This is a very easy boot2root machine, meant for beginners. Let’s start by deploying the machine and scanning the target.
The scan shows that the only open port is 80, so let’s navigate to the webpage and see what’s there. It’s a Fuel CMS, and by reading the first page we find out its version.
Let’s look up the version and see if there is any vulnerability. There is an RCE vulnerability. Download the exploit and set the right permissions on the file.
Edit the file to enter the target URL (in my case it’s http://10.0.0.117) and open Burp, because the request will be routed through Burp. Now, execute the script. The reverse shell I’ll be using is the one Jeff Price provided.
After executing the command, fire up a netcat listener. Mine will be on port 5555.
Now, just go to Burp Suite and forward the request, and you will get your reverse connection.
To get the user flag, navigate to the home directory, and you’ll find it there.
To escalate privileges I used LinEnum, but nothing interesting came up… but I remembered that on the main page of the website, there was a path to the database.
You can display the content of the database.php file by using cat.
We have the password. To escalate to the root user we can use the following command: su -. But before that, we have to spawn a shell. I used Python for that with the following command: python -c 'import pty; pty.spawn("/bin/sh")'.
Now you can get the root flag from the root directory.
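Seen from the defender's side, the steps after the reverse shell (reading database.php with cat, spawning a PTY through Python, then running su -) leave a recognizable trail in process-execution logs. The detection logic below is an added example, not part of the original write-up; the record format, the sample records, the rule names and the www-data service account are constructed assumptions.

```python
import re
import shlex

# Constructed records (assumed format): "<time> <user> <parent> <command line>"
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 www-data apache2 php-cgi index.php",
    "2024-05-01T10:02:10 www-data sh cat config/database.php",
    "2024-05-01T10:03:30 www-data sh python -c 'import pty; pty.spawn(\"/bin/sh\")'",
    "2024-05-01T10:03:55 www-data sh su -",
    "2024-05-01T10:05:00 alice bash python -c 'print(1)'",
    "2024-05-01T10:06:00 alice bash su -",
]
SERVICE_USERS = {"www-data"}  # assumption: account the web server runs as
PAGERS = {"cat", "less", "more", "head", "tail"}
PTY_RE = re.compile(r"\bpty\s*\.\s*spawn\s*\(")


def classify(user, argv):
    """Return the names of the rules this command triggers for this user."""
    hits = []
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    # Rule 1: any user upgrading a dumb shell to a PTY through python -c.
    if re.fullmatch(r"python[\d.]*", exe) and "-c" in argv:
        if PTY_RE.search(" ".join(argv[argv.index("-c") + 1:])):
            hits.append("pty_spawn")
    if user in SERVICE_USERS:
        # Rule 2: a web service account has no reason to switch user.
        if exe == "su":
            hits.append("service_account_su")
        # Rule 3: the CMS reads its config through PHP, not through cat.
        files = {a.rsplit("/", 1)[-1] for a in argv[1:]}
        if exe in PAGERS and "database.php" in files:
            hits.append("service_account_reads_db_config")
    return hits


def detect(lines):
    """Return (time, user, rule) for every rule hit in the given records."""
    alerts = []
    for line in lines:
        ts, user, _parent, cmd = line.split(" ", 3)
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes, e.g. a truncated record
            argv = cmd.split()
        alerts.extend((ts, user, rule) for rule in classify(user, argv))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The same three conditions translate directly into auditd or EDR rules keyed on the web server's account; the underlying fix is a database password that is not shared with root and a config file the shell user cannot reuse for login.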