Ignite

This engagement involved exploiting a vulnerable FUEL CMS instance to gain remote code execution, followed by credential discovery and reuse to achieve full root access.

Reconnaissance

Port scanning revealed a single exposed service:

The web application was identified as FUEL CMS version 1.4, which is known to contain publicly disclosed vulnerabilities.

Initial Access

Default credentials were discovered for the admin panel, allowing access to the CMS dashboard. Attempts to upload a reverse shell directly were unsuccessful due to file restrictions.

A known public exploit targeting FUEL CMS was then used to achieve remote code execution, resulting in a web shell.

Exploitation

The web shell was upgraded to a reverse shell, providing a more interactive session on the target system.

During post-exploitation enumeration, a configuration file (database.php) was discovered containing database credentials:

username: root
password: mememe

These credentials were reused to switch to the root user via su, successfully achieving full system access.

Key Finding: Credential Reuse

Sensitive database credentials were stored in plaintext and reused for system-level authentication. This allowed immediate privilege escalation without the need for additional exploitation.

Credential reuse remains one of the most common and impactful security weaknesses in real-world environments.
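A defender can check for the precondition behind this finding before an attacker does. The following is an added example, not part of the original write-up or of FUEL CMS: it parses a database.php-style config and flags a plaintext password and a database username that matches a local login account. The config layout, the passwd excerpt and all function names are assumptions constructed for illustration; the check reports account-name overlap only and cannot confirm that the passwords are identical.

```python
import re

# Constructed sample in a CodeIgniter-style array layout (assumed format, not the target's file).
SAMPLE_DATABASE_PHP = """<?php
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'example_db',
);
"""
# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:111:116:MySQL Server:/nonexistent:/bin/false
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PAIR = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")

def parse_db_config(php_text):
    """Return the 'key' => 'value' string pairs found in a PHP array config."""
    return dict(PAIR.findall(php_text))

def login_accounts(passwd_text):
    """Return {name: uid} for accounts that have an interactive shell."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            accounts[fields[0]] = int(fields[2])
    return accounts

def audit(php_text, passwd_text):
    """Flag a plaintext DB password and a DB username shared with a local login account."""
    cfg = parse_db_config(php_text)
    user, password = cfg.get("username", ""), cfg.get("password", "")
    findings = []
    if password:
        findings.append("plaintext password stored in config")
    accounts = login_accounts(passwd_text)
    if user in accounts:
        findings.append("db user '%s' is also a local login account (uid %d)"
                        % (user, accounts[user]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DATABASE_PHP, SAMPLE_PASSWD):
        print("[!]", finding)
```

A dedicated, least-privileged database account whose name and password are not shared with any system login clears the second finding.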

Impact

Full system compromise was achieved. The attacker gained root-level access, enabling complete control over the system, including file manipulation, persistence, and potential lateral movement.