Remote Code Execution – Exploiting FuelCMS (CVE-2018-16763) | Vulnerability Capstone
Overview
This room focuses on identifying and exploiting a vulnerable web application to achieve remote code execution.
The target machine hosts a CMS application with a known vulnerability that can be leveraged for full system compromise.
Objective
- Enumerate open services
- Identify the web application and version
- Find and exploit a known vulnerability
- Gain remote code execution
- Retrieve the flag
Reconnaissance
Initial scan using Nmap:
1
nmap -sV -p- <target-ip>
Scan Results
1
2
3
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Observations:
- SSH service is running (potential post-exploitation access)
- Web server hosted on port 80
Web Enumeration
Visiting the web application revealed:
- CMS in use: Fuel CMS
- Version: 1.4
Login panel was accessible.
Authentication
Default credentials worked:
1
admin:admin
This granted access to the admin panel.
Vulnerability Identification
The application version is vulnerable to:
CVE-2018-16763
- A Remote Code Execution vulnerability in Fuel CMS ≤ 1.4.1
- Caused by improper input sanitization in the
filterparameter
Vulnerable Endpoint
1
/fuel/pages/select/
Exploitation
A public exploit is available and works with Python2.
Exploit Setup
Save the exploit as:
1
exploit.py
Run:
1
python2 exploit.py
Exploit Behavior
- Sends crafted requests to the vulnerable endpoint
- Injects system commands via the
filterparameter - Executes commands on the target server
Result
Successful command execution:
1
2
cmd: whoami
www-data
Remote Code Execution achieved.
Proof of Exploitation
- Arbitrary commands executed on the server
- Shell obtained via exploit
- Access to system files confirmed
Post Exploitation
Navigate to user directory:
1
2
cd /home/ubuntu
ls
Retrieve the flag.
Impact
This vulnerability allows:
- Remote Code Execution (RCE)
- Full system compromise
- Unauthorized data access
- Potential privilege escalation
Mitigation
To prevent this vulnerability:
- Update Fuel CMS to a patched version
- Implement proper input sanitization
- Restrict access to admin panels
- Disable unnecessary endpoints
- Use Web Application Firewalls (WAF)
Real-World Insight
This is a classic example of:
- Outdated software leading to critical vulnerabilities
- Default credentials enabling easy access
- Public exploits making exploitation trivial
In real environments, this type of issue can lead to full infrastructure compromise within minutes.