January 14, 2021

TryHackMe's Ignite room

As with any room the first thing you do is deploy the server. Make sure that you are connected to the openvpn server or have the attack machine started.

Once the machine is deployed I copy the ip address and then paste into the browser to see what I get. I will do this while running an nmap command to see what ports are available. nmap -sC -sV -oA nmap/server IP ADDRESS. I might as well do a gobuster to fuzz the website to see what pages are available. The command that I will use is gobuster dir -u http:// -w ~/CTF/words/directories/directory-list-2.3-medium.txt -x php,txt.

I try to see if there is a /robots.txt file and low and behold I see that there is a file there. I notice that it is telling the search engines not to index a specific folder on the web server. Next I want to go to that directory and see if there is anything of importance there. I see that there is a login page there. I will try the normal admin:admin, admin:password, etc.

Once I got into the control panel I can see that I am now admin. Let's poke around the admin panel and see if there is anything that is obvious.

That was a dead end. I then searched for "fuel cms exploits" and found a python script that needs a proxy like burp. I got the script to run and the output was a little messy but it would output the commands from the input. In order to clean up that mess I want to use a php script like phpbash on the machine. In order to do that I need to spin up an http server using python, python3 -m http.server. Then use the wget command to upload the file onto the target box. Once the file is uploaded on the target box navigate to the page and then execute it. You should see:

From there you want to change the working directory to the /home/www-data folder to get the flag for the user.

Now it's time to try and figure out how to privilege escalate from here. I can't run any sudo commands because I am not in a terminal just a website that is emulating that terminal. I am going to try and get a real reverse shell on the box. I have the same script that I have used from the GTFO site. Once I have that ready to upload I will just use netcat nc -lvnp 8888 to capture the reverse of the shell.

From here I need to get the shell stabilized and I am going to do that with python. The command that I am going to do that with is python -c 'import pty; pty.spawn("/bin/bash")'.

I struggled with this and I had to finally go to the internet for some help and after a lot of time I saw that there is a folder with a configuration file in it. The path to the file is /var/www/html/fuel/application/config. Once I got to that directory I saw that there was a database config file and then I used the cat command to get the contents of the file and I saw a password for root in there.

I then used that password and I had finally accessed the root account. From there I went to the root user's home directory and saw the file there. All I had to do was view the contents of the file and I had the flag.