Ignite machine on THM
Ignite is a simple yet intriguing machine running a vulnerable CMS. The story is that a new start-up has a few issues with their web server and you need to find the problem.
Information gathering
Enumeration
nmap
Command:
nmap -sC -sV [machineIp]
Results:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to FUEL CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/fuel/
dirb
Command:
dirb http://[machineIp]
Results:
---- Scanning URL: http://10.10.220.131/ ----
+ http://10.10.220.131/@ (CODE:400|SIZE:1134)
+ http://10.10.220.131/0 (CODE:200|SIZE:16597)
==> DIRECTORY: http://10.10.220.131/assets/
+ http://10.10.220.131/home (CODE:200|SIZE:16597)
+ http://10.10.220.131/index (CODE:200|SIZE:16597)
+ http://10.10.220.131/index.php (CODE:200|SIZE:16597)
+ http://10.10.220.131/lost+found (CODE:400|SIZE:1134)
+ http://10.10.220.131/offline (CODE:200|SIZE:70)
+ http://10.10.220.131/robots.txt (CODE:200|SIZE:30)
+ http://10.10.220.131/server-status (CODE:403|SIZE:301)
Exploitation
Foothold
- Look on the internet for the default user/pass for Fuel CMS 1.4: admin/admin
- Login with default user/pass
- Use the exploit from searchsploi: https://www.exploit-db.com/exploits/50477
- Once you can RCE create a revshell using PentestMonkey PHP and upload it from local machine to victim using python http server
- With file uploaded and a listener started access it from browser and get reverse shell on the machine
Data exfiltration
- Get user flag from home directory: [UserFlag]
Privilege escalation
- Look into html file for content, check file cat fuel/application/config/database.php in the webapp structure
- There is a password for root user on DB: mememe
Suon root with this password and get root access
Data exfiltration
- Get root flag: [RootFlag]
