Ignite | TryHackMe

Ignite is an easy machine on TryHackMe that focuses on vulnerability discovery and exploitation in Fuel CMS, a popular open-source content management system (CMS). Fuel CMS is PHP-based and provides a flexible, modular framework for building custom web applications.

We’ll be performing basic enumeration and privilege escalation to solve this machine.

Task 1: User.txt

First of all, let’s use RustScan and Nmap for basic port scanning.

rustscan --ulimit 100000 -a 10.10.145.64 -- -sV -sC -v -oN ignite

Rustscan output

I personally prefer RustScan because it is significantly faster than Nmap, especially when scanning large networks or performing multiple scans simultaneously. You can use RustScan to identify open ports and then use Nmap for detailed scanning.

Result of the Nmap scan

Nmap scan results

The scan shows that port 80 is open and serving Fuel CMS. Let’s check what we can find there in a web browser:

FuelCMS Default Page

We are welcomed with the Fuel CMS default landing page. Fuel CMS is built on top of the CodeIgniter framework and uses a modular architecture, which allows developers to easily add or remove features and functionality as needed.

On the default page, some things caught my attention:

  1. The version of the CMS. We can search for potential exploits with this info later.

     FuelCMS Version

  2. DEFAULT CREDENTIALS!!

     Default Credentials Info

The /fuel directory leads to the login form, and it can be accessed with default credentials.

FuelCMS Login Page

However, after logging in I wasn’t able to upload a reverse shell for some reason. So I decided to check if any potential exploits were available for it.

Google Search for exploit

HMM… Got some interesting results.

After surfing a bit, I got to know that FuelCMS v1.4 has an RCE vulnerability (CVE-2018-16763).

I used this Python exploit for the reverse shell.

Getting an initial foothold

Got the initial foothold with that Python exploit. Now we can look around the directories and find the user flag.

user.txt flag

Task 2: Root.txt

I attempted privilege escalation by exploiting SUID and SGID binaries and conducting a system scan with linpeas, but I did not uncover any useful information.

So, I decided to take a look at the default web page’s files again.

Web directory files

Checking the PHP file at fuel/application/config/database.php, I got:

Database Credentials

We can try and see if this password is the same for the root user:

Switching user to root

PRIVILEGE ESCALATED! Now we can read the root.txt flag.

cat /root/root.txt

Machine PWNED
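
The root escalation above worked because the web user could read a literal database password in fuel/application/config/database.php. The following is an added example (not part of the original write-up or the Fuel CMS project) of a defender-side audit for that file; the sample config values, the privileged-account list and the function names are assumptions made for illustration.

```python
import re
import stat

# Constructed sample in CodeIgniter's database.php layout (all values made up).
SAMPLE_CONFIG = """<?php
$active_group = 'default';
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'EXAMPLE-ONLY-PASSWORD',
    'database' => 'example_schema',
    'dbdriver' => 'mysqli',
);
"""

# Matches 'key' => 'literal', pairs; values built from getenv() etc. do not match.
PAIR_RE = re.compile(r"""['"](\w+)['"]\s*=>\s*(['"])(.*?)\2\s*,""")


def parse_db_settings(php_source):
    """Return the literal key/value pairs found in the $db array."""
    return {m.group(1): m.group(3) for m in PAIR_RE.finditer(php_source)}


def audit_db_config(php_source, file_mode):
    """Return a list of findings for one database.php file (secrets not echoed)."""
    settings = parse_db_settings(php_source)
    findings = []
    if settings.get("password"):
        findings.append("password stored as a literal in the file")
    if settings.get("username") in ("root", "admin", "sa"):  # illustrative list
        findings.append("application connects as a privileged DB account: "
                        + settings["username"])
    if file_mode & stat.S_IROTH:
        findings.append("file is world-readable")
    if file_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    return findings


if __name__ == "__main__":
    for finding in audit_db_config(SAMPLE_CONFIG, 0o644):
        print("[!]", finding)
```

On a real host, pass the file's contents and `os.stat(path).st_mode`. A literal password found this way should also be checked for reuse on any system account and rotated.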

Conclusion

Exploiting this machine was a valuable experience, highlighting that the answer can often be obvious. Whenever we’re stuck, it’s essential to re-examine what we already understand.

Hope y’all liked my first write-up. I tried to keep it concise and insightful. Feedback would be much appreciated.

See you next time !! ^_^


This post is licensed under CC BY 4.0 by the author.