The TryHackMe: Ignite room is a beginner-friendly and really easy room. It took me barely 15 minutes to get the root flag. It is based on a simple RCE that can be found after some googling, and that is it.

Initial Enumeration

The first thing we must do after starting the machine is to visit the machine's IP address and run a simple nmap scan to check the open ports. On visiting the IP address we land on a Fuel CMS Getting Started page.

This is a hint to look for an exploit for Fuel CMS v1.4. We can also take a look at the nmap result:

We can see that no port other than 80 is open. We can also try the /fuel directory that the nmap scan revealed.

The /fuel directory takes us to a login page where we can try some simple default credentials, and it turns out that with admin as both the username and the password we get into the CMS dashboard as admin.

Now that we have admin access to the dashboard we can look for an exploit. After some googling we find a Python script for Fuel CMS v1.4.1 Remote Code Execution. The script looks like this:

We only need to change the target IP value and execute the script.

We do get RCE: as shown above, running the command whoami returns a response of systemwww-data. However, the page's HTML comes back in the result along with the desired output. To get around this, we can pop another shell using netcat.

To do so, we first start a listener on our attacker machine with the command nc -nvlp 4444 and then run the following command on the target machine:

And we get a proper shell on our listener.

The next thing to do is go to the /home directory and look for the user flag.

And there we get the user flag!

Privilege Escalation

The next task is to get the root flag. For this, we can first check which commands we are allowed to run with sudo privileges using sudo -l, but we get an error.

To resolve this, we need a TTY, which can be obtained using a Python one-liner:

But now we are asked for www-data's password, which we don't know. So we need to look for some other option.

We can check /etc/crontab to see whether some cron job is running, but even there we don't find anything useful.

We can also check for files that have their SUID bit set.

But even here we don't find any useful file. We can also look around the system for files that seem a bit suspicious, and check the /var/www/html directory for useful information. Meanwhile, we can go back to the machine's homepage, since it had instructions for installing the CMS, and there we find information about a database configuration that contains passwords.

So we can try to read the file /var/www/html/fuel/application/config/database.php and see if we find something useful there. To no surprise, the password for root is right there.
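The root cause of this privilege escalation is not the RCE but what sits in the config file: a plaintext database password, readable by the web server account, that is also the root password. The following is an added example written for this write-up (it is not part of the room or the original post) showing how a defender could audit such a file. It assumes the CodeIgniter-style `$db['default']` array layout that Fuel CMS uses; the sample file contents, the `Sup3rS3cr3t!` value and the "known secrets" dictionary are all constructed for the example and are not the room's real credentials.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional

# Constructed sample in the shape of a CodeIgniter-style database.php
# (Fuel CMS is built on CodeIgniter).  Every value here is made up.
SAMPLE_DATABASE_PHP = """<?php
$db['default'] = array(
    'dsn'      => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'Sup3rS3cr3t!',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
);
"""

# Matches lines such as   'password' => 'value',
CONFIG_KEY_RE = re.compile(
    r"'(hostname|username|password|database)'\s*=>\s*'([^']*)'"
)

# Values that should never be a database password.  'admin' is included
# because the CMS login in this room accepted admin/admin.
WEAK_PASSWORDS = {"", "admin", "password", "root", "123456", "fuel"}


def parse_database_php(text: str) -> Dict[str, str]:
    """Extract the connection settings from a CodeIgniter database.php."""
    return {key: value for key, value in CONFIG_KEY_RE.findall(text)}


def audit_config(path: str, known_secrets: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of findings for one config file.

    known_secrets maps a label (e.g. "os root password") to a secret the
    administrator already holds, so that reuse of the DB password can be
    flagged without ever printing the secrets themselves.
    """
    findings: List[str] = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append(f"{path} is world-readable (mode {oct(mode & 0o777)})")

    with open(path, encoding="utf-8") as fh:
        settings = parse_database_php(fh.read())

    pw = settings.get("password")
    if pw is None:
        findings.append("no 'password' entry found in config")
    elif pw in WEAK_PASSWORDS:
        findings.append("database password is empty or a well-known default")

    if settings.get("username") == "root":
        findings.append("application connects to the database as root")

    for label, secret in (known_secrets or {}).items():
        if pw is not None and pw == secret:
            findings.append(f"database password is reused as the {label}")
    return findings


def write_sample(mode: int = 0o644) -> str:
    """Write the constructed sample to a temp file so the audit runs offline."""
    fd, path = tempfile.mkstemp(suffix="database.php")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_DATABASE_PHP)
    os.chmod(path, mode)
    return path


def run_demo(mode: int = 0o644, known_secrets: Optional[Dict[str, str]] = None) -> List[str]:
    """Audit the constructed sample and clean up afterwards."""
    if known_secrets is None:
        # Constructed: pretend the OS root password equals the DB password,
        # which is exactly the mistake that hands over root in this room.
        known_secrets = {"os root password": "Sup3rS3cr3t!"}
    path = write_sample(mode)
    try:
        return audit_config(path, known_secrets)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

Run as the web server user (or root) against the real path, the permission check tells you whether a compromised www-data process could read the file at all, and the reuse check is the one that matters for this room: a unique database password would have left the attacker with RCE as www-data but no route to root.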

We can now simply switch user to root and read the root flag.

With this we have the root flag and have completed the room!

Reference Links

  1. TryHackMe-Ignite: https://tryhackme.com/room/ignite
  2. Fuel CMS v1.4.1 RCE: https://www.exploit-db.com/exploits/47138
  3. Reverse Shell Payloads: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
  4. Python one-liners: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

Do check out my other work and write-ups at https://github.com/0xNirvana

Just another CyberSec Guy
