TryHackMe CTF:
Ignite

Today, I will be writing on the easy-rated TryHackMe CTF machine "Ignite"

First off, let's go ahead and add this box to our hosts file

And off we go for our Nmap scan to see what ports we have open

Alright, so it looks like we only have one open port and it's hosting a web-server running Fuel CMS. Let's go check it out

Okay, so a fresh install of Fuel CMS Version 1.4. We can go ahead and look up some vulnerabilities for this version. In the meantime, if you go back to our Nmap results, it referenced a found directory called "/fuel" so let's head there. 

So we can see it takes us to a login page. If you read through the text in the main page, it provides default credentials, so I figured I'd give them a shot and voila, we got in. That was easy

Let's go ahead and enumerate the pages on this admin dashboard to see if we have any options to upload (Saw a few RCE vulnerabilities on Exploit-db) and it looks like the Assets page is where we want to be. 

Let's select that "Upload" button and see what we're working with.

Alright, let's see if we can directly upload a PHP file. I have a bunch of "Test" documents in multiple file formats, so I'll just attempt to upload my "test.php" file.

Nope, we can't. Okay, so if we look near the bottom, we can see there is a checkbox that unzips .ZIP files upon upload. I wonder if we could just compress this PHP file in a ZIP and upload it then.

Nope, still wouldn't let us. But, the asset folder is set to "docs" at the moment, let's see if we can upload it to another directory. Let's try the next folder down, "images." 

Hey! It worked! Now, let's create a PHP reverse shell script, and ZIP it up and upload it to see if we can spawn a reverse shell.

Alright, it worked! Let's head back to our Assets page to see if we can see it there.

Perfect! Let's set up a Netcat listener and then run then cURL http://ignite/assets/images/shell.php and see what happens.

Got it! Let's go ahead and whip out a better TTY. 

Perfect. Let's go ahead and grab that user flag!

Yessss! Now, let's figure out how to escalate our privileges up to root! 

So, I spent about 45 minutes enumerating the box only to find no useful information or anything to exploit. I was pretty stumped, but I decided to go back to the main http://ignite page since it had some default config information to see if I could get any ideas. I noticed there was a section that mentioned configuring the database.php file to add your localhost name, username and password. Now, from the 45 minutes of enumerating (and from obtaining the user flag) I knew that the only user other than root on the machine was www-data. And given there was very little permissions that the www-data user did have, I figured it was a 50/50 shot that the SQL user was root. Maybe this file contains the password in plaintext or a hash, let's head there and find out. 

And sure enough, I found a portion of that PHP file that mentioned the information that the install page of the application mentioned, and the user was indeed root, and the password was stated in plaintext. Let's go ahead and see if we can switch users using that password.

Niiiiiice! It worked! Let's go snag our root flag!

And there we have it! Overall, this was a very fun box, and very informative. It definitely threw me for a bit of a loop as I was expecting a hint of how to obtain full system control once we got the initial foothold when instead, it was right in front of my face from the beginning. I will remember that and it's a great reminder that enumeration is key! 

Thank you all for taking the time to read my walkthrough of "Ignite."