Hey dears, today we crush this capture the flag activity. TryHackMe is an easy way to immediately get hands on with your learning.
The Simple CTF room is a beginner-level CTF on TryHackMe. It introduces you to some necessary skills needed for all CTFs including reconnaissance done via port scanning, enumeration, exploitation, privilege escalation and further research.
This Room is available at TryHackMe Simple CTF
Q1. How many services are running under port 1000?
As with every hacking activity we start with information gathering, we need to know what exactly we're dealing with. For that we run the port scans with the command:
sudo nmap -sS -p- -T4 <_machineIP_> -vv
Here's what our scan does
-sS to run a Syn/Stealth scan
-p- to scan all ports
-T4 to speed up the scan
-vv for very verbose so we can monitor progress of the scan
A. 2
Q2. What is running on the higher port?
From our scan we saw that three ports were open, 2 of the ports (port 21 and port 80) are under 1000 and port 2222. To answer this question we will run a command to discover the services and OS being run on these open ports.
To do this, we will use the below command:
nmap -A -p21,80,2222 -T4 <_MachineIP_>
A. ssh
Investigating the open Ports
Our result from the above nmap scan shows us that port 21 has an FTP service, port 80 has an HTTP service and port 2222 has an ssh service.
We will investigate these open ports further.
Beginning with port 21 we see from our scan result that “Anonymous FTP login allowed” so we're definitely logging into this baby. Using the command:
ftp <_MachineIP_>
We list the contents of the FTP server with the ls command, this process leads us to find a pub directory.
ls
Next we navigate into the pub directory and we find a file named “ForMitch.txt”.
You already know we're gonna download it so our nosy asses can read it, it may contain useful information!
Well Bummer, nothing really interesting in the note, be sure to remember that Mitch has a crackable password, as per the note (shown below). Moving on to port 80.
We will investigate port 80 next.
As we previously discovered that port 80 is running the http service we will use the Firefox browser, so open a new tab and enter you target machine IP. This brings up an “Apache2 Ubuntu Default Page”. Not too exciting.
Enumeration
To unearth any hidden directories we will run Dirb, a web content scanner to search for any hidden directories.
DIRB looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the responses. DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists.
dirb http://<_MachineIP_> /usr/share/dirb/wordlists/common.txt
From our scan we find robot.txt and simple, further investigation of the robots.txt reveals that it disallows the crawling of User-agents on the '/openemr-5_0_1_3' directory found there.
Let's see if there's anything we can find in the '/openemr-5_0_1_3' directory
The 'openemr-5_0_1_3' directory gives us a 404 error, indicating there's nothing useful there.
Would we have any luck with the simple directory we found?
http://<_MachineIP_>/simple
This seems interesting, it opens up a a CMS system. Quickly reading through the page we can see that it is Simple CMS version 2.2.8.
Running a quick google search or a search on exploit-db.com for known exploits associated with it and we can see that there is indeed an exploit. This will help us answer Q3 and Q4.
Q3. What's the CVE you're using against the application?
A. CVE-2019-9053
Q4. To what kind of vulnerability is the application vulnerable
A. SQLi
Exploitation
Download the exploit from exploit-db.com and run the command
python simple.py -u http://<_MachineIP_>/simple --crack -w /usr/share/wordlists/rockyou.txt
Executing the script however gives us a syntax error but from the error message we can see that we just need to enclose the print statements in parenthesis, so we do that and proceed.
This will help us discover the password and be able to answer question 5
Q5. What's the password?
A. secret
Q6. Where can you login with the details obtained?
A. We're going to ssh into the machine
Enumerating FTP
We ssh into the machine using this command
ssh -p 2222 mitch@<_MachineIP_>
Enter the password we found in Q5, next we run the 'whoami' command just to confirm that we're logged in as Mitch.
whoami
List the contents of the directory
ls
Investigate the contents of the file we find there to get the answer to Q7.
cat user.txt
Q7. What's the user flag?
A. G00d j0b, keep up!
Navigate back to the home directory and list its contents we would find the other user.
Q8. Is there any other user in the home directory? What's its name?
A. sunbath
Priviledge Escalation
Mitch is currently just a regular user we should see if we can you get root priviledge.
Let's see if any programs run as root user.
sudo -l
We can see that we have root priviledge on vim binary, this is great for us as hackers but bad for the target machine.
Q9. What can you leverage to spawn a privileged shell?
A. Vim
gtfobins shows us how we can use vim with sudo to escalate our privileges. We do this with the following command:
sudo vim -c ':!/bin/sh'
Whoop whoop, anyone else doing a happy dance. We did it baby!!!
Finally
The '#' already indicates to us that we have root priviledge but we still run the 'whoami' command to show off.
Q10. What's the root flag?
Navigate to the root directory, list its contents and capture the flag contained in root.txt
A. W3ll d0n3. You made it!
Congratulations dears, Mitch has officially been fully hacked. Cheers to that.
Thanks for staying with me this long.
Top comments (0)