Try Hack Me: Simple CTF Walkthrough

Beginner-level CTF

João Marcelo
InfoSec Write-ups


This is the third walkthrough of our TryHackMe series.

The chosen room is “Simple CTF”, and I enjoyed finishing it a lot.

This is an easy room, but we can learn some interesting things, mostly how to:

  • Search for CVEs;
  • Find and run exploits;
  • And escalate privileges using flaws in sudo permissions.

I hope this walkthrough can be useful to you!

Good Luck! xD

Task 1

1.1 — How many services are running under port 1000?

Step 1: Run nmap to find open ports

nmap <Target IP> -sV -p 1-3000 -vv

Attention!

The ssh service usually runs on port 22, but in this room it has been moved to port 2222. A plain port scan won't clearly identify what is listening on port 2222; nmap only labels it as ssh when you use the -sV (service/version detection) parameter.

So remember to add the -sV parameter, otherwise you won't see the ssh service running on port 2222.

Answer: 2

1.2 — What is running on the higher port?

Answer: ssh
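To make the two answers above reproducible, here is an added example (my own code, not part of the original post) that parses nmap's grepable output (-oG), counts the open services below port 1000, picks the service on the highest open port, and flags services that sit on a port other than their usual one, which is exactly why ssh on 2222 is easy to miss without -sV. The scan text is constructed to resemble the room's result; the version strings are invented.

```python
"""Parse nmap grepable (-oG) output and answer questions 1.1 and 1.2.

Added example, not from the post. The scan text below is constructed to look like the
room's result; the service version strings are invented."""
import re
from dataclasses import dataclass

# Constructed output of: nmap <Target IP> -sV -p 1-3000 -oG -
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sV -p 1-3000 -oG - 10.10.179.177\n"
    "Host: 10.10.179.177 ()\tStatus: Up\n"
    "Host: 10.10.179.177 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, "
    "2222/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/"
    "\tIgnored State: closed (2997)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# One entry of the "Ports:" field: port/state/proto/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Ports on which these services are normally expected (used to spot relocated services).
EXPECTED_PORTS = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text):
    """Return the open ports from grepable nmap output, one OpenPort per entry."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")  # "Host: ...", then "Ports: ...", "Ignored State: ..."
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for m in PORT_ENTRY.finditer(field):
                port, state, proto, _owner, service, _rpc, version = m.groups()
                if state == "open":
                    found.append(OpenPort(host, int(port), proto, service, version.strip()))
    return found


def services_under(ports, limit=1000):
    """Open ports numbered below `limit`, lowest first (question 1.1)."""
    return sorted((p for p in ports if p.port < limit), key=lambda p: p.port)


def highest_port(ports):
    """The open port with the largest number (question 1.2)."""
    return max(ports, key=lambda p: p.port)


def relocated_services(ports):
    """Services nmap identified on a port other than their usual one, e.g. ssh on 2222."""
    return [p for p in ports if p.service in EXPECTED_PORTS and EXPECTED_PORTS[p.service] != p.port]


if __name__ == "__main__":
    ports = parse_gnmap(SAMPLE_GNMAP)
    print("services under port 1000:", len(services_under(ports)))
    print("highest port runs:", highest_port(ports).service)
    for p in relocated_services(ports):
        print(f"note: {p.service} is on {p.port}, not {EXPECTED_PORTS[p.service]} (only visible with -sV)")
```

Run the real scan with -oG - (or -oG scan.gnmap) and feed that text to parse_gnmap instead of the constructed sample; without -sV the service column for 2222 would not say ssh, so relocated_services would miss it.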

1.3 — What’s the CVE you’re using against the application?

Now we need to take a better look at the application.

As we can see in the nmap scan results, port 80 is open with an http service running, which suggests a web application.

So let’s check what the browser shows us!

Step 1: Paste the target IP into the browser.

That’s what we got:

The default page of the Apache server running on this site.

It doesn’t have a lot of useful information, but maybe there are some hidden directories we can find.

Step 2: Do a directory brute-force to find hidden directories.

You can use any tool you prefer.

I’ll be using gobuster with the wordlist below:

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/directory-list-2.3-small.txt

gobuster dir -u http://10.10.179.177 -w directory-list-2.3-small.txt

We found a directory named simple/, so let’s take a look.

Step 3: Take a look at the simple directory:

http://<Target IP>/simple/

And we found what seems to be the home page of the application.
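Seen from the server side, a directory brute-force like the gobuster run above leaves a very recognisable trace: one client producing a burst of 404s in a few seconds. Here is an added example (my own code, not from the post) that parses Apache combined-format access log lines and flags any client with a burst of missing paths inside a sliding time window. The log lines are constructed: one client walking a wordlist, one ordinary visitor; addresses, timestamps and user agents are invented.

```python
"""Spot a directory brute-force (what gobuster does above) in an Apache access log.

Added example, not from the post. The log lines are constructed: one client walking a
wordlist and collecting 404s, one ordinary visitor."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed combined-format log lines (addresses, times and user agents are invented).
SAMPLE_LOG = """\
10.9.0.5 - - [10/Mar/2021:14:02:01 +0000] "GET /simple/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.9.0.5 - - [10/Mar/2021:14:02:02 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Mar/2021:14:03:10 +0000] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.7 - - [10/Mar/2021:14:03:10 +0000] "GET /download HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.7 - - [10/Mar/2021:14:03:10 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.7 - - [10/Mar/2021:14:03:11 +0000] "GET /login HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.7 - - [10/Mar/2021:14:03:11 +0000] "GET /uploads HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.7 - - [10/Mar/2021:14:03:11 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.7 - - [10/Mar/2021:14:03:12 +0000] "GET /css HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.7 - - [10/Mar/2021:14:03:12 +0000] "GET /js HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.10.14.7 - - [10/Mar/2021:14:03:12 +0000] "GET /simple HTTP/1.1" 301 313 "-" "gobuster/3.0.1"
"""

# Apache "combined" LogFormat: client, identd, user, [timestamp], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Request:
    ip: str
    ts: datetime
    path: str
    status: int
    ua: str


@dataclass(frozen=True)
class Alert:
    ip: str
    misses: int      # most 404 responses seen from this client inside one window
    agents: tuple    # user agents the client used


def parse_log(text):
    """Parse combined-format lines into Request objects; lines that do not match are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        reqs.append(Request(m.group("ip"), ts, m.group("path"), int(m.group("status")), m.group("ua")))
    return reqs


def detect_bruteforce(reqs, window_s=60, threshold=5):
    """Flag clients with at least `threshold` 404 responses inside any `window_s` seconds."""
    misses_by_ip = defaultdict(list)
    for r in reqs:
        if r.status == 404:
            misses_by_ip[r.ip].append(r)
    alerts = []
    for ip, misses in misses_by_ip.items():
        misses.sort(key=lambda r: r.ts)
        start, best = 0, 0
        for end in range(len(misses)):  # sliding window over the sorted 404s
            while (misses[end].ts - misses[start].ts).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append(Alert(ip, best, tuple(sorted({r.ua for r in misses}))))
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(f"{a.ip}: {a.misses} missing paths within 60s, user agents: {', '.join(a.agents)}")
```

The single 404 from the ordinary visitor stays below the threshold, so only the scanning client is reported; the user agent is kept in the alert because a default tool string is useful corroboration, but the 404 burst is the signal that survives a changed User-Agent.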

Let’s explore this page and see if we can find something interesting.

At the bottom of the page there is a useful piece of information.

The site tells us that it is powered by CMS Made Simple, which seems to be an open-source Content Management System, and it also tells us the version: 2.2.8.

Knowing that, we can search for exploits for this version of CMS Made Simple.

Step 4: Search for CVEs for CMS Made Simple version 2.2.8.

Searching on https://cve.mitre.org/, we find that it is vulnerable to SQL injection attacks.

Answer: CVE-2019-9053

1.4 — To what kind of vulnerability is the application vulnerable?

Answer: SQLi

1.5 — What’s the password?

Let’s take a better look into this CVE.

The CVE entry on cve.mitre.org gives us a link to an exploit, so let’s check it!

It seems that it cracks a password for us.

So let’s use it!

Doing some searching on Google, I found the same script adapted to Python 3. If you prefer that too, you can find it at the link below:

https://github.com/4nner/CVE-2019-9053/blob/master/exploit.py

Step 1: Copy the script to a .py file and save it, or download the script.

As the code tells us, we just need to specify a URL, the parameter -c to specify that we want to try to crack the password, and a wordlist.

Step 2: Run the script specifying the parameters:

  • -u for the URL
  • -w for a wordlist
  • -c to crack the password

python3 exploit.py -u http://<Target IP>/simple -c -w /usr/share/wordlists/rockyou.txt

And that’s it!

Now we have a username and a password.

Answer: secret

1.6 — Where can you login with the details obtained?

As we saw in the nmap scan, the ssh service is running on port 2222.

So we can try to log in using the credentials we found.

Answer: ssh

1.7 — What’s the user flag?

Step 1: Let’s log in using ssh with the command below:

Remember that the user is mitch and ssh is running on port 2222.

ssh mitch@<Target IP> -p 2222

password: secret

We are in!

Step 2: Read the file inside the user’s home directory.

cat user.txt

Answer: G00d j0b, keep up!

1.8 — Is there any other user in the home directory? What’s its name?

Step 1: Take a look inside the home directory.

We can see another user.

Answer: sunbath

1.9 — What can you leverage to spawn a privileged shell?

If we check which sudo commands our current user is allowed to run, using:

sudo -l

We find that user mitch has root permission to run the vim editor.

So we can pass a parameter to vim to escalate privileges:

sudo vim -c ':!/bin/bash'

Now we have root access!

Answer: vim
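The fix for this kind of misconfiguration is on the sudoers side: an interactive editor granted through sudo lets the user run shell commands from inside the editor (vim's ":!" shown above), so the rule should grant sudoedit on the specific file instead. Here is an added example (my own code, not from the post or the room) that parses sudoers user-spec lines and reports rules that hand a non-root user a root shell or skip the password. The sudoers fragment is constructed and hypothetical; the post only tells us that mitch may run vim as root, not the exact line.

```python
"""Audit sudoers rules for grants that hand the user a root shell.

Added example, not from the post or the room. The rules below are constructed; the post
only shows that mitch may run vim as root, not the exact sudoers line."""
import re
from dataclasses import dataclass

# Constructed /etc/sudoers fragment (hypothetical users and commands).
SAMPLE_SUDOERS = """\
# constructed sample, not the room's real file
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
alice   ALL=(root) sudoedit /etc/hosts
bob     ALL=(root) /bin/systemctl restart nginx
"""

# Editors that run arbitrary commands from inside the editor (vim's ":!command", as used above).
SHELL_ESCAPE_EDITORS = {"vi", "vim", "vim.basic", "vim.tiny", "view"}

# Lines that are not user specs and must be skipped.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# user host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?P<tag>(?:NO)?PASSWD|(?:NO)?EXEC|(?:NO)?SETENV|(?:NO)?LOG_INPUT|(?:NO)?LOG_OUTPUT):\s*")


@dataclass(frozen=True)
class Rule:
    user: str
    runas: str
    command: str
    nopasswd: bool


@dataclass(frozen=True)
class Finding:
    user: str
    command: str
    severity: str
    reason: str


def parse_sudoers(text):
    """Parse user-spec lines into Rule objects; comments, Defaults and aliases are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0]  # "(user:group)" -> user; default root
        nopasswd = False
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            t = TAG_RE.match(spec)
            while t:  # tags such as NOPASSWD: stick for the rest of the line until changed
                if t.group("tag") == "NOPASSWD":
                    nopasswd = True
                elif t.group("tag") == "PASSWD":
                    nopasswd = False
                spec = spec[t.end():]
                t = TAG_RE.match(spec)
            rules.append(Rule(m.group("user"), runas, spec, nopasswd))
    return rules


def audit(rules):
    """Findings for rules that let a non-root user reach a root shell or skip re-authentication."""
    findings = []
    for r in rules:
        if r.user == "root":
            continue
        program = (r.command.split() or [""])[0].rsplit("/", 1)[-1]  # basename of the granted program
        if r.command == "ALL":
            findings.append(Finding(r.user, r.command, "high",
                                    f"any command as {r.runas}; restrict to the specific commands needed"))
        elif program in SHELL_ESCAPE_EDITORS:
            findings.append(Finding(r.user, r.command, "high",
                                    f"{program} can spawn a shell from inside the editor; grant 'sudoedit <file>' instead"))
        if r.nopasswd:
            findings.append(Finding(r.user, r.command, "medium",
                                    "NOPASSWD: no re-authentication, so a hijacked session gets sudo for free"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"[{f.severity}] {f.user}: {f.command} -> {f.reason}")
```

In the sample, alice's sudoedit rule and bob's single systemctl command produce no findings, while mitch's vim rule is reported twice: once for the editor shell escape and once for NOPASSWD. The parser reads sudoers file syntax; the command specs printed by sudo -l use the same "(runas) TAG: command" form, so they can be audited the same way once a user name is prepended.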

1.10 — What’s the root flag?

Let’s look for the flag in the root directory.

Got it!

Answer: W3ll d0n3. You made it!

And that’s it!

I hope you had as much fun as I did completing this room.

If I said something wrong or you have a better way to complete it, please let me know!

I’m here to learn too! xD

Thanks for reading this far!

And if you liked it, follow me! I intend to continue posting!

Bye!
