top of page
Search
bobloblaw321

TryHackMe - Simple CTF

Updated: Mar 13, 2021

Welcome welcome! To my first walkthrough. We start with a relatively simple CTF room on TryHackMe: Simple CTF. https://tryhackme.com/room/easyctf


Scanning & Enumeration

As always, begin with enumerating the machine ports:


I used the (slightly modified) Threader3000 to get the open ports of the machine:


I then used nmap to scan those open ports found:


nmap -T4 -Pn -p21,80,2222 -A 10.10.206.93


Breaking down the command:

-T4: speed of nmap scan is 4/5 (personal preference of mine)

-Pn: skip pinging the machine being scanned (we already know the host is up)

-p21,80,2222: only scan the ports specified (the ones we found open)

-A: do an extensive scan on these ports


 

Enumerating Services


Port 21- ftp

From the nmap scan we see that the ftp port allows anonymous login, so we try that:


ftp 10.10.150.11
cd pub
get ForMitch.txt
exit


cat ForMitch.txt

From the anonymous login, we have access to 1 file on the box, which informs us that there is password is weak, reused, and that there is probably a user name 'Mitch' (or some variation).


Port 2222- ssh

We see that ssh is available on port 2222, but ssh usually isn't too vulnerable unless we have credentials, so I leave it alone for now.


Port 80- http

A website being run on a port is usually a great place to visit on CTFs, so let's check that out:


Just a default page, so let's try to enumerate and see if we can find any hidden directories:

I used dirsearch to do this


python3 /opt/dirsearch/dirsearch.py -u http://10.10.206.93/ -e * -r

An interesting directory was found! Let's explore that.


 

Vulnerable WebApp


Navigating to the webpage, I have an extension called Wappalyzer which identifies webApp versions and as well as versions of services running on them:


Using that (as well as looking around the web page), we can see that this app is running CMS Made Simple. A google search for exploits on this service leads me to this:


After reading what the exploit does, I get retrieve it locally in hopes of obtaining some credentials:


searchsploit -m 46635



Running the exploit with no parameters shows you how to run it. We know the URL from our enumeration earlier, and I figure rockyou.txt (which comes preinstalled on kali) will be enough to crack any password we find.


python 46635.py -u http://10.10.206.93/simple/ --crack -w /usr/share/wordlists/rockyou.txt

After running this and waiting for a bit, we obtain credentials!





 

Getting User


Now, these credentials we found are for the CMS site we saw earlier. But remember back to the beginning when I said ssh usually isn't useful until we have credentials. Well, now we have credentials so let's try that and see if some password reuse is going on!


I use medusa to check ssh validation. It's more useful for checking lists, but I'll show you the syntax anyway:



medusa -u mitch -p {password} -h 10.10.206.93 -M ssh -n 2222

Breaking down the command:

-u: use a single username to test

-p: test a single password

-h: the host we are checking

-M: the module

-n: the port number (necessary since this box didn't have the default port 22 for ssh)


After checking with medusa we see that it's a success!

We ssh into the machine with the retrieved credentials


ssh mitch@10.10.206.93 -p 2222

And we get the user flag!


 

Privilege Escalation


After giving myself a normal shell with:


python -c "import pty; pty.spawn('/bin/bash')"

we check if we can go get the root flag. As expected we get a Permission Denied.

So the first thing I like to check when it comes to Linux Privesc is what commands we can run as sudo:


sudo -l

Doing that, I see we can run vim as sudo! When you are in vim, you can run commands simply by prefacing them with '!'. I suspect we can spawn a root shell through this method:




sudo vim

Then, inside of vim:


:!/bin/bash

Running vim with sudo and then spawning a shell, we can see that we are now root!


And we have access to the root flag!


That's all for now, thanks for reading :)

If you want to reach out for questions/feedback you can reach me on the TryHackMe discord server under the name B10b#9228!

4,427 views0 comments

Recent Posts

See All

Comments


bottom of page