Simple CTF — WriteUp

Andreas Panagi
Jan 12, 2021

Hello infosec people, this is a write-up of the Simple CTF room on TryHackMe.com.

To start, I ran an nmap scan to see what I was dealing with. I used the nmap command below, and it showed 3 open ports.

nmap -T4 -A -v 10.10.95.118

Open ports: 80 (Apache), 2222 (OpenSSH), 21 (vsftpd)

Okay, that's interesting: the machine has an open SSH port, so at some point we will probably have to connect over SSH. The first thing I did was check out the website to see if it had anything interesting.

1st & 2nd question: 2 ports / SSH

I used dirb to enumerate the directories and see if there was anything interesting in there.

dirb http://10.10.95.118 /usr/share/dirb/wordlists/common.txt

Dirb Results

There was a directory named “simple”. I checked it out and found that it was some kind of CMS.

Mistake I made here: I saw from the dirb results that there was an /admin/login.php page under the /simple directory. I went there and tried to use hydra to find a username and password. As you may have guessed, that was not the right way to continue: hydra returned a lot of supposed passwords for the username “admin”, so I knew there had to be another way.
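From the defender's side, the password guessing attempted above leaves a very recognisable trace in the web server log: a burst of POST requests to the login page from one client that never gets a successful response. The script below is an added example, not part of the original write-up and not code from the room; it parses constructed Apache combined-log lines (the IPs, timestamps and user agents are made up) and buckets failed login POSTs per client and per minute. It assumes that a successful login answers with a 302 redirect while a failed one re-renders the form with a 200, which is an assumption about the CMS, not something the write-up states.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-log sample for illustration; the IPs, times and
# user agents are made up and are not from the room or the write-up.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:00:01 +0000] "POST /simple/admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Jan/2021:10:00:01 +0000] "POST /simple/admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Jan/2021:10:00:02 +0000] "POST /simple/admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Jan/2021:10:00:02 +0000] "POST /simple/admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Jan/2021:10:00:03 +0000] "POST /simple/admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [12/Jan/2021:10:00:03 +0000] "POST /simple/admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
10.0.0.9 - - [12/Jan/2021:10:00:07 +0000] "GET /simple/ HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2021:10:00:09 +0000] "POST /simple/admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not a valid log entry and is skipped
"""

# Apache combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def count_failed_logins(log_text, login_path="/simple/admin/login.php"):
    """Return a Counter of failed login POSTs keyed by (client_ip, minute).

    Assumption (not stated in the write-up): a successful CMS login answers
    with a 302 redirect, while a failed one re-renders the form with 200.
    """
    failed = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing on them
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path != login_path or status == "302":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        failed[(ip, when.strftime("%Y-%m-%d %H:%M"))] += 1
    return failed


def flag_bruteforce(failed, threshold=5):
    """Return sorted (ip, minute) buckets at or above the failure threshold."""
    return sorted(key for key, n in failed.items() if n >= threshold)


if __name__ == "__main__":
    buckets = count_failed_logins(SAMPLE_ACCESS_LOG)
    for ip, minute in flag_bruteforce(buckets):
        print(f"possible password guessing from {ip} during {minute}: "
              f"{buckets[(ip, minute)]} failed POSTs")
```

The one-minute bucket and the threshold of 5 are tunable starting points; on a real server you would feed the function the rotated access logs and pair the alert with a lockout or rate limit on the login path.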

Anyway, moving on, I searched for an exploit using searchsploit:

searchsploit cms made simple

There were a lot of results, but I used the SQL injection one.

cp /usr/share/exploitdb/exploits/php/webapps/46635.py /root/Desktop

I visited that exploit's page on exploit-db.com and found the CVE of the vulnerability.

3rd & 4th question: CVE-2019-9053 / SQLi

I ran the Python exploit:

python3 /root/Desktop/46635.py -u http://10.10.95.118/simple/ -c -w /usr/share/wordlists/rockyou.txt

Using this exploit, I ran into a lot of Python-related errors and could only recover the username and half of the email. I searched everywhere for a fix and tried running it with different versions of Python, but it still didn't work; I installed the required libraries and it still didn't work. So I got the password from a friend who had already completed the room. I know it's not the best solution and I am a bad person for getting the password like that :(

Using the credentials, I tried SSH to log into the system:

ssh username@10.10.95.118

It didn't work. Then, looking through my notes, I saw that SSH was on port 2222, so I used this command instead:

ssh username@10.10.95.118 -p 2222

It worked! I was in. A simple ls showed a file “user.txt”, and it contained the user's flag.

I moved to the /home directory to find any other users and saw user2's folder. To access that folder I had to escalate privileges.

sudo -l lists the commands the current user is allowed to run with sudo.

Well, it can run vim. So I used this command to gain root privileges:

9th question: vim

sudo vim -c '!sh'

And just like that I was root. I used whoami to make sure, then moved on to finding the root flag.
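The reason this worked is that the sudo rule granted a full interactive editor, and vim can spawn child processes. The audit script below is an added example written for this write-up, not code from the room or from the author; it parses constructed `sudo -l` output (the rules shown are made up, the write-up only says the user could run vim), flags rules that grant a shell-escape-capable binary without the NOEXEC tag, and prints the hardened sudoers line. The NOEXEC tag and sudoedit are real sudo features; the rule lines, the user name and the file argument are assumptions.

```python
import re

# Constructed `sudo -l` output for illustration (the write-up only says the
# user could run vim; the exact rules and the NOEXEC line are made up here).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on this host:
    (ALL : ALL) NOPASSWD: /usr/bin/vim
    (root) /bin/ls
    (root) NOEXEC: /usr/bin/vim /etc/motd
"""

# Editors with a built-in shell escape; vim is the one used in the write-up.
# Extend this set with whatever else your sudoers grants.
SHELL_ESCAPE_BINARIES = {"vim", "vim.basic", "vi"}

# One rule line: "(runas) [TAG: ...] /path/to/command [args]"
RULE_RE = re.compile(r'^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(/\S+)(.*)$')


def parse_sudo_rules(text):
    """Parse the rule lines of `sudo -l` output into dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers and Defaults lines are not rules
        runas, tags, command, args = m.groups()
        tagset = {t.strip() for t in tags.split(":") if t.strip()}
        rules.append({"runas": runas.strip(), "tags": tagset,
                      "command": command, "args": args.strip()})
    return rules


def find_shell_escape_risks(rules):
    """Rules that grant a shell-escape-capable binary without the NOEXEC tag."""
    risky = []
    for rule in rules:
        binary = rule["command"].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in rule["tags"]:
            risky.append(rule)
    return risky


def hardened_rule(rule, user="user"):
    """Rewrite a risky rule as a sudoers line carrying the NOEXEC tag.

    NOEXEC stops the editor from exec()ing child processes, so a shell
    escape from inside it fails. When the goal is editing one file,
    granting `sudoedit /that/file` instead of an editor is the better fix.
    """
    tags = "".join(f"{t}: " for t in sorted(rule["tags"] | {"NOEXEC"}))
    args = f" {rule['args']}" if rule["args"] else ""
    return f"{user} ALL=({rule['runas']}) {tags}{rule['command']}{args}"


if __name__ == "__main__":
    for rule in find_shell_escape_risks(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"risky grant: ({rule['runas']}) {rule['command']}")
        print(f"  suggested: {hardened_rule(rule)}")
```

NOEXEC relies on sudo's library preloading and only covers dynamically linked binaries, so treat it as a mitigation for grants you cannot remove; the cleaner answer to "this user needs to edit one file as root" is sudoedit with an explicit path.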

I checked the /root directory and found root.txt; inside was the flag.

Thank you, for reading this article!


Andreas Panagi

Cybersecurity / Computer Security student. Writing is the best way to learn. Forever No0B