Simple CTF

TryHackMe | Simple CTFTryHackMe

TARGET IP --> 10.10.120.214

Task 1: How many services are running under port 1000?

• Utilize nmap for a quick scan.

nmap [Target IP]

• It appears that two services are running. FTP and HTTP.

nmap -sV -sC [Target IP]

• Looks like Anonymous login is allowed for FTP and SSH is running on port 2222.

Task 2: What is running on the higher port?

• After running a script scan and version scan on nmap I found that Port 2222 is running SSH. Check the notes above.

Task 3: What's the CVE you're using against the application?

• First tried out the web server on port 80. Looks like the default Apache web server page.

• Checking out Wappalyzer shows apache web server on version 2.4.18 and Ubuntu as the OS.

• Next I checked out the robots.txt page that was discovered during the nmap scan.

• I found a directory named /openemr-5_0_1_3, and a possible user named mike.

  • The directory isn't there.

• Decided to log into FTP service with anonymous account. Browsed around and found a file.

ftp [Target IP]

• Use the get command to download the file.

get ForMitch.txt

• Cat the file to view it.

cat ForMitch.txt

• The system user password is really weak.

• Let's do a hydra attack on the SSH server.

hydra -V -l mitch -P rockyou.txt ssh://[Target IP]:2222

• It kicked back credentials for Mitch.

  • mitch:secret

• Now let's log into SSH account with Mitch's credentials:

ssh -p 2222 mitch@[Target IP]

• The answer to this one was actually gaining access to mitch's account through the web server instead of SSH. To do this you can find a login page to the webserver by using gobuster.

• I actually had to look up another person's write-up to see how they did it.

• This will take you to a login page using CMS Made Simple 2.2.8.

• Googling vulnerabilities for this application shows that there is one on exploit DB.

• This shows a CVE-2019-9053

• You can use this POC to grab a salted/hashed password from the CMS. You can then use hashcat to crack the password for Mitch.

Task 4: To what kind of vulnerability is the application vulnerable?

• Checking out the exploit DB for the CVE, shows this application is susceptible to SQL Injection or SQLI.

Task 5: What's the password?

• Based on hydra attack from Task 3, Mitch's password is secret.

Task 6: Where can you log in with the details obtained?

• We know we can log into SSH on port 2222 with the credentials.

Task 7: What's the user flag?

• Let's cat the file on the home directory for mitch.

cat /home/mitch/user.txt

• G00d j0b, keep up!

Task 8: Is there any other user in the home directory? What's its name?

• Cd out of mitch's directory into the the /home directory and we will find another user called sunbath.

• 

Task 9: What can you leverage to spawn a privileged shell?

• Once logged in as mitch check what sudo privileges you have.

sudo -l

• This shows that I have root privileges with VIM.

• Next, I'll go to GTFOBins to find privilege escalation.

• So let's try the command to gain root privileges.

sudo vim -c ':!/bin/sh'

• And now you should have root privileges.

Task 10: What's the root flag?

• Once you have root access, cat the root.txt file.

cat /root/root.txt

• W3ll d0n3. You made it!