# Simple CTF

{% embed url="https://tryhackme.com/room/easyctf" %}

## **TARGET IP -->** 10.10.120.214

### **Task 1: How many services are running under port 1000?**

* Utilize nmap for a quick scan.

```
nmap [Target IP]
```

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2F82BlNvOBB8COgYOLMrIV%2Fimage.png?alt=media&#x26;token=1ec81ca9-04c5-4e24-bbf2-4ff7cc648f25" alt=""><figcaption></figcaption></figure>

* It appears that two services are running: FTP and HTTP.

```
nmap -sV -sC [Target IP]
```

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FfVxGPRpDbefgW8oTPzr2%2Fimage.png?alt=media&#x26;token=21a69f4e-d5f6-47af-9867-d16bf733ea6f" alt=""><figcaption></figcaption></figure>

* Looks like anonymous login is allowed for FTP, and SSH is running on port 2222.

### **Task 2: What is running on the higher port?**

* After running a script scan and version scan with nmap, I found that port 2222 is running SSH. Check the notes above.
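Tasks 1 and 2 are both answered by reading the port list the scan returns. The script below is an added example (not part of the original write-up) that parses nmap greppable output (`-oG`), counts the open services below port 1000 and picks out the highest open port. The `-oG` text it parses is constructed to match what the scan above found (FTP on 21, HTTP on 80, SSH on 2222); it is not a capture from the room.

```python
"""Parse nmap greppable (-oG) output and answer the port-range questions.

Added example; the -oG sample below is constructed to match what the write-up
found (FTP/21, HTTP/80, SSH/2222) and is not a capture from the room.
"""
import re
from dataclasses import dataclass

SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Thu Jan  1 00:00:00 2020 as: nmap -oG - 10.10.120.214
Host: 10.10.120.214 ()\tStatus: Up
Host: 10.10.120.214 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 2222/open/tcp//ssh///\tIgnored State: closed (997)
# Nmap done at Thu Jan  1 00:00:05 2020 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str


def parse_gnmap(text):
    """Return an OpenPort for every open port listed in greppable output."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field is tab-delimited from the fields around it.
        ports_field = re.search(r"Ports:\s*(.*?)(?:\t|$)", line).group(1)
        for entry in ports_field.split(", "):
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                found.append(OpenPort(host, port, proto, service))
    return found


def services_below(ports, limit=1000):
    """Task 1: open services on ports strictly below `limit`."""
    return [p for p in ports if p.port < limit]


def highest_port(ports):
    """Task 2: the open port with the largest number."""
    return max(ports, key=lambda p: p.port)


if __name__ == "__main__":
    ports = parse_gnmap(SAMPLE_GNMAP)
    low = services_below(ports)
    print(f"{len(low)} service(s) under port 1000:",
          ", ".join(f"{p.port}/{p.service}" for p in low))
    top = highest_port(ports)
    print(f"Highest open port: {top.port} ({top.service})")
```

Run a real scan with `nmap -oG scan.gnmap [Target IP]` and feed the file contents to `parse_gnmap` instead of the constructed sample; the same two helpers then answer both tasks without reading the screenshot by eye.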

### **Task 3: What's the CVE you're using against the application?**

* First I tried out the web server on port 80. It looks like the default Apache web server page.

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2F4nkRjUpapaYOE2iAVIqK%2Fimage.png?alt=media&#x26;token=0e77c581-c67c-4983-8c21-965f87378a34" alt=""><figcaption></figcaption></figure>

* Checking Wappalyzer shows Apache web server version 2.4.18 and Ubuntu as the OS.

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2F5sLbPEUbThsrUcVjdAq7%2Fimage.png?alt=media&#x26;token=dc942919-c80a-4f8c-a2b0-07c5ec8ae4a6" alt=""><figcaption></figcaption></figure>

* Next I checked out the robots.txt page that was discovered during the nmap scan.

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FkJ2d1h0yAxqwga3l92iI%2Fimage.png?alt=media&#x26;token=0f36bffd-c92d-42f3-86f6-16645e979906" alt=""><figcaption></figcaption></figure>

* I found a directory named **/openemr-5\_0\_1\_3**, and a possible user named **mike**.
  * The directory isn't there.
* I decided to log into the FTP service with the anonymous account. I browsed around and found a file.

```
ftp [Target IP]
```

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2F3iKBzKgdlfG81VRc6sqn%2Fimage.png?alt=media&#x26;token=a0b6d341-0a61-4bef-81d5-2362999951de" alt=""><figcaption></figcaption></figure>

* Use the get command to download the file.

```
get ForMitch.txt
```

* Cat the file to view its contents.

```
cat ForMitch.txt
```

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FYvwcMqxdvRi2F8NjAD6G%2Fimage.png?alt=media&#x26;token=b10f00f6-8d51-4323-aa16-0edbec794765" alt=""><figcaption></figcaption></figure>

* The system user password is really weak.
* Let's do a hydra attack on the SSH server.

```
hydra -V -l mitch -P rockyou.txt ssh://[Target IP]:2222
```

* It kicked back credentials for Mitch.
  * **mitch:secret**

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FW3qyirRrRZi9JiwYAKlp%2Fimage.png?alt=media&#x26;token=df57081f-2f01-41fd-a8a6-d853448a82a1" alt=""><figcaption></figcaption></figure>
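The hydra run above is loud: every guess lands in the target's `auth.log` as a `Failed password` line from the same source address, followed by one `Accepted password` when the wordlist hits. The script below is an added detection example (not part of the original write-up) that reads sshd log lines, alerts when one source reaches a threshold of failures inside a time window, and alerts again if a login from that source then succeeds. The log excerpt is constructed, the year is assumed (syslog timestamps carry none), and the threshold and window values are illustrative defaults.

```python
"""Spot an SSH password brute force (and a subsequent success) in auth.log lines.

Added example; the log excerpt is constructed to look like what sshd would
record during a password-guessing run, not a real capture from the room.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Jan  1 12:00:01 simple-ctf sshd[1201]: Failed password for mitch from 10.9.0.5 port 50001 ssh2
Jan  1 12:00:02 simple-ctf sshd[1202]: Failed password for mitch from 10.9.0.5 port 50002 ssh2
Jan  1 12:00:02 simple-ctf sshd[1203]: Failed password for mitch from 10.9.0.5 port 50003 ssh2
Jan  1 12:00:03 simple-ctf sshd[1204]: Failed password for mitch from 10.9.0.5 port 50004 ssh2
Jan  1 12:00:03 simple-ctf sshd[1205]: Failed password for mitch from 10.9.0.5 port 50005 ssh2
Jan  1 12:00:04 simple-ctf sshd[1206]: Failed password for mitch from 10.9.0.5 port 50006 ssh2
Jan  1 12:00:05 simple-ctf sshd[1207]: Accepted password for mitch from 10.9.0.5 port 50007 ssh2
Jan  1 12:30:10 simple-ctf sshd[1300]: Failed password for mitch from 10.9.0.20 port 40000 ssh2
Jan  1 12:31:40 simple-ctf sshd[1301]: Accepted password for mitch from 10.9.0.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2020):
    """Return (timestamp, result, user, source_ip) tuples.

    Syslog lines carry no year, so one is assumed (default 2020)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Alert when one source IP reaches `threshold` failures inside `window_s`
    seconds, and again if a login from that IP then succeeds."""
    recent = defaultdict(list)  # source IP -> failure timestamps still inside the window
    alerts = []
    for ts, result, user, ip in sorted(events):
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            recent[ip].append(ts)
            if len(recent[ip]) == threshold:  # fire once, as the threshold is crossed
                alerts.append(("bruteforce", ip, user, ts))
        elif len(recent[ip]) >= threshold:
            # A success right after a burst of failures is the guessed-password case.
            alerts.append(("bruteforce-success", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{ts:%H:%M:%S} {kind}: {ip} -> user {user}")
```

In the constructed sample, `10.9.0.5` trips both alerts while `10.9.0.20`, with a single failure 90 seconds before its success, trips none. Moving SSH to port 2222, as this box does, changes nothing here: the log lines are the same, which is why port changes are not a substitute for rate limiting and key-based authentication.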

* Now let's log into the SSH account with Mitch's credentials:

```
ssh -p 2222 mitch@[Target IP]
```

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FNadDpbrojBC8TsZLX8Sx%2Fimage.png?alt=media&#x26;token=2d0f1c3d-0c40-411e-83dd-da98c1781e93" alt=""><figcaption></figcaption></figure>

* The intended answer to this one was actually gaining access to mitch's account through the web server instead of SSH. To do this you can find a login page on the web server by using gobuster.
* I actually had to look up another person's [write-up](https://kartibok.github.io/Capture-the-Flag/tryhackme/simpleCTF.html) to see how they did it.
* This will take you to a login page for **CMS Made Simple 2.2.8**.
* Googling vulnerabilities for this application shows that there is one on [exploit DB](https://www.exploit-db.com/exploits/46635).
* This shows **CVE-2019-9053**.
* You can use this POC to grab a salted/hashed password from the CMS. You can then use hashcat to crack the password for Mitch.

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2F8L2nRiLVh3t0RRCjIpES%2Fimage.png?alt=media&#x26;token=0f143941-de66-48a9-bd72-48b22272b131" alt=""><figcaption></figcaption></figure>

### **Task 4: To what kind of vulnerability is the application vulnerable?**

* Checking the exploit DB entry for the CVE shows that this application is susceptible to SQL injection (**SQLi**).
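To make the vulnerability class concrete, here is an added example (not code from the write-up or from CMS Made Simple) of the bug pattern behind SQL injection: a query built by splicing user input into the SQL string, next to the same lookup written with a bound parameter. It uses an in-memory SQLite table with placeholder hash values, so it runs offline; the table and its contents are constructed and stand in for whatever schema the real CMS uses.

```python
"""Vulnerable string-built query next to its parameterized fix (sqlite3, in-memory).

Added example: the users table and its hash values are constructed placeholders,
not data from CMS Made Simple or the room.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("mitch", "<placeholder-hash-1>"), ("admin", "<placeholder-hash-2>")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Input is spliced into the statement, so it can change the query's logic."""
    sql = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Input is bound as a parameter, so it is only ever compared as a value."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology test input: true for every row once spliced into the SQL.
    tautology = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, tautology))  # every row's hash leaks
    print("safe:      ", lookup_safe(conn, tautology))        # no such user -> []
```

The vulnerable function returns every row for the tautology input, which is exactly how a stored password hash ends up in an attacker's hands, as the write-up describes; the parameterized version returns nothing because the whole string is compared as a username. The fix is the parameter binding, not escaping or filtering the input.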

### **Task 5: What's the password?**

* Based on the hydra attack from Task 3, Mitch's password is **secret**.

### **Task 6: Where can you log in with the details obtained?**

* We know we can log into SSH on port 2222 with the credentials.

### **Task 7: What's the user flag?**

* Let's cat the file in mitch's home directory.

```
cat /home/mitch/user.txt
```

* G00d j0b, keep up!

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FAYx0CK5UcfNELjGAaBqk%2Fimage.png?alt=media&#x26;token=85e40b5e-113c-4397-a31b-9e14f8e53b3c" alt=""><figcaption></figcaption></figure>

### **Task 8: Is there any other user in the home directory? What's its name?**

* Cd out of mitch's directory into the **/home** directory and we will find another user called **sunbath**.

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2Fsg0GEc4r1Iyev6eFoV6z%2Fimage.png?alt=media&#x26;token=8ed68eaf-f6d8-46a7-b4c5-88724a40c3e9" alt=""><figcaption></figcaption></figure>

### **Task 9: What can you leverage to spawn a privileged shell?**

* Once logged in as mitch, check what sudo privileges you have.

```
sudo -l
```

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2Fo3tapZHIB8DWkdrojf9v%2Fimage.png?alt=media&#x26;token=d13f0bb8-d45f-4d13-941f-329d1fadf220" alt=""><figcaption></figcaption></figure>

* This shows that I have root privileges with **VIM**.
* Next, I'll go to [GTFOBins](https://gtfobins.github.io/gtfobins/vim/#sudo) to find a privilege escalation.

<figure><img src="https://3952040429-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF29RnxijYeB8jxlysIRF%2Fuploads%2FybkILJtj603YxQlKqsyN%2Fimage.png?alt=media&#x26;token=5c8328dc-041e-4b01-a650-436e75299c98" alt=""><figcaption></figcaption></figure>

* So let's try the command to gain root privileges.

```
sudo vim -c ':!/bin/sh'
```

* And now you should have root privileges.
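The root cause here is a sudoers rule that lets a user run an editor as root, and editors can run a shell. The script below is an added example (not part of the write-up, the room or GTFOBins) of the check an administrator would run over a sudoers file: parse each rule, and flag any non-root user allowed to run a shell-escaping binary as root without the `NOEXEC:` tag. The sudoers fragment is constructed (the `mitch` line mirrors the `sudo -l` result above), the binary list is a small illustrative subset of what GTFOBins catalogs, and the parser assumes every rule spells out its `(runas)` part.

```python
"""Audit sudoers-style rules for root grants on binaries with shell escapes.

Added example, not from the room or GTFOBins: the rules below are constructed,
and the binary list is a small illustrative subset of what GTFOBins catalogs.
"""
import os
import re
from dataclasses import dataclass

# Editors and pagers that can start a shell from inside the program (see GTFOBins).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more"}

# Constructed sudoers fragment; the mitch line mirrors the sudo -l result in Task 9.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
ops     ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
audit   ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts
"""

# user host=(runas) command-list ; assumes the (runas) part is present.
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC", "EXEC": "NOEXEC"}


@dataclass(frozen=True)
class Finding:
    user: str
    binary: str
    command: str
    nopasswd: bool


def parse_rules(text):
    """Return (user, runas_user, tags, command) per command.

    Tags carry over to later commands in the same rule, as they do in sudoers."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m["runas"].split(":")[0] or "root"  # empty runas means root
        tags = set()
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            while (t := TAG_RE.match(spec)):
                tags.discard(OPPOSITE.get(t["tag"], ""))
                tags.add(t["tag"])
                spec = spec[t.end():]
            rules.append((m["user"], runas_user, frozenset(tags), spec))
    return rules


def audit(rules):
    """Flag non-root users who may run a shell-escaping binary as root without NOEXEC."""
    findings = []
    for user, runas_user, tags, command in rules:
        if user == "root" or runas_user not in ("root", "ALL") or "NOEXEC" in tags:
            continue
        binary = os.path.basename(command.split()[0]) if command else ""
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(Finding(user, binary, command, "NOPASSWD" in tags))
    return findings


if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE_SUDOERS)):
        extra = " without a password" if f.nopasswd else ""
        print(f"{f.user}: '{f.command}' runs as root{extra} and can spawn a shell; "
              f"use sudoedit for editors or add the NOEXEC: tag")
```

Against the constructed rules, `mitch` (vim, no password) and `ops` (less) are flagged, while the `audit` user's vim rule passes because `NOEXEC:` stops the editor from executing child processes. The fix for a rule like mitch's is `sudoedit`, which edits a copy of the file as the invoking user and never runs the editor as root.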

### **Task 10: What's the root flag?**

* Once you have root access, cat the root.txt file:

```
cat /root/root.txt
```

* **W3ll d0n3. You made it!**
