Try Hack Me - Simple CTF

 

Try Hack Me 

 Simple CTF Walkthrough

Simple CTF Challenge on TryHackMe Platform is a beginner level CTF, if you want to learn about CTF's, this room is perfect for you! So let’s get going!



Initially, let's deploy our machine get connected to THM VPN and then, we are ready to begin.
We need to run a Nmap scan against the machine so that we know which ports are open and which services are operational on these ports. I am going to use an aggressive Nmap scan.

 #nmap -A -sC -Pn <Target IP>


Analyzing the above Nmap scan we now know the number of ports and their associated services that are running on the host. So we have 2 services running under port 1000 and ssh service running on the higher port. Also, as highlighted above, we see that we have got an anonymous ftp login, let’s try to log in and see if we can find anything.

From ftp access as shown above, we are able to gather some information as ForMitch.txt. We will further extract the file and let's see what output we get...

From the message from FromMitch.txt file we can deduce that passwords used are not strong as well as same for users.
Since, in nmap scan port 80 was open, we will try to access the URL and try to enumerate. 

From above image we can see apache server running and nothing much. To get other directories within the server and perform enumeration gobuster is a good choice.

#gobuster dir -u http://<Target IP> -w /usr/share/wordlists/dirb/common.txt


From above enumeration, we got a directory /simple.
Let's access the directory...
10.10.103.252/simple/
As we found CMS Made Simple Application inside, on the bottom left of the page we can also witness the version used which is 2.2.8
Let's search for the exploit for CMS Made Simple ver2.2.8
#searchsploit cms made simple 
 
We can see that there is one about sql injection!
Let's search the exploit on exploit-db to get more information.

https://www.exploit-db.com/exploits/46635
So the answer is CVE-2019-9053 .
And the type of vulnerability is SQL Injection(sqli)
To run the further exploit we have to download the python script provided on the exploit-db.
Prior to executing the python script for exploitation make sure all the libraries required and pip is installed.
 

The output on executing the above command:-


From the above image, it is clear that username and password are compromised as mitch and secret respectively.

Now, as port 2222 have an ssh as shown in nmap scan, let's get the user shell
#ssh mitch@<target IP> -p2222

When we access the shell it’s time to see what is inside.
#ls -la
You are going to notice a user.txt file.
#cat user.txt
Answer is G00d j0b, keep up!

Let's go further
#cd /home
#ls
We can see users as
mitch & sunbath

For the next task if we type "sudo -l" command it reflects that we can use vim directory to gain root access.


Search for vim sudo on GTFobins site, to get the command to gain root access.
sudo vim -c':!/bin/sh
After executing the command

to get the root flag, We just need to run simple commands
#cd /root
#ls
#cat root.txt 


Thank you very much for reading. I hope you find this blog useful.

!!!!Happy Hacking!!!!
















 
















Comments

Post a Comment

Popular posts from this blog

Image
  Try-hack-me PICKLE-RICK : Walkthrough Today I completed an other room on tryhackme with a Rick and Morty theme to it! Let's go and complete the room Pickle Rick from try Hack Me! Scanning & Enumeration A good rule of thumb is to start by scanning your machine for any open ports.  #nmap -T4 -sC -sV -A -p- <target IP> Enumerating Services Port 22- ssh Here we are able to see that our SSH port is open. This port isn't too vulnerable unless we have found some credentials. So we will not mess with it. Port 80- http It's here where we find a webservice. Lets see if there is anything interesting. This webpage comes up on port 80. There’s no useful data in here. But what if we check the page source? Checking out the source code of a page can reveal all sorts of things.  Great it looks like we have found a user name!!!  Most websites will have a robots.txt file that will tell a browser what is and isn't allowed to index. So lets see if there is one for this site. Su
Read more
Image
  Try-hack-me Lian_Yu : Walkthrough This post is a walkthrough of an Arrowverse themed beginner CTF box on Tryhackme. Let’s get started by deploying the machine. Now, after deploying the machine, start with a basic Nmap scan and see which ports and services are open and running on the particular IP address. #nmap -A -sC -sV <target IP> Port 80 is open and running so let’s look at the webpage first.. The First step is to check the page source and robots.txt but no information found there, so let’s move to enumeration. #gobuster dir -u http://<target IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt Looks like we have found a directory /island let’s look at it. The webpage looks like this at first instance but when I saw the source code I realized the the code word is also given in as vigilante but is in the white text. So here we got our code word.  I then ran gobuster again with the addition of the new directory I had found directory inside island di
Read more