Simple CTF — TryHackMe Walkthrough

Advait Jadhav
4 min read · Mar 10, 2024


Hi! Today I will be doing Simple CTF on TryHackMe.

Room link: https://tryhackme.com/room/easyctf

Let's get started!

Step 0: Reconnaissance

Before we get started, let's add the target IP to /etc/hosts so we can refer to the machine as simple.ctf in the commands that follow.

/etc/hosts

We'll use nmap (Network Mapper) to enumerate the host and gather information about the target machine.

sudo nmap -sC -sV -oN logs/initial_nmap simple.ctf

  1. -sC: run the default set of NSE scripts against the target host.
  2. -sV: enable service version detection.
  3. -oN: save the output in normal (human-readable) format.

initial nmap scan

Brief:

  1. 21/tcp: FTP (File Transfer Protocol), a network protocol used for transferring files between a client and a server. Anonymous login is enabled on this server (no credentials required).
  2. 80/tcp: Apache web server, with entries in its robots.txt file.
  3. 2222/tcp: SSH (Secure Shell), used for secure remote access to systems. We must find a username and password to log in over SSH.

Step 1: Inspecting the FTP server

As the nmap scan showed, anonymous login is enabled on the FTP server, so we can log in without credentials and access its files.

FTP

I found a pub directory containing a note for Mitch, who could be one of the users on the target machine. Let's download it and see what it contains.

ForMitch.txt

It seems mitch is using a weak password for his system account; we can use rockyou.txt to crack it.

Step 2: The Web Server

Let's open the browser and check the web server running on port 80.

Apache Default Page

It's the default Apache page. Let's check robots.txt.

robots.txt

We get one path, /openemr-5_0_1_3, and a possible user, Mike.

Let's curl /openemr-5_0_1_3.

/openemr

No luck, we get a 404. Let's use gobuster to look for hidden directories.

gobuster dir -u http://simple.ctf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
gobuster

And we find a hidden directory, /simple. Let's check it out!

CMS Made Simple

It is running CMS Made Simple version 2.2.8. On researching it, I found that this version is vulnerable to a SQL injection attack (CVE-2019-9053).

Searchsploit

Let's use this exploit!

python CVE-2019-9053.py -u http://10.10.2.28/simple/ --crack -w 10k-most-common.txt

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

Great! We now have the password. As the note suggested earlier, mitch uses the same password for his system account, so let's use these credentials to SSH into the target machine.

Step 3: Getting into the target machine

ssh mitch@simple.ctf -p 2222
user.txt

And there we have our first flag.

Step 4: Privilege Escalation

Now let's check which commands Mitch is allowed to run as root on this machine.

sudo -l

Mitch can run vim with root privileges. Let's check GTFOBins for a way to abuse this configuration.

sudo vim -c ':!/bin/bash'
root shell
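The fix for this misconfiguration is on the administrator's side: a sudo rule that lets a user run an interactive editor as root is equivalent to giving them a root shell. The following audit script is an added example, not part of the original room or walkthrough; it parses `sudo -l`-style output (a constructed sample, since the room's real output is not reproduced here) and flags root rules whose binary has a known shell escape.

```python
import re

# Binaries GTFOBins documents as able to spawn a shell when run under sudo.
# Constructed subset for this example; extend from GTFOBins as needed.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "man", "awk", "find"}

# Constructed sample of `sudo -l` output (an assumption for the example;
# the real output from the room is not reproduced on the page).
SAMPLE_SUDO_L = """Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl status apache2
"""

# One rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_rules(text):
    """Return (runas, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # rule lines follow this header
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            nopasswd = "NOPASSWD:" in m.group("tags")
            rules.append((m.group("runas").strip(), nopasswd, m.group("cmd").strip()))
    return rules


def risky_rules(text):
    """Flag rules that run a shell-escape-capable binary as root or ALL."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES and ("root" in runas or "ALL" in runas):
            findings.append({"command": cmd, "nopasswd": nopasswd,
                             "advice": f"{binary} can spawn a shell; use sudoedit or a restricted wrapper"})
    return findings


if __name__ == "__main__":
    for finding in risky_rules(SAMPLE_SUDO_L):
        print(finding)
```

On the sample, only the vim rule is flagged; the systemctl rule passes because it is pinned to a specific non-interactive command.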

And there we have our root shell. Let's grab the final flag to complete this room!

root.txt

Conclusion:

Simple CTF is an easy-rated room on TryHackMe. To solve it you need knowledge of service enumeration, web exploitation, privilege escalation and similar basics. It is a great room for beginners to get exposure to more advanced CTFs.
