Simple CTF — TryHackMe Walkthrough
Hi! Today I will be doing Simple CTF on TryHackMe.
Room link: https://tryhackme.com/room/easyctf
Let's get started!
Step 0: Reconnaissance
Before we get started, let's add the target's IP to /etc/hosts so we can refer to it by the hostname simple.ctf.
We'll use nmap (Network Mapper) to enumerate the host and gather information about the target machine.
sudo nmap -sC -sV -oN logs/initial_nmap simple.ctf
- -sC — to run the default set of script scans for a target host.
- -sV — to enable version detection for target host.
- -oN — to save the output in normal format.
Brief:
- 21/tcp — FTP (File Transfer Protocol) — a network protocol used for transferring files between a client and a server. Anonymous login is enabled on this server (no credentials required).
- 80/tcp — Apache web server with entries in the robots.txt file.
- 2222/tcp — SSH (Secure Shell) — used for secure remote access to systems; we must find a username and password to log in over SSH.
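As an added example (not part of the original walkthrough), here is a small Python parser for nmap's normal-format (-oN) output that pulls out the port table with its NSE script lines and flags the three exposures listed in the Brief: anonymous FTP, a robots.txt that discloses paths, and SSH on a non-default port. The scan text below is constructed to resemble the room's result; the version strings in it are illustrative only.

```python
import re

# Constructed sample of nmap -oN (normal) output in the shape the scan above
# produces; the version strings are illustrative, not taken from the room.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -sC -sV -oN logs/initial_nmap simple.ctf
Nmap scan report for simple.ctf (10.10.2.28)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
"""

# One port line, e.g. "21/tcp   open  ftp     vsftpd 3.0.3"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_normal(text):
    """Parse -oN output into one dict per port; NSE script lines ("|" / "|_")
    are attached to the port line that precedes them."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

def review_findings(ports):
    """Flag the exposures the Brief above calls out: anonymous FTP,
    robots.txt disclosing paths, and SSH on a non-default port."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        script_text = " ".join(p["scripts"])
        if p["service"] == "ftp" and "Anonymous FTP login allowed" in script_text:
            findings.append((p["port"], "anonymous FTP login enabled"))
        if "http-robots.txt" in script_text:
            findings.append((p["port"], "robots.txt discloses paths"))
        if p["service"] == "ssh" and p["port"] != 22:
            findings.append((p["port"], "SSH on non-default port"))
    return findings
```

Run `review_findings(parse_nmap_normal(open("logs/initial_nmap").read()))` against the real scan log to get the same summary for the live host.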
Step 1: Inspecting the FTP server
As caught in the nmap scan, anonymous login is enabled for the FTP server, so we can use this to log in without credentials and access the files.
I found a pub directory inside which there was a note for Mitch, who could be one of the users on the target machine. Let's download it and see what it contains.
Seems like mitch is using a weak password for the system user; we can use rockyou.txt to crack it.
Step 2: The Web Server
Let’s open the browser and check the web server running on port 80.
It's the default Apache page. Let's check robots.txt.
We got one path, /openemr-5_0_1_3, and a possible user, Mike.
Let's curl /openemr-5_0_1_3.
No luck, we get a 404. Let's use gobuster to check for hidden directories.
gobuster dir -u http://simple.ctf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
And we find a hidden directory. Let’s check it out!
It is using CMS Made Simple version 2.2.8. On researching, I found that it is vulnerable to a SQL injection attack (CVE-2019-9053).
Let's use this exploit!
python CVE-2019-9053.py -u http://10.10.2.28/simple/ --crack -w 10k-most-common.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
Great! We now have the password. As mentioned earlier, mitch was using the same password for the system, so let's use these credentials to SSH into the target machine.
Step 3: Getting into the target machine
ssh mitch@simple.ctf -p 2222
And there we have our first flag.
Step 4: Privilege Escalation
Now let's check which commands Mitch can run as root on this machine.
Mitch can execute the vim command with root privileges; let's check GTFOBins for a way to abuse this configuration.
sudo vim -c ':!/bin/bash'
And there we have our root shell. Let's grab the final flag to complete this room!
Conclusion:
Simple CTF is an easy-rated room on TryHackMe. To solve it you need knowledge of service enumeration, web exploitation, privilege escalation, and so on. It is a great room for beginners to get exposure to more advanced CTFs.
Happy Hacking!