TryHackMe : Simple CTF

TryHackMe Room : https://tryhackme.com/room/easyctf

Aim : To get to the root of the machine and read the flag file.

Difficulty Level : Easy

Connect to the TryHackMe network using openvpn:

sudo openvpn /path/to/username.ovpn

Scanning and Enumeration

1. How many services are running under port 1000?

sudo nmap -sV --script vuln -p1-10000 -vv "Target Ip"

we have 3 services running on ports 21, 80 , 2222 . we also have a page “/robots.txt” , though it gives us no useful results .

2 .What is running on the higher port?

From above nmap scan , the service running on highest port(2222) is ssh .

3 . What’s the CVE you’re using against the application?

To answer the above question we need to do some more enumeration. I will use tools such as “nikto” and “gobuster” for this purpose . 

nikto -h "Target IP:
we just get the same “robots.txt” here too

We can enumerate the entire domain and can use directory busting to see if there is any thing of interest .Using “gobuster” :

gobuster dir -u "target_ip" -w wordlists/small.txt -t 200 -x .php -q
we got “/simple”,we should check what is there.

upon visiting the url , “/simple” is a CMS system .we also get a version at the very bottom left hand corner of the page:

CMS Made Simple version 2.2.8

To know about the exploits in this version of CMS Made Simple, let’s see exploit-db .

The answer to our 3rd question, we will use: CVE-2019-9053

4. To what kind of vulnerability is the application vulnerable?

It’s already given in above image, SQL Injection.

Exploitation

5. What’s the password?

Now to crack the password , I should at least have a username to bruteforce against. Since on the target machine ftp port 21 is open, it is wise to see if anonymous login is available or not:

we can use any password in most cases of anonymous login
ftp "target IP"
upon doing successful anonymous login , we have a text file and an Idea of username for the target machine.

Now on trying hydra to crack the password for username “mitch”:

hydra -l mitch -P rockyou.txt ssh://10.10.246.98:2222
woah , we have a password . So this will be the answer for this question.

6. Where can you login with the details obtained?

7. What’s the user flag?

we also have an ssh port at 2222 open , doing ssh using credentials for “mitch“:

ssh mitch@10.10.246.98 -p 2222
The output of last command give us the user flag (ques7), answer to question 6 will be ssh.

8. Is there any other user in the home directory? What’s its name?

ls /home
we have one more user ,this will be the answer .

9 . What can you leverage to spawn a privileged shell?

Now , this question is interesting , we need to check the system privilege for user “mitch” :

sudo -l
so , vim will be used to spawn a privileged shell

10. What’s the root flag?

we have permission to run vim as root , with no password required. Doing a little bit of googling , I got this :

Running this command as root :

sudo vim -c ':!/bin/sh'
Now , we have gained root privilege.

we can now find the root flag by :

ls /root -la
The output of last command give us the root flag!

The Machine has been conquered .

Unknown's avatar

Author: Snehil

Your daily IT guy who is interested mostly in Computers, Rock Music and Noir Movies .

Leave a comment

Design a site like this with WordPress.com
Get started