TryHackMe - Simple CTF
Beginner level capture the flag
6/11/2024
Simple CTF
Let's first run nmap and check what ports are open.
Open a new terminal and run the following command:
nmap -T4 -sC -sV -Pn -oN ~/Documents/nmap/initial TARGET_IP
Once complete, the output shows there are 3 open ports: 21, 80 and 2222 (ssh).
How many services are running under port 1000?
From the previous command's output we can see that there are 2 services running under port 1000: port 21 and port 80.
What is running on the highest port?
Again, from the previous output we can see that port 2222 is the highest open port, running ssh.
What's the CVE you're using against the application?
Browsed the website.
Ran gobuster against the website.
Found /simple as a page and browsed to it.
Saw that it's running CMS Made Simple version 2.2.8.
Googled that application and version to see if anything turned up - found CVE-2019-9053.
To what kind of vulnerability is the application vulnerable?
It is vulnerable to SQL injection (sqli).
Downloaded the exploit Python script from https://www.exploit-db.com/exploits/46635/
The script is for Python 2 and I've got Python 3 installed.
Let's get ChatGPT to sort that out for us and convert the code to Python 3.
Now let's run the following command:
python test.py -u http://TARGET_IP/simple --crack -w /usr/share/wordlists/rockyou.txt
What's the password?
The password is "secret".
Where can you login with the details obtained?
So let's try to log in to the server using ssh and the credentials we have.
ssh mitch@10.10.64.229 -p 2222
What's the user flag?
After we log in I do a quick directory listing of the folder we are in and discover user.txt.
Open that baby up and find the user flag: G00d j0b, keep up!
Is there any other user in the home directory? What's its name?
OK, let's browse to the /home directory and run ls to see if there are any additional users' home dirs.
We find the sunbath home directory.
What can you leverage to spawn a privileged shell?
If we run sudo -l we can see what access the user mitch has.
$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
Now let's head over to GTFOBins and type in vim. Click on sudo to see what we could use to gain privileged access.
The first one states to run sudo vim -c ':!/bin/sh'
Done and done. Let's browse to that sunbath home directory just to check - yep, access granted. vim is the answer.
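From the defender's side, the sudo -l listing above is exactly what an audit should catch. The following is an added example, not part of the original write-up: a small Python check that parses sudo -l output and flags rules granting root on a program that can launch other commands. The function name, the program list and the last two sample lines are assumptions made for illustration, and a rule carrying the NOEXEC tag is treated as mitigated.

```python
import os
import re

# Programs that can run other commands from inside themselves. vim is the one
# from this write-up; the rest are an illustrative, incomplete set (assumption).
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "bash", "sh"}

RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG: ...] cmd, cmd"
TAG = re.compile(r"^([A-Z_]+):\s*")             # NOPASSWD:, NOEXEC:, ...


def audit_sudo_listing(text):
    """Return (command, reason, nopasswd) for each risky rule in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # banner and Defaults lines
        runas_user = rule.group(1).split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue  # only rules that grant root are of interest here
        nopasswd = noexec = False
        for cmd in rule.group(2).split(","):
            cmd = cmd.strip()
            # Tags apply to the command they precede and to the ones after it.
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                elif tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                cmd = cmd[tag.end():]
            if cmd == "ALL":
                findings.append((cmd, "unrestricted", nopasswd))
            elif cmd and os.path.basename(cmd.split()[0]) in SHELL_CAPABLE and not noexec:
                findings.append((cmd.split()[0], "shell-capable", nopasswd))
    return findings


# First two lines are the listing from the write-up; the last two are constructed.
SAMPLE = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less, /usr/bin/systemctl status nginx
    (www-data) NOPASSWD: /usr/bin/find
"""

if __name__ == "__main__":
    for command, reason, nopasswd in audit_sudo_listing(SAMPLE):
        print(f"{command}: {reason}, password required: {not nopasswd}")
```

Where a user only needs to edit particular files as root, sudoedit on those files avoids running the editor itself as root.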
What's the root flag?
Browse over to the /root directory and we find root.txt.
Open that up and we find the answer: W3ll d0n3. You made it!