TryHackMe | SimpleCTF Write-Up
Hi, we are going to solve SimpleCTF on TryHackMe.
SimpleCTF: https://tryhackme.com/room/easyctf by MrSeth6797
Let's begin by pinging the machine to see if it is up and running.
Our target is up, and as you can see from the TTL value, it is a Linux machine.
Now let's use nmap to find the open ports, the service running on each port, and the version of that service.
sudo nmap -p- -T4 -sV -v -O -oN output
Ports 21, 80 and 2222 are open on this machine.
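The -oN file written by the nmap command above is plain text, so the open-port list can be pulled out and compared against an allowlist of services that are supposed to be exposed. The following is an added example, not part of the write-up: the scan text it parses is a constructed fragment in nmap's normal-output format, the host address and version banners are placeholders, and the allowlist is whatever the practitioner expects to be reachable.

```python
"""Parse nmap normal output (-oN) and flag services outside an allowlist.

Added example, not from the write-up. SAMPLE_OUTPUT is a constructed
fragment in the -oN format; the address and banners are placeholders.
"""
import re

# Constructed sample of what `nmap -p- -T4 -sV -v -O -oN output` writes.
SAMPLE_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -p- -T4 -sV -v -O -oN output 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE    VERSION
21/tcp   open   ftp        vsftpd 0.0.0 (placeholder banner)
80/tcp   open   http       Apache httpd 0.0 (placeholder banner)
2222/tcp open   ssh        OpenSSH 0.0 (placeholder banner)
8080/tcp closed http-proxy
Service detection performed. Please report any incorrect results.
# Nmap done at ... -- 1 IP address (1 host up) scanned in 120.00 seconds
"""

# One port line: "<port>/<proto> <state> <service> [version ...]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_open_ports(text):
    """Return [(port, proto, service, version)] for every port reported open."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue
        found.append((int(m.group("port")), m.group("proto"),
                      m.group("service"), (m.group("version") or "").strip()))
    return found


def open_port_numbers(text):
    """Just the open port numbers, in the order nmap listed them."""
    return [entry[0] for entry in parse_open_ports(text)]


def flag_unexpected(text, allowed_ports):
    """Return [(port, service)] for open ports not in the allowlist.

    A defender compares the scan against what the host is supposed to expose;
    anything else (here: FTP and an SSH daemon on a non-standard port) is
    drift worth explaining or closing.
    """
    return [(port, svc) for port, _proto, svc, _ver in parse_open_ports(text)
            if port not in allowed_ports]


if __name__ == "__main__":
    for port, proto, svc, ver in parse_open_ports(SAMPLE_OUTPUT):
        print(f"{port}/{proto}\t{svc}\t{ver}")
    print("unexpected:", flag_unexpected(SAMPLE_OUTPUT, {80}))
```

Only the PORT/STATE/SERVICE table is parsed; the script ignores the banner lines before and after it, and treats anything whose STATE column is not literally "open" (closed, filtered, open|filtered) as not exposed.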
Let's see if the FTP service on port 21 has any known vulnerabilities.
There is a DoS exploit for it, but that is of no use for our purposes here.
Let's see if we can log in to FTP anonymously.
Yes, anonymous FTP login works. Let's start enumerating.
There is a folder called pub containing a text file. Let's download that file to our local machine and read it.
Dammit man… you’te the worst dev i’ve seen. You set the same pass for the system user, and the password is so weak… i cracked it in seconds. Gosh… what a mess!
This is all we got from FTP. Let's take a look at the website on port 80.
Let's find directories using the gobuster tool.
Let's take a look at the directory called /simple.
Just taking a glance at the site, we can see that the CMS version is 2.2.8.
Let's search for an exploit for CMS 2.2.8.
There is an exploit for this CMS. It uses an SQL injection attack vector.
But there is a small problem with this Python code.
I think we can solve this problem by converting the Python 2 code to Python 3.
I used this website to convert the Python 2 code to Python 3: https://python2to3.com/
./46635.py -u http:///simple/
The cracking part of the code gave me an error, so I will try to crack this password manually.
Let's first identify the hash.
It looks like it is MD5.
Let's try to crack it using hashcat.
First, I wrongly used -m 0 because I forgot that there is a salt.
-m 10 ($pass.$salt) didn't work, so I used -m 20 ($salt.$hash).
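The reason the mode matters is that hashcat's -m 10 and -m 20 compute md5 over the two concatenation orders, password then salt versus salt then password, and the same inputs give two different digests. The snippet below is an added example, not the write-up's code: it builds both forms of a salted MD5 and reports which ordering a stored hash actually uses. The salt value is constructed; the password "secret" is the one the write-up recovers.

```python
"""Salted MD5 concatenation order, as hashcat -m 10 vs -m 20 see it.

Added example, not from the write-up. The salt is constructed.
"""
import hashlib
import hmac

# hashcat: -m 10 = md5($pass.$salt), -m 20 = md5($salt.$pass)
ORDERS = ("pass.salt", "salt.pass")
HASHCAT_MODE = {"pass.salt": 10, "salt.pass": 20}


def salted_md5(password, salt, order):
    """Hex MD5 of password and salt concatenated in the given order."""
    if order == "pass.salt":
        data = password + salt
    elif order == "salt.pass":
        data = salt + password
    else:
        raise ValueError("order must be one of %r" % (ORDERS,))
    return hashlib.md5(data.encode()).hexdigest()


def identify_salt_order(stored_hash, salt, password):
    """Return the order under which the known password reproduces stored_hash, or None.

    compare_digest keeps the comparison constant-time; with a single known
    password this only tells you which hashcat mode the stored format needs.
    """
    for order in ORDERS:
        if hmac.compare_digest(salted_md5(password, salt, order), stored_hash.lower()):
            return order
    return None


def hashcat_mode_for(stored_hash, salt, password):
    """Map the detected order onto the hashcat -m value, or None if neither matches."""
    order = identify_salt_order(stored_hash, salt, password)
    return HASHCAT_MODE.get(order)


if __name__ == "__main__":
    salt = "1dac0d92e9fa6bb2"                  # constructed salt
    stored = salted_md5("secret", salt, "salt.pass")
    print("stored hash :", stored)
    print("pass.salt   :", salted_md5("secret", salt, "pass.salt"))
    print("order       :", identify_salt_order(stored, salt, "secret"))
    print("hashcat -m  :", hashcat_mode_for(stored, salt, "secret"))
```

The same ambiguity is why a weak scheme like this falls quickly: MD5 is cheap, the salt is stored next to the hash, and once the ordering is known only the password's own strength stands between the digest and the plaintext.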
As we can see from the output, we got a username and a password. Let's try to SSH into the machine.
username: mitch, password: secret, port: 2222
Let's start enumerating!
There is a user.txt flag located in /home/mitch.
The other flag is probably in the /root folder.
It's time for privilege escalation.
Here are my simple and basic Linux PE notes.
We can see that we can execute vim with root privileges via sudo.
Let's look at GTFOBins.
sudo vim -c ':!/bin/sh'
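The misconfiguration behind this is a sudoers entry that lets the user run an editor as root, and the same `sudo -l` listing that reveals it to an attacker is what an administrator should be auditing. The script below is an added example, not part of the write-up: it parses a constructed `sudo -l` listing shaped like the one found here (vim runnable as root by mitch; the hostname is a placeholder) and flags entries that are unrestricted or name a program GTFOBins documents as able to spawn a shell. SHELL_ESCAPE_BINARIES is a short illustrative subset, not GTFOBins' full list.

```python
"""Audit `sudo -l` output for entries that amount to a root shell.

Added example, not from the write-up. SAMPLE_SUDO_L is constructed; the
hostname is a placeholder. SHELL_ESCAPE_BINARIES is an illustrative subset.
"""
import os
import re

# Constructed `sudo -l` listing for the user the write-up lands as.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on example-host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update
"""

# Illustrative subset of programs that can escape to a shell when run under sudo.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "find", "awk",
                         "python3", "perl", "bash", "sh"}

# Command line shape: "(runas) [TAG: TAG: ...] /path/to/command [args]"
ENTRY = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?:(?P<tags>(?:[A-Z]+:\s*)+))?(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Return [(runas, tags, command)] for each command entry in `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines and Defaults do not start with "(runas)"
        tags = tuple(t.strip() for t in (m.group("tags") or "").split(":") if t.strip())
        entries.append((m.group("runas"), tags, m.group("cmd").strip()))
    return entries


def risky_entries(text):
    """Flag root-capable entries that are unrestricted (ALL) or a shell-escape binary."""
    flagged = []
    for runas, _tags, cmd in parse_sudo_l(text):
        if "root" not in runas and "ALL" not in runas:
            continue
        binary = os.path.basename(cmd.split()[0])
        if cmd == "ALL":
            flagged.append((cmd, "unrestricted"))
        elif binary in SHELL_ESCAPE_BINARIES:
            flagged.append((cmd, f"{binary} can spawn a shell"))
    return flagged


if __name__ == "__main__":
    for entry in parse_sudo_l(SAMPLE_SUDO_L):
        print("entry :", entry)
    for cmd, reason in risky_entries(SAMPLE_SUDO_L):
        print("RISK  :", cmd, "->", reason)
```

The fix is to drop the entry, or to grant what the user actually needs (a specific file through `sudoedit`, a specific command with fixed arguments) rather than an interactive editor; sudo's `NOEXEC` tag also blocks the `:!` escape for dynamically linked programs, but it is a backstop, not a substitute for a narrower rule.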
And congrats, we got a root shell using vim.
I hope that this write-up helped those who are interested. Thank you for reading.
:)