Simple CTF
Beginner-level CTF
https://tryhackme.com/room/easyctf
We will run nmap to find what services are running.
We see 2 services running under port 1000 (vsftpd 3.0.3 and Apache httpd 2.4.18 (Ubuntu)). The higher port is running SSH. We search for subdirectories using dirb.
We found a directory /simple. We can visit the IP address in the browser to view the web application. We see it’s running so we can search for an exploit.
We search for the CMSMS 2.2.8 exploit. Exploit Database provides us with CVE-2019-9053.
Offensive Security's Exploit Database Archive: CMS Made Simple < 2.2.10 - SQL Injection. CVE-2019-9053. webapps exploit for PHP platform.
We see this is a SQLi vulnerability. We need to use the exploit to get the password. Let’s find it using searchsploit.
We copy the file to our computer and view it.
root@ip-10-10-99-175:~# searchsploit -m 46635.py
We see how the exploit should be run.
So let’s run the exploit. It tells us we need to install requests.
We do so by
Now we can run it
python2.7 46635.py -u http://10.10.45.111/simple --crack -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best110.txt
But we get an error telling us we need to install termcolor
sudo apt install python-pip -y
python2.7 -m pip install termcolor
We let the exploit run and we get an email, username and password.
Now that we have a username and password we can use SSH to access the victim computer. We could have also obtained the password using Hydra.
hydra -l mitch -P /usr/share/wordlists/rockyou.txt $IP ssh -s 2222
Let’s log in
We are logged in as mitch. We can navigate the system to find the flag.
We found another user in the home directory
We can see which commands we can run as root by
We see that vim is accessible. Through research we find that we can run a shell command (amongst others) in vim by using :!sh
Let’s try to get root by running the shell command. Create a shell file and
We see the # prompt, meaning we have root! Let's get the flag.
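The root shell came from a sudo rule that lets a normal user run vim, so the same rule is what an audit should catch. The following is an added example, not part of the original write-up: a Python check that parses the text printed by `sudo -l` and flags rules for programs with a built-in shell escape unless the NOEXEC tag is set. The sample listing, the SHELL_ESCAPE list and the function name are assumptions constructed for illustration.

```python
import os
import re

# Programs that can start a shell from inside themselves (vim's ":!sh" is the
# case in this write-up). Illustrative list, not exhaustive.
SHELL_ESCAPE = {"vim", "vi", "view", "less", "more", "man", "nano", "ed",
                "find", "awk", "env", "perl", "python", "python3", "ruby"}
ENTRY = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd, cmd"
TAG = re.compile(r"^([A-Z_]+):\s*")              # NOPASSWD:, NOEXEC:, ...

# Constructed sample in the format `sudo -l` prints; not taken from the room.
SAMPLE = """\
Matching Defaults entries for mitch on host:
    env_reset, mail_badpass

User mitch may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/sbin/apache2ctl graceful, NOEXEC: /usr/bin/less /var/log/syslog
    (ALL : ALL) ALL
"""

def audit_sudo_listing(listing):
    """Return one finding per risky command in the output of `sudo -l`."""
    findings = []
    for line in listing.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue                      # header or Defaults line
        runas, rest = entry.group(1).strip(), entry.group(2)
        tags = set()
        for cmd in rest.split(","):
            cmd = cmd.strip()
            # Tags precede a command and carry over to the ones after it.
            while (m := TAG.match(cmd)):
                tag = m.group(1)
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)
                cmd = cmd[m.end():]
            name = os.path.basename(cmd.split()[0]) if cmd else ""
            # NOEXEC stops a dynamically linked program from running further
            # commands, which blocks the editor/pager shell escape.
            escapes = name in SHELL_ESCAPE and "NOEXEC" not in tags
            if cmd == "ALL" or escapes:
                findings.append({"runas": runas, "command": cmd,
                                 "nopasswd": "NOPASSWD" in tags})
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE):
        print(finding)
```

Where a user only needs to edit one file with elevated rights, `sudoedit` or a NOEXEC-tagged rule avoids handing out the editor itself.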