Simple CTF TryHackMe Write-up

Simple CTF is an easy, beginner-friendly capture the flag exercise on TryHackMe. It features a vulnerable CMS, a weak user password, and misconfigured sudo user privileges that lead to root level access.

Disclaimer: This post will include spoilers for the room, so be mindful of reading this if you want to solve the challenge on your own. Flags and cracked hashes will remain obfuscated.

Enumeration

Let's start our enumeration with Nmap.

We can run Nmap to check open ports with the -A flag, so we don't have to enumerate versions, run default scripts, and enable OS detection separately. Sometimes we will want to be more stealthy and avoid such an aggressive scan, but this is not one of those cases.

nmap -A 10.10.252.159

With the results, we find out many different pieces of information. We learn there is an FTP server on port 21, an HTTP server running on port 80, and an SSH server on port 2222, which we will explore in a bit.

This gives us the answers to the first two questions:

1. How many services are running under port 1000?

2

2. What is running on the higher port?

SSH

Not only that, but we also learn that FTP allows for anonymous logins. We can take advantage of this as we start exploring the rest of the system.


Exploration

Before exploring the website hosted on port 80, let's take a look at the vulnerable FTP server by entering the following command and logging in with the user “anonymous” when prompted.

ftp 10.10.252.159

Here, we can see there is a single directory called “pub,” and if we change directories to it, we see a file titled “ForMitch.txt.” Let's download that file to our local machine.

get ForMitch.txt

After downloading the file and exiting FTP, we can cat its contents. As expected, we see a message for someone named Mitch.

Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

This lets us know the user Mitch might be an easy target later on. For now, that's all we can gather, so let's start exploring the web server.

In the browser, we navigate to the target IP address. We don't really find anything of note here, so let's try further enumeration with gobuster to see if there are any other directories we can find:

gobuster dir -u http://10.10.252.159 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The output tells us there are a few other directories worth checking out, including /simple and /server-status. The latter throws up a 403 error as stated in the gobuster output, but the former takes us to a CMS.

Upon further investigation, we find the CMS is running something called “CMS Made Simple version 2.2.8.” We can search Exploit DB to see if there are any exploits for this particular piece of software.

And, just like that, we find the answer to our next two questions by finding an exploit and reading about it:

3. What's the CVE you're using against the application?

CVE-2019-9053

4. To what kind of vulnerability is the application vulnerable?

SQLi

Now that we have an exploit to try, let's move on to the next phase and see if we can make any progress.


Exploitation

After downloading the exploit from Exploit DB, we now have a Python script on our system called “46635.py.” Now, this is where we run into our first real hiccups in this exercise.

Whether by reading the script or by simply trying to run it, we realize it is written for Python 2, not Python 3. After trying to run it under Python 2, updating the code by hand, and even automating the conversion with 2to3, we still aren't able to get the script to run all the way through.

We can get the script to run and reveal a username, password hash, password salt, and an email address. The script should continue running to crack the password, but it keeps erroring out at this point, and I can't get it to work.

What we can do is use hashcat to manually crack the password, since we have both the hashed password and the salt. After some tinkering with hashcat, this is what we land on:

hashcat -O -a 0 -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt

We can also use the --force flag instead of -O to get the command to run. Honestly, I'm not sure which option is better, but at least there are multiple ways.
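As an added illustration that is not part of the original write-up, the Python below shows what hashcat mode 20 actually computes, md5($salt.$pass), which is why the input is given as hash:salt, and why a single fast MD5 per guess lets a weak password fall "in seconds". Beside it sits the hardened form a CMS should use instead: a slow, memory-hard KDF (scrypt) with a random per-user salt. The salt, password and wordlist here are constructed values, not the ones from the room.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample values for illustration; not the hash or salt from the room.
SAMPLE_SALT = "0123456789abcdef"
SAMPLE_PASSWORD = "example-password"
SAMPLE_WORDLIST = ["123456", "password", "qwerty", SAMPLE_PASSWORD]


def md5_salt_pass(password: str, salt: str) -> str:
    """hashcat -m 20 is md5($salt.$pass): the salt is prepended to the password.
    (Mode 10 would be md5($pass.$salt); the order matters.)"""
    return hashlib.md5((salt + password).encode()).hexdigest()


def hashcat_mode20_line(digest: str, salt: str) -> str:
    """The hash:salt form hashcat expects on the command line for mode 20."""
    return f"{digest}:{salt}"


def verify_md5_salted(stored_line: str, candidate: str) -> bool:
    """Check a candidate against a hash:salt line using a constant-time compare."""
    digest, salt = stored_line.split(":", 1)
    return hmac.compare_digest(md5_salt_pass(candidate, salt), digest)


def check_wordlist_md5(stored_line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Why a fast hash is weak: every guess costs one cheap MD5 and nothing else,
    so a dictionary like rockyou.txt is exhausted in seconds on ordinary hardware."""
    for word in wordlist:
        if verify_md5_salted(stored_line, word):
            return word
    return None


# Hardened form: scrypt with a random 16-byte salt per user. The work factor
# (N=2^14, r=8, p=1) makes each guess cost ~16 MiB of memory and milliseconds
# of time, which is negligible for one login but crippling for a wordlist run.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt-hex>$<digest-hex>' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_scrypt(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    line = hashcat_mode20_line(md5_salt_pass(SAMPLE_PASSWORD, SAMPLE_SALT), SAMPLE_SALT)
    print("mode 20 input:", line)
    print("wordlist hit:", check_wordlist_md5(line, SAMPLE_WORDLIST))
    stored = scrypt_hash(SAMPLE_PASSWORD)
    print("scrypt record:", stored)
    print("scrypt verify:", verify_scrypt(stored, SAMPLE_PASSWORD))
```

The same wordlist loop against scrypt_hash would be the real comparison to run locally: each guess now costs a full KDF evaluation instead of one MD5 block, which is the property that turns a "cracked in seconds" hash into one that is not worth attacking offline.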

Anyway, after running hashcat we get the output revealing the cracked password and giving us the answer to the next question:

5. What's the password?

******

And, after some testing and referring to our findings from the enumeration step earlier, we find the answer to the next question as well:

6. Where can you log in with the details obtained?

SSH


Gaining access

Now that we have the credentials for the SSH server, we can gain a foothold on the system.

ssh mitch@10.10.252.159 -p 2222

With a simple ls command, we can find the user flag, and cat the contents to get the answer to the next question:

7. What's the user flag?

******************

The answer to the next question is as simple as navigating up one directory via cd .. and running another ls to reveal the other user:

8. Is there any other user in the home directory? What's its name?

sunbath


Getting root

We are on the home stretch now. There are only a few more steps to gain root and crack the box. First, we can see the next question is asking us how we can escalate privileges.

To achieve this, let's see what commands Mitch can execute with sudo. We find this out with the command sudo -l, which reveals the answer to our penultimate question:

9. What can you leverage to spawn a privileged shell?

vim

By navigating to our browser and heading to the GTFOBins GitHub page, we find that users can use vim to escalate privileges to root with a simple command:

sudo vim -c ':!/bin/sh'
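The root cause here is a sudoers rule that hands a user an interactive editor as root. As an added example (not part of the original write-up, and not the room's real configuration), the Python below audits sudoers-style rules and flags the ones that grant ALL or a binary known from GTFOBins to spawn a shell, which is the check an administrator would run before such a rule ever reaches a box. The sudoers text, the user names and the subset of GTFOBins binaries are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hand-picked subset of GTFOBins entries that can spawn a shell when run under
# sudo (editors, pagers, interpreters). Extend it from the GTFOBins list; a
# rule that is not matched here still deserves manual review.
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "nano", "less", "more", "man", "awk", "find",
    "perl", "python", "python3", "bash", "sh", "env",
}

# Constructed sample sudoers content; not the room's actual configuration.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
deploy  ALL=(root) /usr/bin/less /var/log/app.log
ops     ALL=(root) NOPASSWD: /usr/bin/df -h, /usr/bin/uptime
"""

# user  hosts = (runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>[%+]?\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, SETENV:, ...


@dataclass(frozen=True)
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    reason: str
    fix: str


def parse_rule(line: str) -> Optional[Tuple[str, str, bool, List[str]]]:
    """Return (user, runas, nopasswd, commands) for one user-spec line, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = m.group("runas") or "root"  # sudo runs as root when no runas is given
    spec = m.group("spec")
    tags = set()
    tag_match = TAG_RE.match(spec)
    if tag_match:
        tags = {t for t in tag_match.group(0).replace(" ", "").split(":") if t}
        spec = spec[tag_match.end():]
    commands = [c.strip() for c in spec.split(",") if c.strip()]
    return m.group("user"), runas, "NOPASSWD" in tags, commands


def audit_sudoers(text: str) -> List[Finding]:
    """Flag rules granting ALL or a known shell-escaping binary."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, nopasswd, commands = parsed
        for command in commands:
            binary = os.path.basename(command.split()[0])
            if command == "ALL":
                reason = "unrestricted sudo (any command)"
                fix = "limit the rule to the specific commands this account needs"
            elif binary in SHELL_ESCAPE_BINARIES:
                reason = f"{binary} can spawn a shell under sudo (see GTFOBins)"
                fix = ("use sudoedit for file edits, or add the NOEXEC: tag "
                       "so the binary cannot execute child processes")
            else:
                continue
            findings.append(Finding(user, runas, command, nopasswd, reason, fix))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = " NOPASSWD" if f.nopasswd else ""
        print(f"{f.user:<8} ({f.runas}){flag}: {f.command}\n    {f.reason}\n    fix: {f.fix}")
```

Rules for the trusted admin group legitimately grant ALL, so the unrestricted findings are a prompt to confirm membership rather than a defect by themselves; the mitch and deploy rules are the ones that turn a single weak password into root.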

All that's left is to navigate to the root directory, cat the “root.txt” file, and get the answer to our final question:

10. What's the root flag?

***********************


Summary

When all is said and done, we've now completed the Simple CTF exercise on TryHackMe. We first enumerated any services and ports on the target. Then, we explored the vulnerable FTP server, browsed the HTTP server, and enumerated a vulnerable CMS at a separate directory.

After that, we exploited that CMS to gain SSH login credentials, giving us a foothold into the system. Finally, we took advantage of poorly configured user sudo permissions to escalate privileges and gain root.

Tags: #CTF