This guide walks through the steps to tackle the Simple CTF challenge available on TryHackMe, suitable for beginners in the field of cybersecurity and hacking.
Reconnaissance
Any hacker’s first step upon encountering a target involves reconnaissance. This phase involves exploring and gathering information about the target to obtain the necessary flags, answer questions, and complete the challenge.
Let’s begin.
Scanning with Nmap
Upon scanning our target with Nmap, we discover three open ports:
- Port 21 (FTP): Accessible with the “anonymous” login
- Port 80 (HTTP)
- Port 2222 (SSH): Requires a username and password
Answering the first and second questions is easy once we have reviewed the Nmap result: it tells us how many services are running on ports below 1000 and which service is running on the higher port.
FTP Exploration
Connecting via FTP using the “anonymous” login without a password, we execute the ‘ls -al’ command, obtaining a directory listing.
Navigating into the “pub” directory, we locate a file named “ForMitch.txt.” Viewing its contents reveals a message addressed to someone named Mitch, hinting that this user has an easily crackable password. We file that away for later.
HTTP Investigation
Using dirsearch, we uncover several web pages such as ‘/index.html,’ ‘/robots.txt,’ and ‘/simple.’
We check the pages we have available, and the first two contain nothing interesting. Scrolling through the ‘/simple’ page, we find something at the very bottom: a footer showing that the site is powered by ‘CMS Made Simple’.
Is there anything special about this?
Researching known exploits for the version of CMS Made Simple powering this website, we find one we can use. That answers both the ‘What CVE are you using against the application?’ and ‘What kind of vulnerability is the application susceptible to?’ questions.
Exploiting
Utilizing searchsploit, we locate and download the exploit.
It is a Python script, and it runs without any problems on the provided AttackBox. However, if you’re using Python 3 or higher, a few modifications are necessary: in Python 3, print is a function, so you’ll need to add parentheses wherever the script uses a print statement.
Running it as ‘python (script) -u (url),’ we recover a hashed password, username, email, and salt for an account.
Utilizing hashcat and the wordlist we have available, we are able to successfully crack Mitch’s password.
Like the person who left the message for Mitch said, it was really easy to crack.
Now we have our password and our username.
SSH Access
With the acquired username and password, we gain access to the system via SSH on port 2222. Exploring the directories using ‘ls -al,’ we discover a file named ‘user.txt.’
Checking the contents of the file, we can see that it contains the user flag.
That done, we can now move on to exploring the system and answering other questions.
We list the contents of ‘/home’ with ‘ls -al /home’ and can see that there is another user besides mitch. That answers the question asking whether there is any other user in the home directory.
Elevating Privileges
One of the questions pertains to the root flag. Since we don’t have the root account’s credentials, we explore alternative ways to gain root access. Another question asks what we can use to create a privileged shell.
We check our available privileges with ‘sudo -l’ and discover that we can execute ‘sudo vim’ without a password. That lets us use vim to spawn a privileged shell.
Executing ‘sudo vim’ and entering ‘:!bash’ enables us to spawn the privileged shell, facilitating the search for the root flag.
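From the defender’s side, the weakness found with ‘sudo -l’ is a sudoers rule that grants an editor under sudo. The following audit script is an added example, not part of the original write-up or the room: it parses sudoers-style rules and flags editors that can spawn a shell, suggesting sudoedit (which runs the editor as the calling user) as the replacement. The sample rules, user names and file paths are constructed.

```python
import re
from os.path import basename

# Editors that can launch a shell from inside the editor; vim is the one the
# room abuses, so granting it under sudo is the same as granting a root shell.
SHELL_ESCAPE_EDITORS = {"vim", "vi"}

# Shape of a sudoers rule:  user  host = (runas) [TAG:] cmd [, [TAG:] cmd ...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def parse_rule(line):
    """Parse one sudoers rule; returns None for blank lines, comments and Defaults."""
    line = line.strip()
    if not line or line[0] == "#" or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    user, _host, runas, cmd_list = m.groups()
    cmds, tags = [], set()
    for spec in cmd_list.split(","):
        spec = spec.strip()
        # A tag such as NOPASSWD: applies to every later command in the list
        # until PASSWD: switches it off again.
        while (tm := re.match(r"^([A-Z]+):\s*(.*)$", spec)):
            tag, spec = tm.group(1), tm.group(2)
            tags.discard("NOPASSWD") if tag == "PASSWD" else tags.add(tag)
        cmds.append((spec.split()[0] if spec else "", frozenset(tags)))
    return {"user": user, "runas": runas or "root", "cmds": cmds}

def audit_sudoers(text):
    """Return (user, command, finding) triples for rules that hand out a root shell."""
    findings = []
    for rule in filter(None, map(parse_rule, text.splitlines())):
        for cmd, tags in rule["cmds"]:
            if basename(cmd) in SHELL_ESCAPE_EDITORS:
                how = "without a password" if "NOPASSWD" in tags else "after a password"
                findings.append((rule["user"], cmd,
                    f"editor can spawn a root shell {how}; use sudoedit instead"))
            elif cmd == "ALL" and "NOPASSWD" in tags and rule["user"] != "root":
                findings.append((rule["user"], cmd, "passwordless ALL is a root shell"))
    return findings

# Constructed sample, not the room's real sudoers: the third line is the
# weakness the write-up finds with 'sudo -l'; the fourth is the hardened form.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
mitch   ALL=(root) sudoedit /etc/motd
"""

if __name__ == "__main__":
    for user, cmd, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}: {why}")
```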
We search through the system to locate the root flag, and it doesn’t take long before we find it.
And that’s it! We have completed the challenge and found all the flags!