The Simple CTF — TryHackMe Writeup
Hello guys! Today we will be looking at ‘The Simple CTF’. It is a beginner-level CTF on TryHackMe. TryHackMe has always been the best platform for playing CTFs. “Simple CTF” will teach you a lot about various vulnerabilities. So, without wasting time, let’s begin :)
After connecting to the box, we can enumerate the network using nmap.
nmap -A -sS <IP_ADDRESS>
We can see three open ports after scanning the top 1000 ports: an FTP server on port 21, a web server on port 80 and SSH on port 2222.
We notice the default web server runs on Apache2.
Before searching for exploits, we can search the server for common web directories using the gobuster tool.
gobuster -u <URL> -w /usr/share/wordlists/dirb/common.txt
We visit the “robots.txt” file, but we do not find anything interesting.
Now, we open the “/simple” page.
We can find from the page that the webserver has CMS Made Simple v2.2.8 installed.
On the same page, we can find the link for the page admin login form.
With the information we gathered, we can go to the exciting part: exploitation!
Using searchsploit, we can try to find an appropriate exploit.
From the results above, we can see that ‘CMS Made Simple < 2.2.10 - SQL Injection’ looks promising. This is backed up by a simple Google search as well.
Now, we get more information about the exploit using:
searchsploit -p 46635
But when I tried to execute the program, I got an error that termcolor wasn’t present. This can be fixed by executing the following command.
We can run the exploit using:
python2 /usr/share/exploitdb/exploits/php/webapps/46635.py -u http://<ip>/simple/ --crack -w /usr/share/wordlists/passwords/rockyou.txt
Logging in with the credentials, we can successfully authenticate to the admin page!
I couldn’t find anything interesting here, so I tried to access the SSH service with:
ssh mitch@<IP_ADDRESS>
Using the same credentials, I can successfully log in!
In the home directory, we can find the user flag!
To find other users, I used:
ls /home
There is a second user called sunbath, but I couldn’t access that directory. To escalate our privileges, I tried to find files with root access for user ‘mitch’.
We can execute vim with root permissions.
To find different ways of Privilege Escalation, we can use this handy dandy website:
https://gtfobins.github.io/gtfobins/vim/
We can use this command for vim:
sudo vim -c ':!/bin/sh'
And, voila! We have root access.
Now, to find the root flag, we can access the /root directory.
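The sudo rule abused above is exactly what a defender should be hunting for in sudoers. As an added example (not part of the original writeup), the script below parses sudoers-style rules and flags any that grant a binary GTFOBins documents as able to spawn a shell, or that grant ALL. The sudoers fragment and the binary subset are constructed assumptions for this example.

```python
"""Audit sudoers-style rules for binaries with known shell escapes.

The sudoers text and the binary list below are constructed for this example;
the list is a hand-picked subset of what GTFOBins documents, not a full mirror.
"""
import re

# Binaries GTFOBins documents as able to spawn a shell when run via sudo
# (subset chosen for this example; extend from https://gtfobins.github.io/).
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "view", "less", "more", "man", "find", "awk", "nano", "python",
}

# Matches "user HOST=(runas) [TAG:]* commands", e.g.
# "mitch ALL=(root) NOPASSWD: /usr/bin/vim". Aliases and Defaults are skipped.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (user, runas, binary, nopasswd) for each risky command grant."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"           # sudoers default runas is root
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append((m.group("user"), runas, binary or "ALL", nopasswd))
    return findings

# Constructed sudoers fragment: a NOPASSWD vim rule like the one abused on the box,
# plus a rule for a binary without a documented shell escape.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults env_reset
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for user, runas, binary, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        extra = " without a password" if nopasswd else ""
        print(f"[!] {user} may run {binary} as {runas}{extra}: shell escape possible")
```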
Thanks for the read! :)