Simple CTF — TryHackMe — Writeup

TonyRahmos
Oct 15, 2020

Hello everyone, I’m Rahmos. Here is my SimpleCTF — Tryhackme writeup. Check it out!

Simple CTF

First, we use nmap to enumerate which ports this machine has open.

nmap -sC -T5 -Pn -vv <ip>

nmap result

As we can see, it has FTP (21), Apache (80) and SSH (2222) open.

#1 So the first ans is 2: two services are running under port 1000.

#2 ssh is running on the higher port

Next, to answer question 3, we need to find out which CVE this machine is vulnerable to. But first, let’s try logging in to FTP as anonymous to see if there is anything valuable.

FTP

Not much we can use here. So let’s use another tool called Dirbuster.

After using Dirbuster to find hidden directories, we can see /simple. Let’s access it.

http://<ip>/simple

It’s a CMS website (CMS Made Simple). Just as we would for WordPress, let’s search for CVEs affecting this kind of framework. We are using Searchsploit.

searchsploit cms made simple

searchsploit

There are many exploits for this CMS. However, this machine is running CMS version 2.2.8, so we can use the SQL injection exploit, which works on versions under 2.2.10.

CMS version

Searching Google for the CMS SQLi exploit leads us to exploit-db.com, where there is a Python file for the attack. We can also see the CVE number there. So:

#3 CVE-2019-9053 is ans for question 3

#4 SQLi is ans for question 4

Download the file and run it. We will get the username and password to log in to this machine.

python 46635.py -u http://<ip>/simple --crack -w /path-to-wordlist

Wait for the Python script to run, and you will get the username and password!

Here I will give you the username: mitch. Password? Find it on your own! :D

Now let’s ssh to the machine using the credentials above.

#6 ssh is ans for question 6

Remember, ssh normally runs on port 22, but on this machine it runs on port 2222, so you must specify -p2222 in the ssh command.

ssh mitch@<ip> -p2222

Enter the password and you’re in! Now ls and cat the user.txt.

Now let’s cd to /home to see the other user. Here we are, he is: sunbath

#8 sunbath is ans for question 8

It’s time to check which commands we can use to get root! First, let’s check sudo.

sudo -l

Enter mitch’s password, and you can see mitch can run vim under sudo priv!

#9 vim is ans for question 9

Using vim to get root:

sudo vim -c '!/bin/bash'

Get root!

Now see the root.txt to get your final Flag!
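
From the defender's side, the sudo rule that let mitch run vim as root is the finding to catch in an audit. The following is an added example, not part of the original writeup or the room: it parses `sudo -l` output and flags rules for binaries that can spawn a shell. The `SHELL_ESCAPE` list and the sample output are constructed for illustration.

```python
import os
import re

# Binaries that can spawn a shell from inside the program (short, non-exhaustive, chosen here).
SHELL_ESCAPE = {"vim", "vi", "view", "nano", "less", "more", "man", "find",
                "awk", "env", "python", "python3", "perl", "ruby", "bash", "sh"}

# Constructed sample of `sudo -l` output; not captured from the room.
SAMPLE = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl status apache2, /usr/bin/less /var/log/syslog
    (root) NOEXEC: /usr/bin/vim /etc/motd
"""

RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) TAG: cmd, cmd"
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)+)")        # leading NOPASSWD:, NOEXEC:, ...

def audit(sudo_l_output):
    """Return one finding per sudo rule whose binary allows a shell escape."""
    findings = []
    for line in sudo_l_output.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # header lines, Defaults entries, blanks
        runas, tags = rule.group(1), set()
        for spec in re.split(r"(?<!\\),", rule.group(2)):
            spec = spec.strip()
            tag_match = TAGS.match(spec)
            if tag_match:  # a tag stays in effect until its opposite appears
                for t in re.findall(r"[A-Z_]+", tag_match.group(1)):
                    tags.discard(t[2:] if t.startswith("NO") else "NO" + t)
                    tags.add(t)
                spec = spec[tag_match.end():]
            if not spec:
                continue
            binary = os.path.basename(spec.split()[0])
            if binary in SHELL_ESCAPE or spec == "ALL":
                findings.append({
                    "runas": runas, "command": spec,
                    "nopasswd": "NOPASSWD" in tags,
                    # NOEXEC blocks the child shell, so downgrade rather than drop
                    "severity": "review" if "NOEXEC" in tags else "high",
                })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

When a user only needs to edit specific root-owned files, a `sudoedit` rule for those files avoids running the editor itself as root.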

The end.

HAPPY HACKING
