Simple CTF — TryHackMe — Writeup
Hello everyone, I’m Rahmos. Here is my SimpleCTF — Tryhackme writeup. Check it out!
First, we use nmap to enumerate what ports this machine is opening.
nmap -sC -T5 -Pn -vv <ip>
As we can see, it’s opening FTP(21), Apache(80) and SSH(2222).
#1 So the first ans is 2 services is running under port 1000.
#2 ssh is running on the higher port
Next, to ans question 3, we need to find out what CVE is this machine vulnerable to. But first let’s try login to FTP as anonymous to see any valuable.
Not much we can use here. So let’s use another tool called Dirbuster.
After using Dirbuster to find hidden dir, we can see a /simple. Let’s access to this.
http://<ip>/simple
It’s a CMS website. Just like Wordpress, let’s search for CVE of this kind of framework. We are using Searchsploit.
searchsploit cms made simple
There are so many exploits of CMS. However, this machine is runinng CMS verison 2.2.8. so we can use SQL injection exploit, which is available with version under 2.2.10.
Search Google for CMS SQLi exploit, it leads us to a website exploit-db.com, which there is a python file to attack. Also we can see the CVE number. So:
#3 CVE-2019–9053 is ans for question 3
#4 SQLi is ans for question 4
Download the file and run. We will get the username and password to login to this machine.
python 46635.py -u http://<ip>/simple — crack -w /path-to-wordlist
Wait for the python script to run, and you will get the username and password!
Here i will give you the username: mitch. Password? Find it your own! :D
Now let’s ssh to the machine using the credentials above.
#6 ssh is ans for question 6
Remember, ssh is normally running under port 22, but this machine is running under port 2222, so you must specify -p2222 in ssh command.
ssh mitch@<ip> -p2222
Enter the password and you’re in! Now ls and cat the user.txt.
Now let’s cd to /home to see the other user. Here we are, he is: sunbath
#8 sunbath is ans for question 8
It’s time to check for which cmd we can use to get root! First let’s check sudo
sudo -l
Enter mitch’s password, and you can see mitch can run vim under sudo priv!
#9 vim is ans for question 9
Using vim to get root:
sudo vim -c ‘!/bin/bash’
Now see the root.txt to get your final Flag!
The end.
HAPPY HACKING