Simple CTF - TryHackMe Writeup
The link for this lab is located here: https://tryhackme.com/room/easyctf
This room is designed for beginners and mimics a CTF-like scenario including basics like port scanning, enumeration, SQL Injection and even some simple privilege escalation tactics.
Full Walkthrough
The first step is to run a simple Nmap port scan with the following parameters:
-p- for all ports
10.10.39.55 (target IP)
-oN allports.scan (outputs to the normal Nmap format)
This reveals 3 ports - FTP, HTTP and port 2222 running something called EtherNetIP-1. In order to get more information, a more detailed scan can be conducted to enumerate things like software running, versions, and potential operating system.
Immediately, I see that anonymous FTP login is allowed. This can be very dangerous. The first step is to connect to FTP and see if anything valuable can be downloaded or enumerated from the FTP share.
In this case, FTP seems a bit weird and won’t accept many commands. Additionally, there aren’t really any useful files to check either. For right now, it seems to be a dead end.
Moving on, a website is always a good thing to check out.
Here, the website is a default Apache2 web page. There’s nothing of use on the main page. Looking back at the Nmap scan, it found a hidden directory titled that we can navigate to.
However, it seems that this is either a false positive, doesn’t exist anymore or requires some sort of credentials. For now, we can keep it in the back pocket just in case.
At this point, it’s a good idea to run a directory busting tool to try and find any potential directories. My go-to tool for this is Feroxbuster with the “common.txt” wordlist which works incredibly well for initial scanning.
As always, robots.txt is an interesting file to look at first. It may reveal hidden directories that are not present in the chosen wordlist.
Checking robots.txt, we see the directory Nmap was able to pull that we cannot access. At the bottom of robots.txt there is an interesting string that looks like an end-of-file marker, but it ends in “mike” - could this be a potential username?
Looking back at the Feroxbuster results, the /simple directory stands out as a non-standard one. Let’s check it out.
Here, we see a website titled “CMS Made Simple”. This seems like a default template for a Content Management System (CMS). It’s a good idea to try and enumerate the version running either in the source code or on the page itself.
Here, scrolling down to the bottom reveals the version to be CMS Made Simple 2.2.8. Knowing this, we can Google for any potential existing vulnerabilities or exploits that we can run against this application.
The first result fits our version (2.2.8) and appears to be a SQL injection. Let’s dig further.
Looking at this exploit, it seems to be an unauthenticated SQL injection, which is good. Additionally, it is a Python script that can optionally take a wordlist to attempt to crack the password, or be run without one.
Downloading this code and trying to execute it using the given example with Python3 produces an error.
This error is not as scary as it looks. Seeing that it is missing parentheses for a print statement, you can immediately assume that this script is written in Python2: print is a function in Python3 and requires parentheses, whereas Python2’s print statement does not.
Trying to run it with Python2 allows the program to run.
For the wordlist, I chose to use best15.txt from SecLists as a starting base. If needed, we could use a larger wordlist.
However, this wordlist seems to work and after a few minutes, we get the resulting information:
Using blind SQL injection, the script tests the stored values one character at a time, identifying which characters are valid and which are not throughout the whole string, and produces very useful information:
Salt - 1dac0d92e9fa6bb2
Username - mitch
Email - admin@admin.com
Password - 0c01f4468bd75d7a84c7eb73846e8d96
The password seems to be a hash. Using the hash-identifier program, we can find which algorithm was used to generate this hash.
This tells us that the hash is MD5. Knowing this, we can take the hash and use Hashcat with the wordlist of rockyou.txt to attempt to crack the hash.
Almost instantly, the password is cracked and we get a cleartext password of secret.
Now that we have credentials, think about where we could possibly use them. You could possibly use them in the web app, but something else that stands out to me is the SSH port.
Password reuse is incredibly common in the real-world and in CTFs so attempting to SSH in with the credentials is a good idea.
It works! The credentials gave us an SSH shell running as mitch. In order to generate a more stable and cleaner shell, we can spawn a BASH shell using Python3:
With this shell, we can start to enumerate the machine and grab the user.txt flag in /home/mitch.
A starting point for privilege escalation is looking for easy wins - sudo privileges provide that. We can check the sudo privileges.
Immediately we see that the user is able to run Vim as root with no password. With this information, we can use the GTFOBins website to see if it’s possible to escalate using this program through sudo.
There is a section for Vim on GTFOBins. Knowing this, we can scroll down to the Sudo section and see how to escalate.
For Vim, it is possible to spawn a BASH shell with sudo privileges as it does not drop elevated privileges. With this knowledge, we can execute the following code and spawn a BASH shell running as root.
We are root! Finally, we can navigate to /root and grab the root.txt flag to complete this room.
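The sudo misconfiguration abused above (an editor runnable as root with NOPASSWD) is something an administrator can audit for directly. The following is an added example, not code from the original writeup: it parses sudoers-style rule lines such as those printed by `sudo -l` and flags rules that grant root a shell-capable binary. The sample `sudo -l` output, the hostname and the list of shell-capable binaries are all constructed assumptions for this example (the list is a small hand-picked subset, not a full GTFOBins catalogue).

```python
"""Audit sudo rules for root-level access to shell-capable binaries.

Added example; not part of the original writeup. Sample input below is
constructed to resemble `sudo -l` output for the user found on the box.
"""
import re

# Binaries that can hand the caller an interactive shell (assumed subset).
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "python", "python3",
                 "perl", "awk", "find", "bash", "sh"}

# Matches "(root) NOPASSWD: /usr/bin/vim" and "(ALL : ALL) ALL" style rules.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample; "Machine" is a placeholder hostname.
SAMPLE_SUDO_L = """
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update
    (ALL : ALL) ALL
"""


def parse_rule(line):
    """Return runas user, tag set and command list for one rule line, or None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",")]
    return {"runas": m.group("runas").strip(), "tags": tags, "cmds": cmds}


def risky_rules(lines):
    """Flag rules that run ALL, or a shell-capable binary, as root."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        runs_as_root = rule["runas"].split(":")[0].strip() in ("root", "ALL")
        for cmd in rule["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]  # "/usr/bin/vim" -> "vim"
            if runs_as_root and (cmd == "ALL" or binary in SHELL_CAPABLE):
                findings.append({"line": line.strip(), "binary": binary,
                                 "nopasswd": "NOPASSWD" in rule["tags"]})
    return findings


if __name__ == "__main__":
    for f in risky_rules(SAMPLE_SUDO_L.splitlines()):
        print(("NOPASSWD " if f["nopasswd"] else "") + f["line"])
```

On a real host, feed it `sudo -l` output or the rule lines from `/etc/sudoers` and `/etc/sudoers.d/*`; a NOPASSWD hit on an editor is the finding that makes this room trivial.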