Simple CTF Walkthrough — TryHackMe

G N Vivekananda
5 min read · May 27, 2021

Dear friends, let us solve challenges in the Simple CTF box present in the below link.

https://tryhackme.com/room/easyctf

Note: You will see two different IPs because I did the challenges at two different times. Every time we start the THM machine, the IP changes.

1. Start the VPN you have downloaded and deploy the TryHackMe machine first. Ping the machine to check that it is up. We then need to run an Nmap scan against the machine to learn which ports are open and which services are operational on those ports. I am going to use an aggressive Nmap scan (-A).

nmap -A -sC -Pn 10.10.89.35

Nmap Scan Results showing port no’s

On analyzing the above Nmap scan, we get to know the number of open ports and the services running on the host. So we have 2 services running under port 1000, and an SSH service running on the higher port: we can see that SSH is listening on port 2222.
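As an added example (not part of the original post), a small Python parser over a constructed excerpt in Nmap's normal-output format, answering the room's first two questions the way the scan is read above. The excerpt is constructed to resemble this scan; it is not the author's actual output, and version strings are left out.

```python
import re

# Constructed excerpt in Nmap normal-output format, shaped like the scan in
# step 1 of this walkthrough. The filtered 443 line is there only to show
# that non-open ports are ignored; it is not a finding from the room.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.89.35
Host is up (0.025s latency).
Not shown: 996 filtered ports
PORT     STATE    SERVICE
21/tcp   open     ftp
80/tcp   open     http
443/tcp  filtered https
2222/tcp open     ssh
"""

# One port line: "<port>/<proto>  <state>  <service> [version...]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_open_ports(text):
    """Return (port, proto, service) tuples for every port Nmap reports open."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state") == "open":
            found.append((int(m.group("port")), m.group("proto"), m.group("service")))
    return found


def answer_questions(text, threshold=1000):
    """Count open services below the threshold and name the ones at or above it,
    which is exactly how the first two room questions are answered by hand."""
    ports = parse_open_ports(text)
    low = [p for p in ports if p[0] < threshold]
    high = [p for p in ports if p[0] >= threshold]
    return {
        "under_threshold": len(low),
        "higher_port_services": [f"{p[2]} on {p[0]}/{p[1]}" for p in high],
    }


if __name__ == "__main__":
    print(answer_questions(NMAP_OUTPUT))
```

The same parser works on a saved `nmap -oN` file, so the counting step is reproducible rather than read off a screenshot.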

2. We see that anonymous FTP login is allowed. Let's try to log in and see if we can find anything.

ftp 10.10.89.35

FTP login check

It seems we don't get anything from the FTP login. So let's move forward and access the machine's IP in a web browser, as our Nmap scan shows a web service running on port 80.

URL check for information

3. We need to dig a little deeper and find any hidden directories. For that, let's use gobuster or OWASP DirBuster, which find hidden directories by requesting names from a wordlist and checking the responses. Start gobuster and check the results.

gobuster dir -u http://10.10.89.35/ -w /usr/share/dirb/wordlists/common.txt

gobuster scan to find hidden folders and directories

4. Now, let's explore the hidden directories we found. Let's check out robots.txt first, as it might give us some information.

10.10.89.35/robots.txt

Checking robots.txt file for information

5. It looks like robots.txt does not give us anything. There is one more interesting directory, named simple, and it returned a valid web response code. Let's check this directory.

10.10.89.35/simple/

checking simple URL for information

6. Accessing the simple directory, we come to know that it hosts a Content Management System (CMS). Let's find out more about this CMS. We are going to use searchsploit to check whether any known vulnerabilities exist for this software.

searchsploit cms made simple

7. Looking at the searchsploit results, we find plenty of vulnerabilities. The question asked in the challenge is the CVE number. Searching further for the CMS, we came across Exploit-DB, which showed the CVE number associated with this vulnerability. Comparing that with the searchsploit data, I decided to go for the SQL injection vulnerability; I simply googled 46635.py. So the application is vulnerable to SQL injection.

search result for vulnerability in exploit DB

8. Now, let's exploit the vulnerability and see if we can find the username and password. I am going to use the exploit found via searchsploit. Navigate to the directory where the exploit is stored on your filesystem and run it with the parameters shown below. Wait a while, and you will get the username and password.

Note: If you get an error about the termcolor module, run "pip install termcolor" and then run the command below again.

python 46635.py -u http://10.10.155.134/simple/ --crack -w /usr/share/wordlists/rockyou.txt

username and password found

9. The above exploit gives us the username and password. Now that we have them, remember that our Nmap scan results also pointed to the SSH service running on port 2222, so let's try logging in to the machine over SSH on port 2222.

ssh -p2222 mitch@10.10.155.134

SSH login using credentials

10. In this task, we have to find the user flag. Listing the contents of the home directory, we find our user flag as shown below. We also find two users here: mitch and sunbath.

user flag revealed and checking for users

11. If you can't gain root access directly from this login, try the hint given in the last line of the task, which mentions vim. Search GTFOBins for "vim sudo". Let's find a way to escalate our privileges by seeing what mitch is allowed to do. We come to know that the user mitch can run vim with sudo, so we can use vim to escalate our privileges.

Finding GTFO bins for the vim sudo command

12. Let's run vim through sudo to get a bash shell and escalate our privileges. Now we can navigate to the root directory and find our final flag.

Gaining root access and root flag information
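From the defender's side, steps 11 and 12 come down to one sudoers rule that hands an interactive editor to a user. As an added example (not part of the original post), here is a small Python audit that parses user-specification lines from a constructed sudoers excerpt and flags editors GTFOBins documents as shell-capable; the excerpt, including the rule for mitch, is an assumption modelled on what the walkthrough implies, not the room's real configuration.

```python
import re
from os.path import basename

# Editors GTFOBins lists as able to spawn a shell under sudo; extend to taste.
SHELL_CAPABLE_EDITORS = {"vim", "vi", "view", "vimdiff", "nano", "emacs"}

# Constructed sudoers excerpt for illustration only (assumption, not the box's
# real /etc/sudoers). 'bob' shows the safer pattern: sudoedit, not an editor.
SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim   # what step 11 implies
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(root) sudoedit /etc/nginx/nginx.conf
"""

# user  host=(runas) [TAG:] command[, command...]
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_user_specs(text):
    """Return one dict per command granted by a user-specification line."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = re.sub(r"\b(NOPASSWD|PASSWD|SETENV|NOEXEC):\s*", "", cmds)
        for cmd in (c.strip() for c in cmds.split(",")):
            specs.append({"who": m.group("who"), "runas": m.group("runas") or "root",
                          "command": cmd, "nopasswd": nopasswd})
    return specs


def audit(specs):
    """Flag rules whose command is a shell-capable editor ('ALL' is reviewed separately)."""
    findings = []
    for s in specs:
        first = s["command"].split()[0]
        if first != "ALL" and basename(first) in SHELL_CAPABLE_EDITORS:
            findings.append(s)
    return findings
```

Replacing such a rule with sudoedit (as in bob's line) lets the user edit a specific file without ever running the editor as root.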

Done!!!!!! Let us see the answers to the challenge questions now.

How many services are running under port 1000?

2 [From Step 1]

What is running on the higher port?

ssh [From Step 1]

What's the CVE you're using against the application?

CVE-2019-9053 [From Step 7]

To what kind of vulnerability is the application vulnerable?

sqli [From Step 7]

What's the password?

secret [From Step 8]

Where can you log in with the details obtained?

ssh [From Steps 1 & 9]

What's the user flag?

G00d j0b, keep up! [From Step 10]

Is there any other user in the home directory? What's its name?

Sunbath [From Step 10]

What can you leverage to spawn a privileged shell?

Vim [From Step 11]

What's the root flag?

W3ll d0n3. You made it! [From Step 12]

Thank you very much for reading. I hope you find this useful, and if there is something you would like to add, or any suggestions, you can contact me anytime.

Happy Hacking!
