Simple CTF
Reconnaissance
Let's start with an initial nmap scan to find open ports.
Detailed nmap scan (reconstructed from the flags listed below; <target-ip> stands for the machine's IP): nmap -sV -sC -p 21,80,2222 -oN nmap <target-ip>
Command breakdown:
(-sV): Detect service versions
(-sC): Run the default nmap scripts
(-p): Scan only ports 21, 80 and 2222
(-oN nmap): Save the output in normal format to a file called nmap
With this information we can answer the first two questions.
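The findings that drive the next steps (anonymous FTP login, the robots.txt entry, SSH on a non-default port) are easy to miss in a long listing, so a small parser for nmap's normal output is worth having. This is an added example and not part of the original writeup; the SAMPLE scan is constructed to look like the -sV -sC scan described above, and its service banners are placeholders rather than the target's real ones.

```python
"""Parse nmap normal output (-oN) and extract the findings that matter.

Added example, not from the original writeup. SAMPLE is a constructed
nmap -oN listing shaped like the scan described on the page; banners
are placeholders.
"""
import re

SAMPLE = """\
Nmap scan report for TARGET
Host is up (0.10s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ftpd (placeholder banner)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
80/tcp   open  http    httpd (placeholder banner)
| http-robots.txt: 1 disallowed entry
|_/openemr-5_0_1_3
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     sshd (placeholder banner)
Service Info: OS: Linux
"""

# "21/tcp   open  ftp     <banner>" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| ftp-anon: text" or "|_http-title: text" opens an NSE script block;
# later "| ..." / "|_..." lines continue the current block.
SCRIPT_START_RE = re.compile(r"^\|[_ ]?([\w.-]+): ?(.*)$")


def parse_nmap_normal(text):
    """Return a list of port dicts; each carries its NSE script output."""
    ports, current, script = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": {}}
            ports.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_START_RE.match(line)
        if m:
            script = m.group(1)
            first = m.group(2).strip()
            current["scripts"][script] = [first] if first else []
        elif script is not None:
            current["scripts"][script].append(line.lstrip("|_ ").strip())
    return ports


def triage(ports):
    """Turn parsed ports into (port, finding) tuples worth acting on."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        scripts = p["scripts"]
        if any("Anonymous FTP login allowed" in ln
               for ln in scripts.get("ftp-anon", [])):
            findings.append((p["port"], "anonymous FTP login allowed"))
        # First http-robots.txt line is the count; later lines hold the paths,
        # several per line when there is more than one entry.
        for ln in scripts.get("http-robots.txt", [])[1:]:
            for entry in ln.split():
                findings.append((p["port"], f"robots.txt disallows {entry}"))
        if p["service"] == "ssh" and p["port"] != 22:
            findings.append((p["port"], "ssh on a non-default port"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(parse_nmap_normal(SAMPLE)):
        print(f"{port}: {finding}")
```

Run it against a real file with `parse_nmap_normal(open("nmap").read())`; the same triage rules work for a defender checking that anonymous FTP or stray robots.txt entries are not exposed on their own hosts.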
Enumeration
Port 21
Let's start by enumerating FTP (port 21), since anonymous login is allowed.
After listing the contents, we can see a directory called pub, and inside it a file called ForMitch.txt. Let us transfer that to our machine using the get command.
After reading the file we transferred, we learn that Mitch set the password for the system user and that the password is weak.
Port 80
Let's visit the website.
It's the default Apache2 Ubuntu page, so let's look at robots.txt, since our nmap scan showed an entry of interest in it.
We can see that there is a directory called /openemr-5_0_1_3, so let's visit it.
It is not found, so now let's try finding hidden directories using a tool called Gobuster.
Command breakdown:
(-w): Specify the wordlist
(-u): Specify the target URL
The directory called /simple looks interesting, so let's visit it.
It's a CMS Made Simple application, and scrolling down a bit we can see its version.
Let's look for exploits for it using searchsploit.
It looks like a SQL injection exploit; let's use it against this machine.
Exploitation
Searching for this on Exploit-DB gives us the answers to questions 3 and 4.
Let's download the exploit.
Now let's launch it against the server, but first we need to make some changes to the script, since we are going to run this exploit with Python 3. First we need to add parentheses around the print statements.
[Screenshots: three before/after pairs showing the print lines edited to the print() form]
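Editing each print statement by hand is error-prone in a longer script, so here is a small converter for the plain Python 2 print forms these scripts use. This is an added example, not code from the writeup or from the exploit; SAMPLE is a constructed snippet, not the exploit's source. It wraps `print "text"`, `print "fmt" % args` and `print a, b`, leaves lines already using `print(...)` alone, and flags the two forms that wrapping alone cannot fix (a trailing comma, which in Python 2 suppresses the newline, and `print >>file, ...`).

```python
"""Convert Python 2 print statements to Python 3 print() calls.

Added example, not part of the original writeup or the exploit script.
Limitations: it does not understand multi-line strings, and its
parenthesis check ignores parentheses inside string literals.
"""
import re

# Matches a line whose statement is exactly `print` or `print <args>`;
# `printer = 1` and `print_x()` do not match because no space follows.
PRINT_RE = re.compile(r"^(\s*)print(?:\s+(.*?))?\s*$")

# Constructed sample in the style of an old Python 2 exploit script
SAMPLE = '''\
import sys
print "[+] starting"
for u in users:
    print "user: %s" % u
print >>sys.stderr, "oops"
print "done",
print("already fine")
'''


def _wrapped_in_parens(s):
    """True if s is one parenthesised group, e.g. `("x")` but not `(a) + (b)`."""
    if not (s.startswith("(") and s.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(s) - 1:
                return False
    return depth == 0


def convert_line(line):
    """Return the line rewritten as a print() call, or unchanged."""
    m = PRINT_RE.match(line)
    if not m:
        return line
    indent, args = m.group(1), m.group(2)
    if not args:
        return f"{indent}print()"
    if _wrapped_in_parens(args):
        return line  # `print ("x")` already works in Python 3
    return f"{indent}print({args})"


def convert_source(text):
    """Convert a whole file; returns (new_text, [(line_no, line), ...]).

    Lines with a trailing comma or the `>>file` form are left untouched
    and reported, since they need end="" or file= rewrites by hand.
    """
    out, warnings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = PRINT_RE.match(line)
        args = m.group(2) if m else None
        if args and (args.endswith(",") or args.startswith(">>")):
            warnings.append((n, line))
            out.append(line)
        else:
            out.append(convert_line(line))
    new = "\n".join(out)
    if text.endswith("\n"):
        new += "\n"
    return new, warnings


if __name__ == "__main__":
    converted, warns = convert_source(SAMPLE)
    print(converted)
    for n, line in warns:
        print(f"line {n} needs manual attention: {line}")
```

The standard `2to3` tool does the same job more thoroughly; this version is just enough to see what the edit actually changes and to catch the cases where a bare wrap would alter behaviour.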
Now we can run the exploit with some options: the target URL (-u), a wordlist to crack the password (-w), and the option telling the exploit to crack the password (-c), all described in the exploit.
We found the password: secret. Sometimes this exploit does not work, so we can also try cracking the password using a tool called hydra.
Now we can SSH into the machine using these credentials.
Privilege Escalation
For privilege escalation, one of the first commands we run is sudo -l, which tells us what we are allowed to run on the machine.
We are allowed to run /usr/bin/vim as root, so we can visit GTFOBins, a site that lists commands which help escalate privileges.
Search for vim on the site and look at the sudo section, since we are allowed to run /usr/bin/vim as root.
After you type the first command, you are root.
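The root cause here is a sudoers entry that hands an interactive editor to root, which is exactly the kind of line an administrator should catch before a box is exposed. Below is an added example, not from the original writeup, that parses `sudo -l` output and flags such entries. SAMPLE is a constructed listing in the format sudo prints, with a made-up hostname; the flagged binaries are limited to the vim family discussed on the page, and a real audit would check every entry against the full GTFOBins sudo list.

```python
"""Audit `sudo -l` output for entries that amount to a root shell.

Added example, not part of the original writeup. SAMPLE is constructed
(hostname and the extra entries are invented); only the vim family
discussed on the page is flagged as a shell escape.
"""
import re

SAMPLE = """\
Matching Defaults entries for mitch on simple-ctf:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User mitch may run the following commands on simple-ctf:
    (root) /usr/bin/vim
    (root) NOPASSWD: /usr/bin/id
    (ALL : ALL) ALL
"""

# "(runas_user[ : runas_group]) [TAG:] command [args][, command ...]"
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s+(.*)$")
# Subset of sudoers tags; a tag applies to the command it precedes and
# to later commands on the same line until overridden.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
# Editors from the page that can spawn a shell when run as root
SHELL_ESCAPE = {"vim", "vi", "vim.basic", "vim.tiny"}


def parse_sudo_l(text):
    """Return one dict per command: runas spec, active tags, command line."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags = m.group(1).strip(), set()
        for cmd in m.group(2).split(", "):
            cmd = cmd.strip()
            while True:  # peel off any leading TAG: prefixes
                head, sep, tail = cmd.partition(":")
                if sep and head.strip() in TAGS:
                    tags.add(head.strip())
                    cmd = tail.strip()
                else:
                    break
            entries.append({"runas": runas, "tags": set(tags), "command": cmd})
    return entries


def audit(entries):
    """Return (reason, command) pairs for entries a reviewer should question."""
    findings = []
    for e in entries:
        runas_user = e["runas"].split(":")[0].strip()
        as_root = runas_user in ("root", "ALL")
        prog = e["command"].split()[0] if e["command"] else ""
        name = prog.rsplit("/", 1)[-1]
        if as_root and e["command"] == "ALL":
            findings.append(("unrestricted sudo", e["command"]))
        elif as_root and name in SHELL_ESCAPE:
            findings.append(("editor runnable as root can spawn a shell", e["command"]))
        if "NOPASSWD" in e["tags"]:
            findings.append(("no password required", e["command"]))
    return findings


if __name__ == "__main__":
    for reason, command in audit(parse_sudo_l(SAMPLE)):
        print(f"{reason}: {command}")
```

Feed it the real output with `parse_sudo_l(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)`; the fix for a flagged editor entry is to grant a narrower command (or a wrapper script) instead of the editor itself.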