Simple CTF

Last updated 3 years ago

Reconnaissance

Let's start with an initial nmap scan to find open ports.

nmap -Pn 10.10.221.224

Detailed nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Scan only ports 21, 80 and 2222

  • (-oN nmap): Save the output to a file called nmap

nmap -sC -sV -p 21,80,2222 -oN nmap 10.10.221.224

With this information we can answer the first two questions.

Enumeration

Port 21

Let's start by enumerating FTP (port 21), since anonymous login is allowed.

ftp 10.10.221.224 

After listing the contents, we can see a directory called pub, and inside it a file called ForMitch.txt. Let's transfer it to our machine with the get command.

get ForMitch.txt

Reading the file we transferred, we learn that Mitch set the password for the system user and that the password is weak.

cat ForMitch.txt

Port 80

Let's visit the website.

It's the default Apache2 Ubuntu page, so let's visit robots.txt, since our nmap scan showed an entry of interest there.

We can see that there is a directory called /openemr-5_0_1_3, so let's visit it.

It is not found, so let's try to find hidden directories with a tool called Gobuster.

Command breakdown:

  • (-w): Wordlist to use

  • (-u): Target URL

gobuster dir -w /usr/share/wordlists/dirbuster/common.txt -u http://10.10.221.224

The directory called /simple looks interesting, so let's visit it.

It's a CMS Made Simple application, and scrolling down a bit we can see its version.

Let's look for exploits for it using searchsploit.

searchsploit cms made simple 2.2.8

It looks like a SQL injection exploit, so let's use it against this machine.

Exploitation

Searching for it on exploit-db gives us the answers to questions 3 and 4.

Let's download the exploit.

searchsploit -m php/webapps/46635.py

Before launching it against the server we need to make some changes to the script, since we are going to run it with python3. First we need to add parentheses around the print statements.

(Before/after screenshots of the three script edits are not reproduced here.)

Now we can run the exploit with its options: the target URL (-u), a wordlist for cracking the password (-w), and the flag telling the exploit to crack the password (-c), all documented in the exploit.

python3 46635.py -u http://10.10.221.224/simple -w /usr/share/wordlists/rockyou.txt -c

We found the password: secret. Sometimes this exploit does not work, so we can alternatively try to crack the password with the tool hydra.

hydra -l mitch -P /usr/share/wordlists/rockyou.txt 10.10.221.224 http-post-form "/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect"
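From the defender's side, the hydra step above leaves a burst of POSTs to /simple/admin/login.php in the Apache access log, one per password guess. As an added example (not part of the original writeup), this Python script flags any client that sends ten or more such POSTs within a minute; the log lines it parses are constructed samples, not logs from the box.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log prefix: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)

def detect_login_bruteforce(log_text, path="/simple/admin/login.php", threshold=10, window_s=60):
    """Flag clients that POST to the login form at least `threshold` times within any
    `window_s`-second window (one POST per password guess). Returns {ip: total_posts}."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path:
            posts[rec[0]].append(rec[1])
    flagged, window = {}, timedelta(seconds=window_s)
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log (not from the page): one client fires 12 login POSTs
# in three seconds; another views the site and makes a single login attempt.
def _line(ip, sec, method, path):
    return f'{ip} - - [12/Mar/2021:10:01:{sec:02d} +0000] "{method} {path} HTTP/1.1" 200 2310 "-" "Mozilla/5.0"'

SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", 0, "GET", "/simple/"),
     _line("10.0.0.5", 30, "POST", "/simple/admin/login.php")]
    + [_line("10.0.0.9", 1 + i // 5, "POST", "/simple/admin/login.php") for i in range(12)]
)

if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG))  # {'10.0.0.9': 12}
```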

Now we can SSH into the machine using these credentials.

ssh mitch@10.10.221.224 -p 2222

Privilege Escalation

For privilege escalation, one of the first commands we run is sudo -l, which lists the commands we are allowed to run with sudo on this machine.

sudo -l

We are allowed to run /usr/bin/vim as root, so we can visit GTFOBins, a site that lists commands which help escalate privileges. Search for vim on the site and look at the sudo section.

After you type the first command, you are root.

sudo vim -c ':!/bin/sh'
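From the hardening side, the misconfiguration this box relies on is a sudo rule that lets a user run an interactive editor as root. As an added example (not part of the original writeup), this Python script parses sudoers rules or sudo -l output and flags rules granting ALL or vim-family editors as root, pointing to sudoedit as the replacement; the sudo -l output it checks is constructed, not the box's real output.

```python
import re
from os.path import basename

# Simplified sudoers user specification: user host=(runas) [TAG:] cmd[, cmd ...]
RULE_RE = re.compile(r"^(?P<user>[\w%.+-]+)\s+(?P<host>[\w.-]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# Editors that can start a shell from inside the editor (vim and its common aliases).
SHELL_CAPABLE_EDITORS = {"vim", "vi", "vim.basic", "vim.tiny"}

def parse_rule(line, user="current_user"):
    """Parse one sudoers rule or one `sudo -l` output line; None if it is not a rule."""
    line = line.split("#", 1)[0].strip()
    if line.startswith("("):            # `sudo -l` prints rules without the "user host=" prefix
        line = f"{user} ALL={line}"
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = (m["runas"] or "root").split(":")[0].strip() or "root"
    tags = {t.rstrip(":") for t in m["tags"].split()}
    cmds = [c.strip().split()[0] for c in m["cmds"].split(",") if c.strip()]
    return {"user": m["user"], "runas": runas, "tags": tags, "cmds": cmds}

def audit_sudo_rules(text, user="current_user"):
    """Return findings for rules that let `user` run ALL or a shell-capable editor as root."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line, user)
        if not rule or rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["cmds"]:
            if cmd == "ALL" or basename(cmd) in SHELL_CAPABLE_EDITORS:
                findings.append({
                    "user": rule["user"], "cmd": cmd,
                    "nopasswd": "NOPASSWD" in rule["tags"],
                    "fix": "narrow to specific commands" if cmd == "ALL" else "use sudoedit instead",
                })
    return findings

# Constructed `sudo -l` style output (not the box's real output): a Defaults line containing "=", the weak vim rule, and two acceptable rules.
SAMPLE_SUDO_L = """\
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User mitch may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim
    (root) sudoedit /etc/hosts
    (root) /bin/systemctl restart apache2
"""

if __name__ == "__main__":
    print(audit_sudo_rules(SAMPLE_SUDO_L, user="mitch"))
```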