TryHackMe: Simple CTF Walkthrough
Simple CTF is a beginner-level box from TryHackMe that tests your skills on basic web enumeration, vulnerability research, and some basic Linux privilege escalation. In my case, the machine lives at 10.10.115.53.
As usual, please attempt this room for yourself first before reading this walkthrough. Good luck!
Scanning & Enumeration
Let’s start with a quick nmap scan:
nmap -sCV 10.10.115.53
This gives us the answers to a couple of questions:
Question 1: How many services are running under port 1000?
Answer: 2
Ports 21 (FTP) and 80 (HTTP) are both open.
Question 2: What is running on the higher port?
Answer: SSH
We can see SSH running on port 2222 (non-default, so if we want to connect via SSH, we’ll have to specify this port).
Note that anonymous FTP login is allowed; let’s see if we can access any sensitive information via FTP:
We can see a directory on the FTP server, but we are unable to cd into it, so its contents are out of reach.
Moving on to port 80, let’s take a look at that website:
Just a standard Apache default page, nothing for us here. But could it be running something behind the scenes? Let’s fire up gobuster and see if it can find anything interesting:
gobuster dir -u http://10.10.115.53 -w /usr/share/wordlists/dirb/big.txt
Checking robots.txt does not lead anywhere; it only points to a non-existent directory. But this /simple directory looks interesting:
Bingo, we have a website we can look at! Scrolling down to the bottom of the page, we do have a version number that we can research:
So we’re looking at CMS Made Simple v2.2.8. Googling this one leads us to an ExploitDB article for anything under CMSMS v2.2.10.
Looks like a Python script that we can download and run to automatically exploit a SQL Injection vulnerability. I won’t go into exactly what this script is doing, or how an SQLi works in this post, but this is definitely a winner!
Question 3: What’s the CVE you’re using against the application?
Answer: CVE-2019-9053
Question 4: To what kind of vulnerability is the application vulnerable?
Answer: SQLi
CVE-2019-9053 is an unauthenticated SQL injection vulnerability found in CMS Made Simple versions 2.2.9 and lower. This script has the capability to query the website’s backend database for sensitive information such as usernames, emails, password hashes, and salts.
Exploitation
To exploit this vulnerability, all we ideally need to do is download the script right from ExploitDB and run it. Optionally, if you’re using Kali or ParrotOS (as I am), the script is located in /usr/share/exploitdb/exploits/php/webapps/46635.py.
I will be downloading the script and moving it to the directory that I am working from.
Pro tip: Reading the script can tell us a lot about how to run it. Here’s a snippet from the beginning of the script:
The script wants us to provide three options:
- -u: Target URI, or the URL to the website we will be attacking
- -c: Crack, whether we want the script to attempt to crack any hashes it finds (which we do)
- -w: Wordlist, specifies a wordlist to use for cracking. I will be using rockyou.txt
Let’s try running this script in python as-is:
For some reason, I have had a lot of trouble getting this script to run with python, so I’ve had to make some minor changes to it so that I could run it with python3:
- Changed the shebang at the top to #!/usr/bin/env python3
- Added parentheses around calls to print
- Removed the colored parameter on the call to print on line 183
Now we’ll try running it in python3:
python3 46635.py -u http://10.10.115.53/simple -c -w /usr/share/wordlists/rockyou.txt
It will take a few minutes to run, just let it do its thing, maybe go make yourself some popcorn in the meantime, and check on it in a few minutes.
About 7 minutes later…
Well, it still didn’t run through completely even with those changes, but it did return some very useful information! We now have a username, what appears to be an MD5 hash, and a salt for the password.
There are a couple of ways we can attempt to gain access with this information:
1) Crack the salted password with hashcat.
Hashcat hash modes 10 and 20 allow us to supply a salt alongside an MD5 hash:
I will be placing both the salt and the hash into the same file (crackme_salt.txt) in the format hash:salt to use module 10 to attempt to crack it:
hashcat -m 10 -a 0 crackme_salt.txt /usr/share/wordlists/rockyou.txt
Looks like hashcat couldn’t crack this one either (mode 20 also didn’t work). But there is one more thing we can try:
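To make clear what the two modes actually compute, here is an added example of my own (not part of the original walkthrough): mode 10 is md5(password + salt) and mode 20 is md5(salt + password), and the helper reads the same hash:salt line format used above. The hash and salt in the sample are constructed, not the values from the box.

```python
import hashlib


def salted_md5(password, salt, mode):
    """Reproduce hashcat's two salted-MD5 compositions:
    -m 10 is md5($pass.$salt), -m 20 is md5($salt.$pass)."""
    if mode == 10:
        data = password + salt
    elif mode == 20:
        data = salt + password
    else:
        raise ValueError("mode must be 10 or 20")
    return hashlib.md5(data.encode()).hexdigest()


def matching_mode(hash_salt_line, candidate):
    """Given a 'hash:salt' line (the crackme_salt.txt format), return the
    mode under which `candidate` reproduces the hash, or None if neither."""
    digest, salt = hash_salt_line.strip().split(":", 1)
    for mode in (10, 20):
        if salted_md5(candidate, salt, mode) == digest.lower():
            return mode
    return None


# Constructed sample line: built here from a known password and a made-up
# salt so the check can be demonstrated offline; not the box's hash.
SAMPLE_SALT = "1dac0d92e9fa6bb2"
SAMPLE_LINE = salted_md5("secret", SAMPLE_SALT, 20) + ":" + SAMPLE_SALT

if __name__ == "__main__":
    print(matching_mode(SAMPLE_LINE, "secret"))   # 20: salt-then-password
    print(matching_mode(SAMPLE_LINE, "password")) # None
```

Because the salt sits at a fixed position, a hash produced one way never matches a candidate hashed the other way, which is why both modes have to be tried when the application's hashing order is unknown.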
2) Brute force SSH login with Hydra
Remember how we found that username mitch before? We can use that to brute force the login with Hydra:
hydra -l mitch -P /usr/share/wordlists/rockyou.txt ssh://10.10.115.53:2222 -t 4
Success! We have a username of mitch and a password of secret!
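From the defender's side, a burst like the one Hydra produces is easy to spot in sshd's auth log. The following is an added example (mine, not from the original post) that counts failed logins per source and user over constructed sample log lines and raises an alert when the threshold is reached, plus a second alert when that same source then authenticates successfully.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not captured from the box): a burst of
# failures for one user from one source, then a success, then unrelated noise.
SAMPLE_AUTH_LOG = """\
Mar  3 12:00:01 simple sshd[1201]: Failed password for mitch from 10.10.14.5 port 41000 ssh2
Mar  3 12:00:01 simple sshd[1202]: Failed password for mitch from 10.10.14.5 port 41001 ssh2
Mar  3 12:00:02 simple sshd[1203]: Failed password for mitch from 10.10.14.5 port 41002 ssh2
Mar  3 12:00:02 simple sshd[1204]: Failed password for mitch from 10.10.14.5 port 41003 ssh2
Mar  3 12:00:03 simple sshd[1205]: Failed password for mitch from 10.10.14.5 port 41004 ssh2
Mar  3 12:00:03 simple sshd[1206]: Failed password for invalid user admin from 10.10.14.5 port 41005 ssh2
Mar  3 12:00:04 simple sshd[1207]: Accepted password for mitch from 10.10.14.5 port 41006 ssh2
Mar  3 12:05:00 simple sshd[1300]: Failed password for mitch from 192.168.1.20 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze_auth_log(text, threshold=5):
    """Return alerts as (kind, ip, user, failures_so_far).
    'bruteforce' fires once when failures for one (ip, user) reach the
    threshold; 'success_after_failures' fires when a source that already
    failed at least once then logs in successfully."""
    failures = defaultdict(int)
    flagged = set()
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] == threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", m["ip"], m["user"], failures[key]))
        elif failures[key] > 0:
            alerts.append(("success_after_failures", m["ip"], m["user"], failures[key]))
    return alerts


if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_AUTH_LOG):
        print(alert)
```

Moving SSH to port 2222 did not hide the service from the nmap scan above, so a rate limit or lockout on failed logins is the control that actually matters here.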
Question 5: What is the password?
Answer: secret
Question 6: Where can you log in with the details obtained?
Answer: SSH
Let’s see if this gets us onto the machine:
ssh mitch@10.10.115.53 -p 2222
Bingo! We are now logged in to the machine as the user “mitch”!
Question 7: What is the user flag?
Answer: cat user.txt and you’ll find out ;)
Question 8: Is there any other user in the home directory? What’s its name?
Answer: Climb up to the home directory and issue the ls command and find out!
Privilege Escalation
First of all, run /bin/bash to upgrade to a full, more stable bash shell:
The next thing I like to do is run sudo -l to see what commands I’m allowed to run with sudo:
Question 9: What can you leverage to spawn a privileged shell?
Answer: vim
According to this, we are able to use sudo to run the text editor vim as root with no password.
This is good for us since vim has the ability to run system commands.
Using the -c flag, vim will execute any command we give it before opening its own interface, and a command prefixed with ! is handed to the shell. Here’s a good example:
As you can see, we are easily able to run system commands as root through vim this way.
So what if we were to run '!/bin/bash'? Would it spawn a root shell?
Let’s find out :D
sudo vim -c '!/bin/bash'
We are root, and this box is officially PWN3D!
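The root cause here is a sudo rule that lets a user run an editor with a built-in shell escape as root. As an added example (mine, not from the original post), this script parses constructed sudo -l output in the layout sudo prints and flags rules whose binary can drop to a shell; the set of such binaries is my own short list, not an exhaustive one.

```python
import re

# Constructed sample of `sudo -l` output (not captured from the box), in the
# layout sudo prints: Defaults, a "may run" header, then one rule per line.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get update
"""

# Binaries that can hand the caller a shell or run arbitrary commands from
# inside themselves (my short list for this example, not an exhaustive one).
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "nano", "less", "more", "man", "find", "awk",
    "perl", "python", "python3", "env", "bash", "sh",
}

# Rule line layout: (runas) [TAG: ...] command, e.g. "(root) NOPASSWD: /usr/bin/vim"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Return the permitted-command rules from `sudo -l` output as dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m["runas"].strip(),
                          "nopasswd": "NOPASSWD:" in m["tags"],
                          "cmd": m["cmd"].strip()})
    return rules


def audit_sudo_rules(rules):
    """Flag rules whose binary can escape to a shell: (cmd, runas, nopasswd)."""
    findings = []
    for r in rules:
        first = r["cmd"].split()[0]
        if first == "ALL" or first.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
            findings.append((r["cmd"], r["runas"], r["nopasswd"]))
    return findings


if __name__ == "__main__":
    for cmd, runas, nopasswd in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd} as {runas}" + (" without a password" if nopasswd else ""))
```

Run against each user's sudo -l output, this turns the vim finding from this box into a routine check: the fix is to grant a purpose-built command (or sudoedit for file edits) rather than an interactive editor.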
Question 10: What is the root flag?
Answer: cat /root/root.txt and get it yourself!
I hope you found this walkthrough helpful! Happy Hacking!
-Derek