InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


TryHackMe | Simple CTF | Walkthrough | By HexaHunter

Greetings, everyone! Today will be taking an in depth look at the TryHackMe Simple CTF room, which has a little bit of everything and is a great CTF for a beginner. I’m designing these walkthroughs to keep myself motivated to learn cyber security and to make sure that I remember the knowledge gained by THM’s rooms. Come along with me as I learn cyber security, and I’ll try to explain concepts as I go to set myself apart from other walkthroughs.

Have fun in the room!

Let’s begin with nmap, which I always run before entering a room.

2 ports are open

From our results, we can see ports 21 (FTP), 80 (HTTP), and 2222 (SSH) are open.

How many services are running under port 1000?

2

What is running on the higher port?

SSH

There is a lot of useful information here. We can observe that anonymous FTP login is allowed, that there is a robots.txt file with disallowed entries, and, most importantly for us, that SSH is available.


Note that anonymous login for FTP is allowed. Let’s see if we can access any sensitive information via FTP.

Well, I did not change my directory; there is nothing really interesting in the note. Moving on to port 80: as we previously discovered that port 80 is running the HTTP service, we will use the Firefox browser, so open a new tab and enter your target machine’s IP. This brings up an “Apache2 Ubuntu Default Page”. Not too exciting.

Next, we can use “gobuster” to scan the website for any additional pages.

gobuster result

Using the big wordlist we supplied, gobuster was able to find there is a webpage at “/simple”. Let’s try browsing to it now and see what we find.

CMS system
CMS version 2.2.8.

This seems interesting: it opens up a CMS system. Quickly reading through the page we can see that it is Simple CMS version 2.2.8.

Running a quick Google search, or a search on exploit-db.com, for known exploits associated with this version shows that there is indeed an exploit. This will help us answer Q3 and Q4.

In our results, we see a page on Exploit-DB that matches our search and refers to a SQL injection vulnerability tracked as CVE-2019-9053.

What’s the CVE you’re using against the application?

CVE-2019-9053

To what kind of vulnerability is the application vulnerable?

SQLi

Exploitation

To exploit this vulnerability, all we really need to do is download the script right from Exploit-DB and run it. Alternatively, if you’re using Kali or ParrotOS (as I am), the script is already located at:

/usr/share/exploitdb/exploits/php/webapps/46635.py.

I will be downloading the script and moving it to the directory that I am working from.

Pro tip: Reading the script can tell us a lot about how to run it. Here’s a snippet from the beginning of the script:

The script wants us to provide three options:

  • -u: Target URI, or the URL to the website we will be attacking
  • -c: Crack, whether we want the script to attempt to crack any hashes it finds (which we do)
  • -w: Wordlist, specifies a wordlist to use for cracking. I will be using rockyou.txt

Let’s try running this script in python as-is:

python3 46635.py -u http://10.10.192.40/simple -c -w /usr/share/wordlists/rockyou.txt

Bingo! We got a username and a cracked password returned from the exploit.
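The exploit above works by sending SQL injection probes against the CMS over HTTP, which means every attempt lands in the web server’s access log. As an added defender’s-side example (not part of the room or the Exploit-DB script), the following Python flags requests whose query string carries a database time-delay primitive, the building block of a time-based blind SQLi, and counts them per source address. The log lines are constructed for the example; the /simple/ path is the CMS location found in the room, but the query strings are illustrative probes, not the script’s real requests.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" access-log line, e.g. from /var/log/apache2/access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Time-delay primitives a blind SQLi probe relies on (MySQL, PostgreSQL, MSSQL).
DELAY_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)

# Constructed sample lines (not real traffic from the room). The third line is
# double URL-encoded, which a naive single decode would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2024:10:01:01 +0000] "GET /simple/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Mar/2024:10:01:02 +0000] "GET /simple/index.php?page=1%29%20and%20sleep%283%29%23 HTTP/1.1" 200 412 "-" "python-requests/2.28"
10.0.0.9 - - [05/Mar/2024:10:01:06 +0000] "GET /simple/index.php?page=1%2529%2520and%2520benchmark%25285000000%252cmd5%25281%2529%2529%2523 HTTP/1.1" 200 412 "-" "python-requests/2.28"
10.0.0.7 - - [05/Mar/2024:10:01:07 +0000] "GET /simple/news/ HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

def decode_target(target):
    """URL-decode up to twice so double-encoded payloads are normalised too."""
    once = unquote_plus(target)
    return unquote_plus(once) if "%" in once else once

def find_delay_probes(log_text):
    """Return (ip, decoded request target) for every request carrying a delay primitive."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        if DELAY_RE.search(decoded):
            hits.append((m.group("ip"), decoded))
    return hits

def probes_per_ip(log_text):
    """Count probes per source address so a burst from one host stands out."""
    return Counter(ip for ip, _ in find_delay_probes(log_text))

if __name__ == "__main__":
    for ip, target in find_delay_probes(SAMPLE_LOG):
        print(f"{ip}  {target}")
    print(probes_per_ip(SAMPLE_LOG))
```

A time-based blind injection needs many requests per extracted character, so the per-IP count rising quickly on one path is the stronger signal; a single keyword hit can be a false positive.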

What’s the password?

secret

Where can you login with the details obtained?

SSH

Using the username and password we discovered we can now try to SSH on port 2222 into the target machine.

Now if we run ls we see the “user.txt” file, and we read it for our first flag!

user.txt flag 1 🏴

What’s the user flag?

G00d j0b, keep up!

Next let’s check if any other users have home directories.

Is there any other user in the home directory? What’s its name?

sunbath

Privilege Escalation

On to privilege escalation! First I like to start off by running “sudo -l” to see what my current user can run.

We can see the user “mitch” can run /usr/bin/vim without a password. With that information, let’s check out GTFOBins and see if we can use that for privesc.

Looks like if we run this command here we can escalate our privileges!
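The misconfiguration here is a sudo rule that lets a user run an editor with a documented shell escape as root, without a password. As an added example from the defender’s side (not part of the room, and not a GTFOBins tool), the following Python parses `sudo -l` output and flags rules whose binary appears in a list of GTFOBins shell-escape entries, marking whether NOPASSWD applies. The `sudo -l` text is constructed to match what the walkthrough describes for user mitch, and the binary list is an illustrative subset.

```python
import re

# Binaries GTFOBins documents as able to break out to a shell when run under sudo.
# Constructed subset for this example; extend it from GTFOBins for a real audit.
SHELL_ESCAPE_BINS = {"vim", "vi", "less", "more", "find", "awk", "nano", "python3", "perl", "env"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] /path/cmd [args][, /path/cmd2 ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Constructed `sudo -l` output in the shape the walkthrough describes (user mitch, vim).
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update
"""

def audit_sudo_l(text):
    """Return one finding per allowed command that can spawn a shell as the runas user."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":").upper() for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            # "ALL" means any command, which is at least as bad as a known escape.
            if binary == "ALL" or binary in SHELL_ESCAPE_BINS:
                findings.append({
                    "runas": m.group("runas").strip(),
                    "command": cmd,
                    "binary": binary,
                    "nopasswd": "NOPASSWD" in tags,
                })
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        auth = "without a password" if f["nopasswd"] else "with a password"
        print(f"{f['command']} runs as {f['runas']} {auth}: shell escape documented on GTFOBins")
```

The fix on the target side is to drop the rule, or to restrict it to a binary without shell escapes (for example `sudoedit`) rather than the full editor.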

What can you leverage to spawn a privileged shell?

vim

The ‘#’ prompt already indicates that we have root privileges, but we still run the ‘whoami’ command to show off.

That was successful! The room is finished; all we need to do now is grab the root flag.

root.txt final flag

What’s the root flag?

W3ll d0n3. You made it!

Congrats!

Overall, the room was simple but effective in teaching us how to use Gobuster and Nmap, investigate vulnerabilities till we find one that works for us, look into GTFOBins, then escalate to root to obtain the last flag.

Check out my other TryHackMe walkthroughs:

My LinkedIn Profile:

https://www.linkedin.com/in/momal-naz/



Written by Momal Naz

Bug Hunter | EHE Certified | CNSP Certified | Jr. Penetration Tester | OSINT Enthusiast
