Beginner-level CTF (capture the flag).
This is the write-up for the room Simple CTF on TryHackMe. You can access the lab from here.
First we have to connect to the VPN, or use the AttackBox on the TryHackMe site, to reach the TryHackMe lab environment.
Deploy the machine; after that we will get the target system IP.
Now we will connect our VPN.
Once the machine is booted up we will move on to our sub-tasks.
The first is to check how many services are running under port 1000.
For this we have to run an Nmap scan. Before running the Nmap scan, let's first verify that we get a ping reply from the system.
nmap command: nmap -sC -sV -p- --min-rate=10000 -oN nmap 10.10.16.250
From the scan we can see that 3 ports are open: port 22, port 80 and port 2222.
Here we have the answer to our first question: there are 2 ports running under 1000.
Now moving to the next task, which is to find what is running on the higher port. We already have this from the Nmap scan: the higher port, 2222, is running SSH.
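Counting the open ports below 1000 and picking out the service on the highest port is easy to do by eye on three lines, but on a real scan it is worth scripting, and the same parser lets a defender flag services sitting on non-standard ports (SSH on 2222 here). The following is an added example, not code from the write-up or from TryHackMe; the Nmap -oN text it parses is a constructed sample shaped like the scan described above, with the version strings made up for illustration.

```python
import re

# Constructed sample of `nmap -oN` output, using the three ports the write-up reports.
# Version strings are invented for illustration; only the port/state/service columns matter here.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -sC -sV -p- --min-rate=10000 -oN nmap 10.10.16.250
Nmap scan report for 10.10.16.250
Host is up (0.045s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 (constructed sample)
80/tcp   open  http    Apache httpd 2.4 (constructed sample)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 (constructed sample)
Service Info: OS: Linux
"""

# A port line in -oN output looks like: "<port>/<proto>   <state>  <service> <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(nmap_text):
    """Return one dict per port whose STATE column is 'open'."""
    ports = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
    return ports


def count_ports_below(ports, limit=1000):
    """Task 1.1 style question: how many open ports are under a given number."""
    return sum(1 for p in ports if p["port"] < limit)


def highest_port_service(ports):
    """Task 1.2 style question: (port, service) for the highest open port, or None."""
    if not ports:
        return None
    top = max(ports, key=lambda p: p["port"])
    return top["port"], top["service"]


def flag_unexpected_services(ports, expected=None):
    """Defender check: any open port whose service does not match the expected
    port-to-service map (e.g. ssh answering on 2222) is returned for review."""
    if expected is None:
        expected = {22: "ssh", 80: "http", 443: "https"}  # assumed baseline for this host
    return [p for p in ports if expected.get(p["port"]) != p["service"]]


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    print("open ports:", [p["port"] for p in found])
    print("under 1000:", count_ports_below(found))
    print("highest:", highest_port_service(found))
    print("unexpected:", [(p["port"], p["service"]) for p in flag_unexpected_services(found)])
```

The baseline map in flag_unexpected_services is an assumption for this write-up's host; in practice it would come from the asset inventory, and anything not in it (SSH on 2222 here) is what an administrator should go and explain.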
Task 1.3:
The next task is to find the CVE (Common Vulnerabilities and Exposures) to use against the application.
For this we have to do a little enumeration, such as looking for information on the website, since port 80 is open. We visited the site directly and did not find any information, so we ran gobuster to check whether there is a hidden directory where we can find some information or a clue.
gobuster dir -u http://10.10.16.250/ -w /usr/share/dirb/wordlists/common.txt
From the above scan we found that there is a directory called simple, so we went to that directory.
So I scrolled through the website to check the version of the CMS and find out whether it has any CVE.
Any known vulnerability can be looked up with searchsploit, or searched for directly in Exploit-DB.
From the searchsploit result we can see that there is a CVE for this version of the CMS.
Now that we know the vulnerability, we can check the CVE number in Exploit-DB and get our answer for the task.
Thus we got the answer for our task: CVE-2019-9053.
Task 1.4:
The next task is to find the type of vulnerability the application is affected by. The CVE details, and the searchsploit result as well, say it is SQL injection, so the answer is SQLi.
First we can see that the file name is 46635.py.
So we will search for that exploit number in the database to find the exact location where it is.
Now it is copied to our root directory.
The next task is to get the user password. For this we used the script and got the username and password.
Now we will run this script to get the user ID and password. The command is:
python 46635.py -u http://10.10.16.250/ --crack -w /usr/share/seclists/Passwords/Common-Credentials/best110.txt
As shown above we have to run the script and wait for it to finish; it will take some time. Once it completes we will get our ID and password.
We got the username and password.
User: mitch
Password: secret
We completed our task of getting the user password.
The next task is to find where to use these login details. Since the scan showed port 22 open and running the SSH service, we use the ID and password we got by running the script.
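The exploit step above is what the injection looks like from the attacker's side; from the web server's side it leaves a trail of requests carrying SQL fragments (time-based blind injection in particular needs many requests with a delay function in them). The following is an added example, not code from the write-up or from the 46635.py exploit, that scans Apache combined-format access log lines for such indicators and groups hits by source address. The log lines and the query parameter names are constructed for illustration and are not the lab's real URLs.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines (not from the lab). The third line carries a
# time-based payload and the fourth a union-based one; the rest are ordinary browsing.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /simple/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /simple/index.php?page=news&id=12 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:40 +0000] "GET /simple/index.php?page=news&id=12))+and+(select+sleep(5))--+ HTTP/1.1" 200 1200 "-" "python-requests/2.25.1"
10.0.0.9 - - [01/Jan/2024:10:00:46 +0000] "GET /simple/index.php?page=news&id=12%27%20union%20select%201,2,3--%20 HTTP/1.1" 200 1200 "-" "python-requests/2.25.1"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /simple/index.php?page=news&id=13 HTTP/1.1" 200 4320 "-" "Mozilla/5.0"
"""

# Fields of the combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against the URL-decoded request target. Each is a (regex, label) pair;
# the labels are what an analyst sees in the finding.
SQLI_INDICATORS = [
    (re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b\s*\(?", re.I), "time-based delay function"),
    (re.compile(r"\bunion\b.{0,40}\bselect\b", re.I), "union-based select"),
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), "boolean tautology"),
    (re.compile(r"(--[\s+]|#\s*$|/\*)"), "SQL comment terminator"),
]


def scan_access_log(log_text):
    """Return one finding per request whose decoded target matches any indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote_plus(m.group("target"))  # payloads are usually URL-encoded
        hits = [label for rx, label in SQLI_INDICATORS if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": decoded,
                "user_agent": m.group("ua"),
                "indicators": hits,
            })
    return findings


def suspicious_sources(findings, threshold=2):
    """Source addresses with at least `threshold` flagged requests; blind injection
    tooling produces many such requests, so the count separates it from a one-off probe."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(h["ip"], h["user_agent"], h["indicators"], h["target"])
    print("sources over threshold:", suspicious_sources(hits))
```

On real traffic the patterns above produce some false positives (a search box containing the word "union", for instance), so the per-source count and the user agent are the fields to pivot on before raising an alert, and the durable fix is upgrading the CMS past the vulnerable version rather than tuning the log filter.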
ssh mitch@10.10.16.250 -p 2222
The next task is to find the user flag. For this we will have to get an interactive shell using a Python command, as the shell we got is unstable.
python -c 'import pty; pty.spawn("/bin/bash")'
Once we get an interactive shell we will search for the flag inside the folders.
As you can see, we got the user.txt flag.
The next task is to see whether any other user is present in the home directory. We went back to the home directory and found another user's folder, sunbath, present.
The next task is to leverage the account to spawn a privileged shell. For this we will check which application the user mitch is allowed to run with sudo (root) permission. Running sudo -l will give us the application name.
I searched for the possible sudo command in GTFOBins.
We can run the command:
sudo vim -c ':!/bin/bash'
We got this from GTFOBins.
Now we will move to our last task, which is to find the root flag.
I found the root flag.
I will check the IP and confirm that it is from the machine that was allotted to me.
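The privilege escalation above works only because sudo grants mitch an editor, and editors (like pagers, interpreters and many other binaries listed on GTFOBins) can spawn a shell from inside themselves. The following is an added example, not code from the write-up or from GTFOBins, of the check an administrator can run against `sudo -l` output to catch such rules before an attacker does. The `sudo -l` text it parses is a constructed sample shaped like the real command's output, with extra rules added so the audit has something to compare; the list of shell-escape binaries is a short assumed subset of the GTFOBins catalogue.

```python
import os
import re

# Short, assumed subset of binaries GTFOBins documents as able to spawn a shell under sudo.
# The real catalogue is far longer; this is enough to show the check.
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "nano", "less", "more", "man", "find", "awk", "python", "python3",
    "perl", "ruby", "bash", "sh", "env", "nmap", "tar", "zip", "ftp",
}

# Constructed `sudo -l` output for mitch (not captured from the lab). The vim rule
# matches what the write-up describes; the other two rules are added for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (ALL) /usr/bin/less
    (root) NOPASSWD: /usr/local/bin/backup.sh
"""

# A rule line: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(sudo_l_output):
    """Turn the rules section of `sudo -l` into a list of {runas, nopasswd, command}."""
    rules = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def audit_sudo_rules(rules):
    """Flag rules that hand out a shell: 'ALL', or a known shell-escape binary.
    NOPASSWD raises the severity because no credential is needed to use the rule."""
    findings = []
    for r in rules:
        name = os.path.basename(r["command"].split()[0])
        reason = None
        if r["command"] == "ALL":
            reason = "unrestricted ALL"
        elif name in SHELL_ESCAPE_BINARIES:
            reason = f"{name} can spawn a shell (see GTFOBins)"
        if reason is None:
            continue
        findings.append({
            "command": r["command"],
            "runas": r["runas"],
            "severity": "high" if r["nopasswd"] else "medium",
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    parsed = parse_sudo_rules(SAMPLE_SUDO_L)
    for f in audit_sudo_rules(parsed):
        print(f["severity"].upper(), f["runas"], f["command"], "-", f["reason"])
```

The remediation for a flagged editor rule is not a smarter filter but a different grant: `sudoedit` for editing a specific file, or a wrapper script that does exactly the one job, so that no binary with a built-in shell escape ever runs as root.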