TryHackMe — SimpleCTF Writeup
Start the machine
Task 1 : Simple CTF
How many services are running under port 1000?
A simple nmap scan will show the results.
Ans: 2
What is running on the higher port?
From the scan, it is clear that SSH is running on port 2222.
Ans : ssh
What’s the CVE you’re using against the application?
This was quite tricky. I was not finding any clue, so I fired up DirBuster.
Now, I navigated to this page and then, after a lot of searching, I found out that it was powered by CMS version 2.2.8.
Now, after I searched for the CVE in this version, here it was. This version is vulnerable to SQL injection.
So,
ANS : CVE-2019-9053
To what kind of vulnerability is the application vulnerable?
From here, it is clear that it is vulnerable to SQL injection. But putting “sql” won’t work, as the full name is SQL injection.
ANS: sqli
What’s the password?
Now this also gave me some problems, so I tried to dig in more. From the nmap scan, we found out that the “FTP” port is open, so let’s log in.
This file here seems a bit useful.
We cannot read the file here, so download it.
Let’s read the file; maybe we can get some clues from there.
Reading the file, it has some clues. We know that the password is weak, so let’s brute-force it. There is an SSH port open as well, so let’s try to brute-force that.
Since the filename is ForMitch.txt, let’s hope the username is “Mitch”,
so we pass this username and rockyou.txt in the password field.
We found the password !!
Ans : secret
Where can you login with the details obtained?
It is obvious: SSH.
ANS : SSH
What’s the user flag?
We have the password and the username, so let’s dig deeper and log in via SSH.
Here, after opening the file, it says “good job”, so this is the flag.
ANS: G00d j0b, keep up!
Is there any other user in the home directory? What’s its name?
Go to the home directory and look.
ANS: sunbath
What can you leverage to spawn a privileged shell?
Judging by the question, we have to escalate our privileges.
So let’s see what commands we can run with sudo.
Here, we can see that we can run “vim” as root with no password.
So,
ANS: vim
Vim is a powerful tool. Using it, we can also run system commands. By passing the “-c” flag, we can have Vim run a command on startup, including any system command.
So if we run vim under sudo with the -c flag, we can run any command with root privileges.
Doing so is tedious: it opens up vim every time and is difficult to navigate, so let’s fire up a bash shell.
Now we get the bash shell, and it is easier to navigate here.
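A defender-side check for the sudo misconfiguration used above, as an added example that is not part of the original writeup: it parses `sudo -l` style output and flags rules that let a user run a shell-capable program (such as vim) or any command as root. The sample output, the host name, the `audit` function and the list of shell-capable programs are assumptions constructed for illustration.

```python
import os
import re

# Programs that can start a shell or run other commands from inside
# themselves. Assumed, non-exhaustive list chosen for this example.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "awk", "find",
                 "python", "python3", "perl", "ruby", "bash", "sh"}

# Constructed sample of `sudo -l` output (host name is made up).
SAMPLE = """\
User mitch may run the following commands on examplehost:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl status nginx, /usr/bin/less /var/log/syslog
    (ALL : ALL) NOPASSWD: ALL
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^((?:[A-Z_]+:\s*)+)")  # leading tags such as NOPASSWD:

def audit(sudo_l_output):
    """Return findings as dicts: runas, command, nopasswd, reason."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header and blank lines carry no rule
        rest = m.group("rest")
        tags = TAG.match(rest)
        nopasswd = bool(tags and "NOPASSWD:" in tags.group(1))
        if tags:
            rest = rest[tags.end():]
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue  # only rules that grant root are of interest here
        # Simplification: commands are split on commas (escaped "\," ignored).
        for cmd in filter(None, (c.strip() for c in rest.split(","))):
            if cmd == "ALL":
                reason = "any command"
            elif os.path.basename(cmd.split()[0]) in SHELL_CAPABLE:
                reason = "shell-capable program"
            else:
                continue
            findings.append({"runas": runas_user, "command": cmd,
                             "nopasswd": nopasswd, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A rule flagged with `nopasswd` set is the case from this room: no password is asked before the program starts as root.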
What’s the root flag?
Navigate to the root folder, and there we see root.txt. View the file and we will get the flag.
ANS: W3ll d0n3. You made it!
Congratulations!!