Simple CTF is an easy machine with straightforward progression. There are no hidden or complicated steps, but it will mainly teach you how to use an exploit from Exploit-DB to gain access to a system.
Let's start by scanning the machine to see which ports are open:
nmap -sC -sV Machine_IP
Let's look at the results. Here we can see three services running on the machine:
- FTP service port 21
- Apache Service port 80
- SSH service port 2222
Now we can answer the following questions:
How many services are running under port 1000?
What is running on the higher port?
Now let's investigate the running services. Since there is an Apache service, let's start with it and open the website.
You should get the default Apache2 web page. Let's run gobuster against the site while we investigate the FTP service:
gobuster dir --url http://machine_IP --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z
While we wait for the results, let's connect to the FTP service, since anonymous login is enabled.
You will find a "pub" directory, and inside it a file named "ForMitch.txt" with the following contents:
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
Great, so we know the password is weak and crackable. Let's keep that in mind.
By now you should have the gobuster results (or wait until it finishes); you should see the following:
Let's access /simple, and you should get the following website.
While we investigate the source code and figure out which CMS this site runs, let's run gobuster against this page as well to see if there are any hidden pages that could help us (we won't actually use them, but the results are here in case they are needed):
gobuster dir --url http://machine_IP/simple --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z
While we are waiting for the gobuster results, let's check the CMS. It is called "CMS Made Simple", version 2.2.8 (you can see this in the footer of the website).
Let's check searchsploit for any vulnerabilities in this CMS:
searchsploit cms made simple 2.2.8 -w
and we get one result.
Let's open the URL and get the CVE number for the next question.
As you can see, the CVE is "2019-9053", but we need to prefix the number with "CVE-" for the answer, so it would be CVE-2019-9053.
What’s the CVE you’re using against the application?
To what kind of vulnerability is the application vulnerable?
Let's download the exploit to understand it and use it. Looking at the code, we can see that the exploit targets the following URL:
url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
Now, this code is written in Python 2, while Python 3 (along with pip3) is now the default on Linux, so we need to install pip for Python 2.7 in order to run the code. You could also use the 2to3 tool to convert the Python 2 code to Python 3, but that might not work.
You can install pip for Python 2.7 by running these commands (see the StackOverflow post):
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python2.7 get-pip.py
and you should get the following output
The exploit needs the target URL along with a wordlist in order to crack the password, so let's run it:
python2.7 46635.py -u http://10.10.6.98/simple/ --crack -w /usr/share/wordlists/rockyou.txt
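From the defender's side, the request pattern above is easy to spot in the web server logs: the exploit hammers the News module endpoint (`moduleinterface.php?mact=News,m1_,default,0`) with SQL metacharacters in an extra parameter. The following detector is an added example, not part of the original write-up or the exploit; the Apache access log lines it scans are constructed, and the extra parameter name in them is a placeholder.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Endpoint the CMS Made Simple exploit targets, taken from the url_vuln line shown above.
VULN_PATH = "/moduleinterface.php"
VULN_MACT = "News,m1_,default,0"

# Apache common/combined log prefix: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens a blind SQL injection probe typically carries in a parameter value.
SQLI_MARKERS = ("'", '"', "sleep(", "benchmark(", "union ", " or ", "and (", "--")

# Constructed sample log: one normal visit, two injection probes, one legitimate News request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /simple/ HTTP/1.1" 200 5123
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /simple/moduleinterface.php?mact=News,m1_,default,0&m1_param=1))+and+(select+sleep(1))--+ HTTP/1.1" 200 312
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /simple/moduleinterface.php?mact=News,m1_,default,0&m1_param=1%27+and+sleep(2)-- HTTP/1.1" 200 312
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /simple/moduleinterface.php?mact=News,m1_,default,0 HTTP/1.1" 200 4402
"""

def parse_line(line):
    """Split one access log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_sqli_probe(target):
    """True if the request hits the News module endpoint with SQL syntax in any extra parameter."""
    url = urlparse(target)
    if not url.path.endswith(VULN_PATH):
        return False
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if VULN_MACT not in params.get("mact", []):
        return False
    for name, values in params.items():
        if name == "mact":
            continue
        for value in values:
            lowered = unquote(value).lower()  # also catches double-encoded payloads
            if any(marker in lowered for marker in SQLI_MARKERS):
                return True
    return False

def scan_log(lines):
    """Return {client_ip: number_of_suspicious_requests} over the given log lines."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec and is_sqli_probe(rec["target"]):
            hits[rec["ip"]] = hits.get(rec["ip"], 0) + 1
    return hits

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG.splitlines()))  # {'10.0.0.9': 2}
```

A real run of the exploit produces hundreds of such requests from one client in a short window, so alerting on the per-source count is more reliable than on any single line.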
What’s the password?
Since we already got a hint that the user "Mitch" uses the same password for everything, we should be able to SSH into the machine with the same credentials.
Where can you login with the details obtained?
Let's connect to the machine through SSH as the user mitch with the password "secret":
ssh mitch@Machine_IP -p2222
and you should get a shell.
Now let's print user.txt (you can ls the directory first to find it).
What’s the user flag?
G00d j0b, keep up!
To check for other users, we can either list the directories in /home or read /etc/passwd. I will list the directories in /home since the output is cleaner.
Is there any other user in the home directory? What’s its name?
Now, to try to escalate privileges, let's check the basics by listing which programs we are allowed to run with sudo.
We get vim as the result.
What can you leverage to spawn a privileged shell?
Now let's run vim with sudo and get a shell using the command from GTFOBins:
sudo vim -c ':!/bin/sh'
and we have root access. Now we can check for the flag (usually in the root user's home directory).
What’s the root flag?
W3ll d0n3. You made it!
And we're done with this room. It was pretty simple and straightforward, but we got to use a new exploit to access the machine.