Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Post

SimpleCTF

Beginner Level CTF

Posted
Preview Image
By Samuel Katana
4 min read
SimpleCTF

Introduction

Hello guys, it has been quite some time since I made a CTF writeup and I figured it’s time to share some of my notes with you. Like many of you, I am a beginner and I am still learning and exploring stuff in cyber security. Just recently I got interviewed by CyberShujaa as I had applied to be a scholar in their program for the Security Analyst path. I am happy to say that I have been shortlisted for the program. As part of the admission process, I was required to try out this beginner-level CTF challenge and I thought it wise to take some notes while solving it. You can find the challenge here.

Disclaimer: The content presented in this article is for educational purposes only and does not endorse or encourage any form of unauthorized access or malicious activity.

SimpleCTF Challenge.

After clicking the start machine icon on the challenge webpage, you are presented with an IP of the vulnerable target, the first thing I normally do is to ping the target just to see if it is alive. ping_results

Since we have replies from the target we will now proceed to the next step of exploration.

Observations & Findings

We begin by scanning the target using the tool Nmap to find open ports running on it and also identify the services running on those ports. to do that, we use the command:

1
2

nmap -sV 10.10.64.42

Note If you’re following through the tutorial, make sure you use the target’s machine’s IP provided once you click the start machine icon on the challenge webpage. Here are the results from our scan.

nmap_results

Notice that we have three open ports.

  • Port 22 running ftp
  • Port 80 running HTTP
  • Port 2222 running SSH

Now we try accessing the webpage running on port 80 by pasting the IP and port number (80) for the service on the browser and we are welcomed with this page: apache

There is not much going on here so I decided to brute force the target’s website to see if I can find other web pages that might be helpful in this quest. For this, I use Gobuster using this command:

1
2

gobuster dir -u http://10.10.64.42:80 -w /usr/share/wordlists/directory-list-2.3-small.txt

Here are the results from the brute force attack: gobuster

We discover a directory /simple that we now visit on the browser and find this: website-simple When we scroll down to the footer of the webpage, we find something interesting: website-footer What comes to sight is the version number of the tool that was used to build this website. So I run a quick Google search about its vulnerabilities and possible exploits. It is discovered that CMS Made simple version 2.2.10 and below are vulnerable to SQL Injection. I found a good Python script that can be used to exploit this vulnerability here.

I download the script and try to run it to see its usage: exploit.

After seeing its usage, we can now decide the syntax to use for the exploit to work on the target depending on our needs. so we use the command:

1
2

python3 cmsexploit.py -u http://10.10.64.42:80 --crack -w /usr/share/wordlists/rockyou.txt

After running for a while we get the following output as shown below, and it contains:

  • The salt for the password some identified user
  • The user’s username
  • Their email address
  • Hashed password
  • The cracked password

exploited

Now that we have some credentials let’s try them out on another service that we found running on the target SSH. The command for logging in on ssh using the username and password that we found is:

1
2

ssh mitch@10.10.64.42 -p2222

Then type yes and accept to proceed and provide the acquired password. A successful login should land you at a terminal like this:

ssh_login

Solution/Flag

Now that we are logged in as Mitch I try to list the contents of his home directory and voila, we capture our first flag which is in the user.txt file.

userflag

I then try to go back to see if there is any other user on this machine and if I have access to their directory. I found another user sunbath but have no access to his directory. I moved back to another directory and tried to gain access to the root’s directory but again, I hit a wall. permission

I run the command:

1
2

sudo -l

to see what permissions Mitch has or what he can run as root without having to provide a password. The results: rootshell

We gain access to the root shell after finding out that he can access vim as root. To find the custom command to cater to your needs use this website. Now that we’re root, let’s confirm that and see if we have access to the root’s directory.

rootflag

Conclusion

In summary, this challenge underscores the significance of privilege escalation techniques for unearthing concealed data and vulnerabilities. By leveraging the use of tools and exploits, directory permissions, and sudo privileges, we elevate our access and seize the flags.

Remember, relentless learning and exploration are paramount to mastering hacking skills. Embrace the journey, and let the quest for knowledge fuel your hacking endeavors.

dr0idbot signing off.

Easy, TryHackMe, Gobuster, NMAP, ssh
TryHackMe Privilege Escalation Gobuster NMAP ssh
This post is licensed under CC BY 4.0 by the author.