This will be my 3rd write-up. Thank you so much for taking the time to read! Today we’ll be looking at the “Simple CTF” on TryHackMe. I started with an nmap scan appending the -sC option to take advantage of the default scripts on nmap, and -sV for information on the service versions of the open ports we find. That way it’s easier to find exploits later!
First thing we see is the FTP service allowing anonymous logins, mental note taken. I follow up with a gobuster scan on the HTTP port and find this login page after browsing through it!
Ok, we have a login page, but we don't have a clue what the username could be to run wordlists against. Maybe we should access the FTP server and see what we can find!
Awesome! We found a file named “ForMitch.txt” in the pub directory; let's grab it using the “get” command and then exit!
Ha! So it seems we’re not the first ones to have accessed this network: someone is going in on Mitch for his weak password! However, this is a great opportunity for us because we now have a username and a login page. Let the cracking begin with Hydra!
Hydra is a password cracking tool. Since we’ll be cracking an HTTP login we need a few things: a user list, a password list, and the service we’re attempting to crack, followed by the path to the login, the request payload, and the message we receive when we make an invalid attempt.
The user list we’ll make will have mitch, Mitch, root, and admin as usernames. The password list we’ll be using will be rockyou.txt, and the service is of course http. Now we need three things, which are the method, the request, and the invalid login prompt.
To find these, we open the browser's inspector tools, click the Network tab, and send a login attempt on our page. After this we see the method, named “POST”, and the incorrect login prompt. Next up we have to find our request payload!
To the bottom right we navigate to the “Request” tab and copy the request payload, which is “username=mike&password=sad&loginsubmit=Submit”. In our Hydra command we’ll replace “mike” with ^USER^ and “sad” with ^PASS^. Now we’re ready to crack our login!
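As an added, defender-side example that is not part of this write-up: a login form being hammered the way described above shows up in the web server's access log as a burst of POSTs to the login path from one client. The script below parses Apache-style "combined" log lines and flags any client exceeding a threshold of login POSTs within a sliding window. The log lines, the IPs, the path /login.php and the thresholds are constructed sample data and assumptions of mine, not logs from the machine. It counts every POST to the login path, not just non-200 responses, because (as the Hydra failure-string step shows) a rejected login here still returns a 200 page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce(lines, login_path="/login.php", window_seconds=60, threshold=10):
    """Map client IP -> peak number of login POSTs seen within any window_seconds span,
    for clients whose peak reaches threshold. Status codes are ignored on purpose:
    many login pages answer a failed attempt with 200 and an error message."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?", 1)[0] == login_path:
            attempts[ip].append(ts)

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        j = 0          # left edge of the sliding window
        peak = 0
        for i, ts in enumerate(stamps):
            while (ts - stamps[j]).total_seconds() > window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic (assumed, not captured): one client firing twelve login
    POSTs in 33 seconds, one ordinary user with two attempts, and an unrelated GET."""
    fmt = ('{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
           '"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="10.0.0.5", sec=s, method="POST", path="/login.php", status=200)
             for s in range(0, 36, 3)]
    lines.append(fmt.format(ip="192.168.1.20", sec=5, method="POST", path="/login.php", status=200))
    lines.append(fmt.format(ip="192.168.1.20", sec=40, method="POST", path="/login.php", status=302))
    lines.append(fmt.format(ip="10.0.0.5", sec=50, method="GET", path="/index.php", status=200))
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforce(build_sample_log()).items():
        print(f"{ip}: {peak} login POSTs inside a 60 s window")
```

On a real server you would feed it the access log (`find_bruteforce(open("/var/log/apache2/access.log"))`) and tune the window and threshold to your normal login rate; the same sliding-window count works for any path, so the check generalises to API token endpoints as well as HTML forms.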
Awesome!! We’ve acquired credentials for Mitch, let's go!
After some navigating I see we’re running an old version of the CMS!
I opened up a browser and googled cms 2.2.8 exploit. I found the CVE Python script from the site!
Since I already had credentials for Mitch I didn't proceed with the SQL injection. I was only required to find the CVE for the initial exploit, and I remembered the open SSH port from our scan, so I tried them there!
Voilà! We have user status and the flag! From here we escalate privileges. I type sudo -l to check our permissions.
It says here we can run /usr/bin/vim as root, perfect! I navigate to GTFOBins, which is a great priv esc resource to aid in attaining root, and found this!
From here I paste this into my terminal.
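As an added example, not from the write-up and not GTFOBins' own code: the sudo rule found with `sudo -l` is exactly what a defender should be looking for before an attacker does. The script below reads sudoers-style rules and flags entries that grant binaries GTFOBins documents as shell escapes (vim among them) or unrestricted `ALL`. The sample sudoers text is constructed by me and is not the machine's real file; the binary set is a short, hand-picked selection and should be extended from GTFOBins for real use. It handles the plain `user HOST=(runas) [TAG:] cmd` form only; aliases, `#include` directives and negated commands are out of scope, so for a full picture compare against `sudo -l -U <user>` output.

```python
import os
import re

# Short selection of binaries whose sudo entries GTFOBins documents as shell escapes.
# vim is the one this box exposed; extend the set from GTFOBins as needed.
SHELL_ESCAPE_BINS = {"vim", "vi", "less", "more", "find", "awk", "python", "python3",
                     "perl", "man", "env", "nmap"}

# user  HOST=(runas) [TAG:] cmd[, cmd...]   (host must not swallow the '=')
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)

# Constructed sample; this is NOT the target's real sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
mitch    ALL=(root) NOPASSWD: /usr/bin/vim   # the rule sudo -l showed in the write-up
backup   ALL=(root) NOPASSWD: /usr/bin/id, /usr/bin/less
www-data ALL=(root) /usr/bin/uptime
"""


def _strip_tags(cmd):
    """Split leading TAG: prefixes (NOPASSWD:, SETENV:, ...) off a command entry."""
    tags = []
    while True:
        m = re.match(r'^([A-Z_]+):\s*', cmd)
        if not m:
            return tags, cmd
        tags.append(m.group(1))
        cmd = cmd[m.end():]


def parse_sudoers(text):
    """Return a list of (user, runas, command, nopasswd) for each command granted."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False  # in sudoers a tag stays in force for every later command in the list
        for entry in m.group("cmds").split(","):
            tags, cmd = _strip_tags(entry.strip())
            if "NOPASSWD" in tags:
                nopasswd = True
            elif "PASSWD" in tags:
                nopasswd = False
            if not cmd:
                continue
            rules.append((m.group("user"), m.group("runas") or "root", cmd, nopasswd))
    return rules


def audit_sudoers(text):
    """Return (user, command, nopasswd, reason) for rules worth a second look."""
    findings = []
    for user, runas, cmd, nopasswd in parse_sudoers(text):
        if user == "root":
            continue  # root running commands as root adds no privilege
        if cmd == "ALL":
            findings.append((user, cmd, nopasswd, f"unrestricted sudo as {runas}"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINS:
            findings.append((user, cmd, nopasswd,
                             f"{binary} can break out to a root shell (see GTFOBins)"))
    return findings


if __name__ == "__main__":
    for user, cmd, nopasswd, reason in audit_sudoers(SAMPLE_SUDOERS):
        pw = "no password" if nopasswd else "password required"
        print(f"{user:10} {cmd:20} [{pw}] {reason}")
```

Running it over the constructed sample reports the %sudo group's unrestricted rule, mitch's passwordless vim, and backup's passwordless less, while /usr/bin/id and /usr/bin/uptime pass; the fix for the flagged entries is to grant a wrapper script that does the one needed task, or to drop the rule, rather than the editor or pager itself.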
We have successfully owned this machine, thank you so much for reading!