EasyCTF : THM Writeup

SVR Aravind
6 min read, May 17, 2021

A beginner-level Capture The Flag (CTF) that challenges beginners to solve a variety of tasks using available tools and to hack into a server to steal data. In this post, a course task from HackerU: RED Team Pentester, I will show the steps I followed to get the flag.

Basic checks to perform before attacking the machine.

1. Power on the target machine and make a note of its IP address.

2. Start your Kali virtual machine.

3. Connect to the TryHackMe OpenVPN.

# OPEN VPN COMMAND

4. Check connectivity to the target machine from the attacker PC (Kali VM).

# Input the target machine IP address.

Nmap (Network Mapper): Enumeration

Enumeration is the process of extracting machine names, network resources, shares and services from a system.

An Nmap scan is the first step I use against the target machine most of the time. -A enables OS detection, version detection and script scanning; -sV probes open ports for service and version info. Use -vv to increase the verbosity level.

# nmap -A -vv -sCV <Target Machine IP>

Discovered open ports:

21 (FTP, anonymous login allowed)

80 (HTTP open)

2222 (SSH open)

Target Machine OS Detection:

# Target Machine Running Linux Operating System

For the first (1st) question, how many ports are open under 1000, the answer is two (2): as we can see from the nmap output, only 2 ports under 1000 are open.

For the second (2nd) question, what service is running on the higher port (2222): it is SSH.

From the Network Mapper scan, it was identified that FTP anonymous login was allowed. I will check whether I am able to FTP into the target machine, as it does not require any password.

# ftp <Target Machine IP>

I am able to log in using the ftp command with the username anonymous. Type "dir" or "ls -lsa" at the prompt. You will find a directory pub. Change directory to pub and you will find a text file ForMitch.txt. From the filename, it can be assumed that Mitch is a username, and we can brute-force with the rockyou wordlist to get the password.

# ftp <Target Machine IP>
# cat ForMitch.txt

The contents of ForMitch.txt indicate that it is an easy password that can be cracked in seconds, and it confirms that Mitch is one of the users. We will use "hydra" to crack the password with the rockyou.txt wordlist. I still haven't used "dirbuster", which I plan to do after cracking the password for Mitch in order to answer the other questions.

# hydra -l mitch -P /usr/share/wordlists/rockyou.txt <Target Machine IP> -s 2222 ssh -t 4

In hydra, -l is the username or login name, in our case "mitch"; -P loads multiple passwords from a text file; -s is the port on which you want hydra to attempt cracking the password; the service is ssh; and -t 4 runs four tasks in parallel.

# Password for Mitch Cracked

Now that we have the SSH password for Mitch, I was able to answer questions five (5) and six (6). For the 6th question the answer is SSH.

Q5) What's the password? {Mitch's password is the answer}

Q6) Where can you log in with the details obtained?
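A password-guessing run like the hydra command above leaves a very recognisable trail in the target's sshd log: a burst of "Failed password" lines from one source followed by an "Accepted password". The following detector is an added example (not part of the original post); the log lines are constructed to resemble syslog-style sshd output, and the threshold and window values are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not captured from the room's machine);
# many failures then a success from one source is what a brute-force run leaves behind.
SAMPLE_LOG = """\
May 17 10:01:01 easyctf sshd[1201]: Failed password for mitch from 10.0.0.5 port 51002 ssh2
May 17 10:01:02 easyctf sshd[1203]: Failed password for mitch from 10.0.0.5 port 51004 ssh2
May 17 10:01:02 easyctf sshd[1205]: Failed password for mitch from 10.0.0.5 port 51006 ssh2
May 17 10:01:03 easyctf sshd[1207]: Failed password for mitch from 10.0.0.5 port 51008 ssh2
May 17 10:01:04 easyctf sshd[1209]: Failed password for invalid user admin from 10.0.0.5 port 51010 ssh2
May 17 10:01:05 easyctf sshd[1211]: Accepted password for mitch from 10.0.0.5 port 51012 ssh2
May 17 10:05:00 easyctf sshd[1300]: Accepted publickey for sunbath from 10.0.0.9 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd(log_text, year=2021):
    """Parse syslog-style sshd lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=4, window_seconds=60):
    """Flag each source IP with >= threshold failures inside window_seconds, noting any later success."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_seconds]
            if len(window) >= threshold:
                last_fail = window[-1][0]
                success = next((e[2] for e in evs if e[1] == "Accepted" and e[0] >= last_fail), None)
                alerts[ip] = {"failures": len(window), "users": sorted({e[2] for e in window}),
                              "success_after": success}
                break
    return alerts
```

Feeding a real /var/log/auth.log through parse_sshd and detect_bruteforce would flag the attacking host, the accounts it tried, and whether the guessing ended in a successful login.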

Now I will run gobuster to check whether any interesting directories are visible. I found only two directories, /simple and /server-status. Status code 403 means the server understands the request but refuses to authorize it; status code 301 means the requested URL has moved to a different location.

# gobuster dir -u http://10.10.46.174 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60

In the browser I will type <Target Machine IP>/simple. The server responded with a CMS page. If you scroll to the bottom of the page you can find the CMS version. I could not find anything in the page source.

CMS Version

Copy the CMS version and, using Google, you can find that CMS version 2.2.8 is vulnerable to SQL injection; the CVE is CVE-2019-9053, which answers the following questions.

Q3) What's the CVE you're using against the application?

Q4) To what kind of vulnerability is the application vulnerable?

Now I need to gain access to retrieve the user flag. I have the username and password, and using SSH I was able to log in successfully.

# ssh mitch@<Target Machine IP> -p 2222

Type "ls -lsa" at the prompt and you will find user.txt. I was able to get the flag from user.txt.

# cat .bash_history

I usually look into important folders, or anything that looks unique, to see whether any information will be useful to gain access. You can see in the history that there is a command "sudo -l".

Before I try to gain root access, I need to find out who the other user in the directory is. It is "sunbath".

# Other User “sunbath”

To gain root access, since I already have access to the machine, I could transfer LinPEAS to check for all known vulnerabilities that could lead to root. However, before attempting that I first run the command "sudo -l" to check whether something interesting is displayed on the screen. There are other commands that can also be executed, but the basic command "sudo -l" is what was taught to me as part of the course at HackerU.

The next important thing taught to me at HackerU is to refer to GTFOBins for any commands that could help gain root access. In GTFOBins, type "vim" in the search bar and it immediately shows the command that can be used to gain root access.

# https://gtfobins.github.io/gtfobins/vim/

Copy the command and enter it in the shell. The command opens VIM and gives root access.
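The root cause here is a sudo rule that lets a user run a shell-capable editor as root, which is exactly the kind of entry an administrator should catch when reviewing "sudo -l" or the sudoers file. The audit below is an added example (not from the original post); the "sudo -l" output is constructed, and the list of binaries treated as shell-capable is an assumption drawn from common GTFOBins categories, not a complete list.

```python
import re

# Constructed sample output in the format "sudo -l" prints (not captured from
# the room's target machine).
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on easyctf:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on easyctf:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl status ssh
    (ALL : ALL) ALL
"""

# Binaries whose sudo entries deserve review because they can spawn a shell or
# write arbitrary files when run as root (assumed subset of GTFOBins entries).
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "bash", "sh"}

# "(runas) TAG: TAG: /path/to/command args" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")

def audit_sudo_rules(text):
    """Return (command, reason) findings for risky rules in sudo -l output."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # rules follow this header line
            continue
        if not in_rules:
            continue                 # skip the Defaults section
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        if cmd == "ALL":
            findings.append((cmd, "unrestricted command set"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            reason = "shell-capable binary"
            if "NOPASSWD" in m["tags"]:
                reason += " without password"
            findings.append((cmd, reason))
    return findings
```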

# root access

I was able to navigate to the root directory and get the root flag.

And there we have it. Nice room. Overall the box was great, and it takes a lot of practice to remember which steps can be used to exploit the target machine.
