EasyCTF WriteUp — PenTesting

Kalana Wijethunga
4 min read · May 6, 2020

TryHackMe’s EasyCTF — A good starting point for a beginner CTF lover

Image from: https://miro.medium.com/max/6706/1*eWYm3Dm7s0t8lLWYRW4pow.jpeg

Today I’ll be writing about how to solve the EasyCTF room offered by TryHackMe. This is a very beginner-friendly CTF which you can work on if you are just getting started with CTFs and pen testing. So let’s get started.

As usual, let’s start off with a port scan using our favourite port scanner, Nmap. You can use the following command to do a port scan:

nmap -T4 -A -v <target-ip-address>

In case this fails, you can try adding the -Pn flag to skip host discovery (a no-ping scan). We can identify 3 services running on the server, and the port scan gives us the answers to the first 2 questions in the room.

Nmap port scan results

The most interesting things I noticed are the anonymous FTP login and the web server running on port 80. I started DirBuster and let it run in the background to identify any other directories on the web server, and before long it found the directory /simple.

When we visit the identified directory, we can see that it runs CMS Made Simple, version 2.2.8. A simple Google search shows the vulnerabilities in this version of the CMS. (Looks like this version is famous for vulnerabilities, as Google suggests exploits as soon as we type CMS Made Simple 2.2.8.)

CMS Made Simple v2.2.8 Vulnerabilities

We come across 4 vulnerabilities. I ruled out the last 2 for now, as they are XSS and we might need a user to work with XSS. The second one caught my attention as it is an SQL vulnerability. By reading the details we can see that it is an SQL injection, and the letters ‘SQLi’ match the number of letters expected for the answer to Question #4. The answer is correct, which allows us to answer Question #3 with the CVE ID of the vulnerability. There is a hint about using SecLists’ best110.txt for Q #4, but let’s skip it for now as we didn’t need it.

FTP login

Although it is a good idea to try SQL injection, I decided to go ahead with FTP, as they have been so kind as to allow us to log in anonymously. You can use ftp <target-ip-address> to log in to the FTP server. Use anonymous as both the username and the password. There is only 1 directory and a single file inside it. Let’s get it and check it out.

Content of the ForMitch.txt file

Interesting! Its filename is ForMitch.txt, which hints at a user named mitch. It also tells us that Mitch has a weak password that can be cracked in seconds. Now that we have worked with 2 of the 3 services, let’s try to brute-force SSH. I advise you not to start with brute forcing if you are not sure it will give you a good result. In this CTF we can go ahead with it, as the file says mitch has a weak password and it is easy to crack as well.

Brute force SSH

Brute-forcing SSH with Hydra gives us the password within seconds. Make sure you set the correct port for SSH, as this server does not run SSH on the default port 22. Now we can log in and easily find the user flag and the other user on the system.

Mitch’s User Account

Now that we have found the answers to Questions #6, #7, and #8, it looks like all that remains is privilege escalation to get to the root account. Let’s check Mitch’s sudo privileges for that using sudo -l.

Mitch’s User Permission

We can see that Mitch can run Vim as the root user without a password, which is great! The awesome thing about Vim is that it can open a shell inside it. So we can run Vim as root from Mitch’s account and access a shell from it, which gives us root privileges. This nice article explains some Linux privilege escalation techniques very well.

I opened Vim using sudo vi script.sh and opened a shell with the :!bash command. Voila! We are in! Let’s go ahead and read the root flag, and we have finished the challenge!

Root Flag
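As an added example (not part of the original writeup), here is a small Python audit that parses the text of sudo -l and flags rules that let a user run a shell-escaping editor such as Vim as root, which is exactly the misconfiguration exploited above. The sample sudo -l output, the list of binaries and the function names are my own constructions, not captured from the room.

```python
"""Audit 'sudo -l' output for rules that hand out a root shell via an editor escape."""
import re

# Editors/pagers that can spawn a shell (e.g. ':!bash') when run as root.
# Illustrative list, not exhaustive.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "vim.basic", "nano", "less", "more", "man"}

# Constructed sample of 'sudo -l' output, modelled on a user like mitch.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin

User mitch may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
"""

# "(runas) TAG: TAG: command" -- tags such as NOPASSWD: or SETENV: are optional.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_rules(text):
    """Return (runas, [tags], command) for each rule listed after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def risky_rules(text):
    """Flag rules that give root (or ALL) and either any command or a shell-escaping binary."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if ("root" in runas or "ALL" in runas) and (cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES):
            findings.append((cmd, "NOPASSWD" if "NOPASSWD" in tags else "password-prompted"))
    return findings
    # Remediation: grant sudoedit on the specific file instead of a whole editor as root.
```

Running risky_rules over the sample flags /usr/bin/vim as a NOPASSWD root rule while leaving the narrower systemctl rule alone.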
