Beginner level ctf (capture the flag).

This is the write up for the room Simple CTF on Tryhackme and it is part of our cybersecurity training from HackerU .

Firstly we have to make connection with VPN or use the attackbox on Tryhackme site to connect to the Tryhackme lab environment.

VPN connection with THM

Task 1:

First deploy the machine after that we will get the Target system IP.

Once the machine is booted up then will move to our sub task

Task 1.1:

To check how many services are running under port 1000.

For this we have to run Nmap scan. Before runing nmap scan let’s first verify if we are geting the ping with the system.

Now we are set to run nmap scan to find the ports running under 1000.For this i used

nmap -sS -sV -A 10.10.96.70

-sS (TCP SYN scan)

-sV (Version detection)

-A (Aggressive scan options)

From scan we can see that 3 ports are open which are port 22,port 80 and port 2222.

here we got answer for our first there are 2 ports running under 1000.

Task 1.1

Task 1.2:

Now moving towards next task which is to find What is running on the higher port. Which we already got using nmap scan that higher port 2222 is running ssh.

Task 1.2

Task 1.3 :

Now moving towards next task whic is to find the CVE (Common Vulnerabilities and Exposures)using against the application.

For this we have to do little enumeration like looking for some information in website as port 80 is open.

so we directly visited the site we didnt found any information so did gobuster to check if there is any hidden directory where we can find some information or clue.

gobuster dir -u URL -w /wordlist path/ -t no. of threads(max64)

from the above scan found that there is a simple directory so went to that directory.

As we visited the site found that it is runing cms (Content management system) is running which is cms made easy.

So scrolled the website to check the version of the cms to find if it has any CVE.

we got the cms version from this version we checked if any known vulnerability is there using searchsploit or directly also can be searched in google.

From the searchsploit result we can see that there is CVE for this version of cms.Here we come to know the vulnerability we can check the CVE no. for thi in google and will get out answer for task.

CVE Detail

Thus we got the answer for our Task CVE-2019–9053.

Task 1.3

Task 1.4 :

Now moving to our next task that is to find the application which is vulnerable which we got in this CVE details and in searchsploit also that SQL injection is done so the application is SQLI.

Task 1.5:

Now moving to our next task that is to get user password. For this we used the script and got the user name and password. To run the script some details were provided in the CVE details page and inside the file .

Script additional value.
Script

As shown above we have to run the script and wait for it to perform it will take some time .Once completed will get our desired output.

USER and PASSWORD

We got User name and password .

User :- mitch

Password :- secret

we completed our task of getting user password.

Task 1.5

Task 1.6:

Now will go to our next task that is to find where to use this login details so as we got port 22 open which run ssh service will try this user name and password for ssh login.

SSH login

We were able to login ssh using the user name and password.

Task 1.6

Task 1.7:

Now will move to our next task that is to find user flag. For this will have to take interactive shell using python command as the shell we got is unstable.

python -c 'import pty; pty.spawn("/bin/bash")'

And once we get interactive shell will search for flag inside the folders.

User flag

As seen above we got interactive shell and the user flag ass well.

Task 1.7

Task 1.8:

Now will move towards our next task that is to see if any other user is present in home directory. so went back to home directory and found other user sunbath folder present .

Task 1.8

Task 1.9:

Now will move to our next task that is to leverage to spawn a privileged shell. for this will check which application the user mitch is allowed to use as sudo (root) permision. For this will do sudo -l will get the application name.

Root shell
Task 1.9

Task 1.10:

Now will move towards our last task that is to find root flag. As doing sudo -l we got to know that mitch user can use vim application as root permision we searched for the command to get root shell using vim for this we searched vim in gtfobins(https://gtfobins.github.io/).

gtfobin

using the above command will try to get root shell.And in above (root shell) we were successfully able to get root shell. now will search for root flag in root directory.

Root flag

As can be seen in the above image we successfully captured our second flag .

Task 1.10

Thus we successfully able to crack the box get privilege escalation and got root access and captured both the flag.

Cyber security enthusiast currently learning cybersecurity as RED team From HackerU