TryHackMe CTF Walkthrough - "Simple CTF"

Note: This is a reupload of a CTF walkthrough from my original website which no longer exists.



Tonight I'll be providing a writeup on the TryHackMe box "Simple CTF", similar to my writeup on Blue. TryHackMe is another great and incredibly educational site dedicated to teaching learners about offensive and defensive cybersecurity.

As always, it's typical to start with a basic Nmap scan. 

This is one of the typical Nmap scans that I like to run on TryHackMe and HackTheBox machines. It takes longer than most scans because of the enumeration performed by the vulnerability script. Another one I typically run is:

nmap -sC -sV -A x.x.x.x

This is an aggressive scan (-A) with service and version detection (-sV) and the default script set (-sC) enabled.


Here we have quite a bit of output, the bulk of it being a list of CVEs for the specific version of the Apache web server running on the target machine. As we can see, port 21 (FTP), port 80 (HTTP), and port 2222 (SSH) are currently open on the target machine. We can also see the specific version of the service running on each port.

Wherever there is a web server, there are hidden and exposed directories, especially when it comes to CTFs. It is always a good idea to use gobuster to find these hidden and exposed directories. dirbuster can be used as well, but it is much slower than gobuster. You are also welcome to use whichever wordlist you find works best.

After letting gobuster run for a minute or two, we already have a directory that we can take a look at, /simple.



Navigating to the webpage in our browser, we can see what appears to be the default homepage for the "CMS Made Simple" software. CMS Made Simple is a free and open-source content management system for web server administrators. As is always good practice, we should take a detailed look around for any useful information.

This looks promising. It is good practice to look for publicly available exploits for any software versions we find through enumeration. A quick bit of Googling shows that we've already hit the jackpot: if you are able to find a publicly available exploit on ExploitDB for the specific version of the software you are attempting to exploit, you're golden.



From the exploit description, it appears to be an SQLi exploit for all versions of CMS Made Simple prior to version 2.2.10. Let's download it and see if we can actually get it to work for us.



Assuming you already have the required Python modules installed, the script should work right out of the box. The syntax for the script is simple enough, and now all we have to do is wait for the exploit to work its magic.






After 3-4 minutes the script should stop, and you should see results very similar to the screenshot above. From the script's output, we have an MD5 hash, the salt for that hash, a username, and an email. Not to make any ridiculous claims, but the script might have worked. Let's use Hashcat to crack what we have.



For all those unaware, when you want to crack a salted hash using Hashcat, simply save the hash and salt together in a text file in the hash:salt format. This took me an embarrassingly long time to figure out. I'm not too bright. Anyway, once you have the hash and salt saved in a file and Hashcat ready to go, simply run your preferred cracking command and wait for Hashcat to finish.
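The hash:salt line only means something once you also know which order the application concatenated salt and password in; Hashcat models that with separate modes (-m 10 is md5($pass.$salt), -m 20 is md5($salt.$pass)). The following is an added example, not part of the original post or of any tool used in it: it validates a hash:salt line before it goes into a cracking file and checks a few candidate passwords against both orderings. The salt is a constructed value, and which ordering CMS Made Simple actually uses is not asserted here.

```python
import hashlib

# Constructed sample: the salt is made up for this example; the password
# "secret" is the one recovered in the walkthrough.
SAMPLE_SALT = "5f2a9c1e"
SAMPLE_PASSWORD = "secret"
SAMPLE_HASH = hashlib.md5((SAMPLE_SALT + SAMPLE_PASSWORD).encode()).hexdigest()

# The hash:salt line layout Hashcat expects for its salted MD5 modes.
SAMPLE_LINE = f"{SAMPLE_HASH}:{SAMPLE_SALT}"


def parse_hash_line(line):
    """Split a hash:salt line into (hash, salt); raise on a malformed line."""
    digest, sep, salt = line.strip().partition(":")
    digest = digest.lower()
    if not sep or len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected <32 hex chars>:<salt>")
    return digest, salt


# Salted MD5 variants keyed by Hashcat mode number (-m). The same hash:salt
# file is interpreted differently depending on which mode is chosen.
ORDERINGS = {
    10: lambda pw, salt: hashlib.md5((pw + salt).encode()).hexdigest(),  # md5($pass.$salt)
    20: lambda pw, salt: hashlib.md5((salt + pw).encode()).hexdigest(),  # md5($salt.$pass)
}


def check_candidates(line, candidates):
    """Return (mode, password) for the first candidate reproducing the hash, else None."""
    target, salt = parse_hash_line(line)
    for mode, digest_of in ORDERINGS.items():
        for pw in candidates:
            if digest_of(pw, salt) == target:
                return mode, pw
    return None


if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(check_candidates(SAMPLE_LINE, ["password", "letmein", "secret"]))
```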

Hash cracked like it was nothing. Looks like we have Mitch's password now: secret. Great password there, Mitch. The first thing that comes to my mind is to log into the admin console on the CMS Made Simple page.


Looks like we're in. A quick look around didn't provide us with any useful information, or anything else for that matter. All is not lost, however: remembering our initial scan, we have both FTP and SSH running on the machine. Let's try SSH first and see what we can find.


Using the incredibly sophisticated and complex username and password that we somehow managed to crack earlier, we were able to successfully SSH into the machine as Mitch. Now before we move on, let me acknowledge the fact that I am at a sub-novice level when it comes to Linux privilege escalation. I am currently working to improve my knowledge and skill in that area, but in this case, I resorted to linpeas to do the enumeration part for me.


linpeas is a wonderful enumeration script that searches through every part of a Linux host for potential vulnerabilities that could be exploited to obtain privileged access on that host. That being said, you must already be SSH'd into the host as a user with permission to execute scripts. Thankfully, in this case, Mitch has those permissions.
Using SCP, we can copy the linpeas script to the target host. Once linpeas is on the target machine, all we have to do is execute it, and it will do the rest.

Letting linpeas finish, we come across a very interesting note: it appears that Mitch is able to run Vim, the text editor, as root. In a real-life scenario, this would be a disastrous misstep. From what I have seen and researched, there appear to be multiple ways to take advantage of this misstep in order to obtain privileged access. In my case, a friend and I thought it would be smart to modify the /etc/sudoers file to simply give Mitch "root" privileges on the host. This actually worked: after editing /etc/sudoers and running sudo su, I was dropped into a root shell. However, there is another, simpler way, where you can spawn a bash shell from Vim using the command :!bash while in Vim.
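From the defender's side, the misstep linpeas surfaced here is easy to catch in a sudoers review: any non-root user allowed to run an editor or shell as root (with or without a password) is effectively root. The following is an added example, not part of the original post or of linpeas: a small audit over a constructed /etc/sudoers fragment that flags unrestricted ALL entries and shell-capable programs such as Vim. The program list and the sudoers lines are illustrative assumptions, not taken from the target machine.

```python
import re

# Constructed sudoers fragment for the example; not copied from the target.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(ALL) ALL
"""

# Programs that hand the caller a shell once they run as root (Vim's ":!bash"
# from the walkthrough is one case). Illustrative subset, not exhaustive.
SHELL_CAPABLE = {"vim", "vi", "bash", "sh", "su"}

# user host=(runas) [TAG: ...] commands
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return a list of (user, command, reason) for risky sudoers entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m or m["user"] == "root":
            continue  # defaults/aliases and root's own entry are out of scope
        as_root = "root" in m["runas"] or "ALL" in m["runas"]
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                findings.append((m["user"], cmd, "unrestricted sudo"))
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if as_root and prog in SHELL_CAPABLE:
                reason = "shell-capable program as root"
                if nopasswd:
                    reason += " without a password"
                findings.append((m["user"], cmd, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```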

Either way, after acquiring root access, it's simply a quick cat of the flag in the /root directory, and we are done.

I found this to be a very enjoyable CTF, as it incorporated and required the use of various tools and techniques in order to finish it successfully.

Comments

  1. Whoever typed this sounds cute 🥹 pls send me your number
