The Complete Writeup for a Simple CTF (Try Hack Me)

christine - Jun 4 '22 - - Dev Community

Want to be cool? Want to be a hacker? Want to be old school? Well look no further kid, because today we are going to hackify this Simple CTF on Try Hack Me (enter electric guitar and flying unicorns here). 😎

When you're ready, start up that machine, crack your knuckles and let's break this CTF apart.

Simple CTF


Task 1 Simple CTF

How many services are running under port 1000?
By now you will know that to find the services that are running on a port we need to run a nmap scan. Run the following command to scan for all services under port 1000: nmap -p1-1000 <your machine IP>.
Simple CTF
Simple CTF

We can see that there are two services running: ftp and http.
Simple CTF

What is running on the higher port?
Now we need to scan for services above 1000. We can do this by simply running a normal nmap scan via nmap -sV <your machine IP>.
Simple CTF

We can see one port above 1000, which is port 2222/tcp and it is running ssh.
Simple CTF

What's the CVE you're using against the application?
Before we can look for the CVE of our web application, we need to look at what our application contains. Let's start at our home page. Open up your IP address in your browser. We are greeted with a Default Ubuntu Page.
Simple CTF

Okay, there's not much for us there, so let's see what other directories we can find to see which services we can exploit. Let's run a gobuster scan to find these hidden directories. Open up gobuster and run the following: gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://<your machine IP> -t 30 -o output.txt.
Simple CTF

We can see that we have the following hidden directories that could be of importance to us: /robots.txt and /simple. Go back to your browser and open /robots.txt. It's useless. 😑
Simple CTF

Okay, let's try /simple. Hoorah! We are met with a page to CMS Made Simple. When we scroll to the bottom, we can see the version of CMS Made Simple used for this site. We can use this to find exploits.
Simple CTF
Simple CTF

When we search for it in Exploit-DB (you can click here to go to the exploit), we can see the CVE for this application.
Simple CTF
Simple CTF

To what kind of vulnerability is the application vulnerable?
From the page above, we can see that it is a sqli vulnerability.
Simple CTF
Simple CTF

What's the password?
Okay, now we need to use the CVE found above to exploit our application to find a password. If you are using python3, do not install the exploit from Exploit-DB (since you will have to pip install things to run python). Instead, head over to this GitHub page and download the exploit.py file for this CVE that is converted into python3. You can copy this file onto your desktop (I saved mine as 46635.py).
Simple CTF

Now, open up your terminal and cd to your Desktop. We need to run the chmod +x exploit.py command to convert this script into an executable.
Simple CTF

Okay, then we can simply run the bash script to run the exploit against our target IP: python3 exploit.py -u http://<your machine IP>/simple --crack -w /usr/share/wordlists/rockyou.txt
Simple CTF

This will take some time, but you will eventually find the password: secret.
Simple CTF
Simple CTF

Where can you login with the details obtained?
We can log in to ssh with these details, since we have the username mitch, the IP address, and his password.
Simple CTF

What's the user flag?
Let's log into ssh using Mitch's credentials. Run ssh mitch@<your machine IP> -p 2222 - 2222 is ssh's port.
Simple CTF

Let's list all the directories using ls -a. We can see a file named user.txt, and we can read the contents of this file via cat user.txt.
Simple CTF
Simple CTF

Is there any other user in the home directory? What's its name?
Let's first cd into our /home directory. We can see that there is one other user besides Mitch, Sunbath.
Simple CTF
Simple CTF

What can you leverage to spawn a privileged shell?
We can use vim to spawn a privileged shell.
Simple CTF
Simple CTF

What's the root flag?
Let's use vim to spawn a privileged shell. You can read more on this in the in link provided above, but simply put, we can do it via the following command: sudo vim -c ':!/bin/sh'. When we run the id command, we see that we now have root access.
Simple CTF

Now, let's cd into /root. We can see there is a file named root.txt.
Simple CTF

We have root access, so we can simply cat root.txt to get the final flag.
Simple CTF
Simple CTF


Conclusion

I hope this was easy enough to follow, and if it was, congratulations on completing the Simple CTF! You are now a master hacker, and there is nothing more to teach you. Keep an eye on your inbox for an email from the CIA. They'll be in touch soon! 👾

Until next time, happy hacking!

Visit my GitHub for more.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .