Simple CTF

Beginner Level CTF

Nmap Scan

We will begin with an nmap scan.

nmap -A -T4 -p- 10.10.190.75

Nmap Results

FTP Service

Let us start by exploring the ftp service since anonymous login is allowed.

ftp service

Once we download the file, let us view it in our attack machine.

File captured

Hmm, interesting. Perhaps there is a user named Mitch, and probably their password is the same as that of root. Let us enumerate some more.

HTTP Service

Since there is a web server running, let us open it and see what is there.

Apache2 Default Page

In our nmap scan results, there is a robots.txt file with 2 disallowed entries. Let us have a look at it.

/robots.txt

Let us navigate to /openemr-5_0_1_3

404 Error

That's strange. Okay, let us search for hidden directories.

gobuster dir -u http://10.10.25.54 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,bak,zip,html

And we get our results back.

Gobuster Results

Let us navigate to /simple

We come across a website named CMS Made Simple. Some googling reveals that it is a free, open-source content management system that provides developers, programmers and site owners with a web-based development and administration area.

Scrolling to the bottom of the web page, we find its version number.

Version

While going through the web page, we are informed of an admin console.

Admin console instructions.

And sure enough, we find a login page at /admin.

Login Page

The instructions mention that logging in requires the username/password set during installation, so the site does not have default credentials. However, I will still try some common username/password combinations to see if I get lucky.

I wasn't.

Luckily, there is a forgot password feature. Let me see if we can enumerate usernames.

When I use the username admin, I get an error.

User Not Found

However, when I use the username Mitch (remember him?), I get a blank screen. Does this mean Mitch might be a potential user? Let us try brute-forcing the password with his username.

We will use hydra for our brute-force attack.

hydra -l mitch -P /usr/share/wordlists/rockyou.txt 10.10.25.54 http-post-form "/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect" -t 30 -v

A quick google search reveals our CMS Made Simple version (2.2.8) is vulnerable to an Unauthenticated SQL Injection (CVE-2019-9053). Let us download the exploit code and exploit that.

python 46635.py -u http://simple.local/simple --crack -w /usr/share/wordlists/rockyou.txt

And we get the following details:

  • username: Mitch

  • password: secret

  • email: admin@admin.com

  • etc...

Let us go ahead and login with the credentials.

Success!!!

Successfully Logged In

SSH Service

Before we enumerate the website, let us recall from our nmap scan results that ssh is open on port 2222. The image below also shows Mitch being criticized for setting the same password for his system user.

Message for Mitch

We should see if we can use his credentials to log in to the server via ssh.

Login to Server

And success. Let us retrieve the user flag.

User flag

We are unable to retrieve the root flag since we do not have full system privileges.

Privilege Escalation

Let us run sudo -l to see whether there are any commands we can run as root that would let us escalate our privileges.

Vim can be run as root

We see that vim can be run as root with no password. Referring to GTFOBins, we see that there is a vim command which can allow us to escalate our privileges.

Vim command to escalate privileges

Let us run it, escalate our privileges to root and retrieve the root flag.

Root Flag Retrieved
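The root cause here is a sudoers rule that lets a low-privileged user run an editor as root without a password. As an added example (not part of the original write-up), the following Python script audits the output of sudo -l for exactly this class of rule: it parses each rule into run-as user, NOPASSWD tag and command, then flags any root-level rule whose binary is on an assumed sample list of GTFOBins-style shell-capable programs. The sudo -l output embedded below is constructed to mirror the box, not captured from it.

```python
import re

# Constructed sample of `sudo -l` output (not captured from the box), mirroring
# the write-up's finding: vim runnable as root with NOPASSWD.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update
"""

# Assumed sample of binaries that GTFOBins documents as able to spawn a shell
# when run through sudo; extend this from the GTFOBins "sudo" category as needed.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "find", "awk", "python", "python3", "perl"}

# One sudoers rule line: "(run_as) [TAG: ...] /path/to/cmd args[, /other/cmd]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_rules(text):
    """Return a list of (run_as, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        # Rules only start after the "User X may run the following commands" header.
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules

def risky_rules(rules):
    """Flag rules that run a shell-capable binary as root; NOPASSWD makes it high severity."""
    findings = []
    for run_as, nopasswd, cmd in rules:
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if run_as in ("root", "ALL") and binary in SHELL_CAPABLE:
            findings.append(("high" if nopasswd else "medium", cmd))
    return findings

if __name__ == "__main__":
    for severity, cmd in risky_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"[{severity}] sudo rule allows a root shell escape: {cmd}")
```

On a real host, pipe the live output of sudo -l into parse_sudo_rules instead of the constructed sample; the fix for a high finding is to remove the rule or restrict the user to a non-interactive command.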

Lessons Learnt

  1. Always try to log in via ssh using any credentials found.

  2. Refer to notes regularly to recall any 'hints', e.g. the note to Mitch about setting the same password on the system.

  3. Enumerate all running services.
