TryHackMe | Simple CTF Box

Ready for another one? Let’s do it! As per usual, let’s do an nmap scan and see what’s going on.

Time to break it down:

  • Port 80: We can check for a site of some kind here in the web browser, and also look up the version of Apache to see if there are any vulnerabilities/exploits for it.
  • The same tactics apply to port 21 and port 2222: check the versions for vulnerabilities.

Personally, I like to start with the website in these instances, as you are usually guaranteed to have something there. The main page for this site is the default Apache page though, so let’s see if Dirbuster will give us any directories.

Let’s see what’s hiding in that /simple/ directory.

Pulling the site up shows us that the framework being used is “CMS Made Simple” version 2.2.8. Let’s see if there are any vulnerabilities for that.

Time to download and run the exploit:

The command I ran to get the output is shown below the output.

Let’s break this command up a little bit:

  • “python” runs the exploit we downloaded, as it is a .py file.
  • “46635.py” is the exploit file.
  • “-u” is the target, i.e. the URL.
  • “--crack” says that you want to crack the passwords found.
  • “-w” is the wordlist you want to use to crack the password.

We found two usernames, here’s one of them:

Now that we cracked the password and have a username to attempt to use, let’s try out ssh’ing on port 2222.

Sweet! We made it in! Now we can take a look around.

There’s the user flag. Time to escalate privileges. The first step I take (especially on these beginner boxes) is to run “sudo -l”.

From there we can see that vim can be run as root without a password, so let’s check GTFOBins to see what we can do with vim.

Trying out the first option, it is a complete success! Let’s deconstruct why this works.

  • “sudo” runs the program as the superuser.
  • “NOPASSWD” in the “sudo -l” output means this user may run this program as the superuser without needing to authenticate.
  • “vim” is the program we are running as the superuser.
  • “-c” passes a command for vim to execute after loading the first file.
  • “:!/bin/sh” is the command executed by the “-c” bit. It spawns a shell as the elevated user, making you root.

That’s the end of it! Thanks for reading!
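The breakdown above is the attacker’s view of a NOPASSWD entry on an editor that can spawn a shell. The same reasoning, turned around, is a useful audit check on the defending side. The block below is an added example, not code from the original post or from TryHackMe: it parses constructed “sudo -l” output and a constructed SUID list (the second point comes up again in the RootMe box, where a setuid python binary plays the same role as vim does here), and flags any entry whose binary is one GTFOBins documents as shell-capable. The binary lists, the sample output and the function names are assumptions for the example.

```python
from __future__ import annotations

import re
from os.path import basename

# Editors and interpreters that GTFOBins documents as able to spawn a shell when run
# with elevated rights. Constructed subset for this example; extend it from GTFOBins.
SHELL_CAPABLE = {
    "vim", "vi", "nano", "less", "more", "man",
    "python", "python2", "python3", "perl", "ruby",
    "bash", "sh", "dash", "find", "awk", "env",
}

# setuid-root binaries a stock Debian/Ubuntu host is expected to ship (constructed baseline).
EXPECTED_SUID = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn",
    "gpasswd", "newgrp", "ping", "pkexec", "fusermount",
}

# Constructed `sudo -l` output modelled on what the walkthrough describes.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update
"""

# Constructed output of `find / -perm -4000 -type f 2>/dev/null`.
SAMPLE_SUID_LIST = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/python
/usr/bin/newgrp
/bin/su
/bin/mount
/opt/backup/runner
"""

# One rule line: "(runas) [TAG: ...] command[, command...]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def audit_sudo(sudo_l_output: str) -> list[dict]:
    """Return rule entries that grant ALL or a shell-capable binary, noting NOPASSWD."""
    findings = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        m = ENTRY_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            name = basename(cmd.split()[0])       # drop any argument restriction
            if cmd == "ALL":
                reason = "unrestricted"
            elif name in SHELL_CAPABLE:
                reason = "shell-capable binary"
            else:
                continue
            findings.append({"runas": m.group("runas"), "command": cmd,
                             "nopasswd": nopasswd, "reason": reason})
    return findings


def audit_suid(find_output: str) -> dict[str, list[str]]:
    """Bucket SUID paths: shell-capable ones are critical, unknown ones need review."""
    report: dict[str, list[str]] = {"critical": [], "review": []}
    for path in find_output.split():
        name = basename(path)
        if name in SHELL_CAPABLE:
            report["critical"].append(path)
        elif name not in EXPECTED_SUID:
            report["review"].append(path)
    return report


if __name__ == "__main__":
    for f in audit_sudo(SAMPLE_SUDO_L):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"sudo: ({f['runas']}) {tag}{f['command']} -> {f['reason']}")
    for level, paths in audit_suid(SAMPLE_SUID_LIST).items():
        for p in paths:
            print(f"suid {level}: {p}")
```

On a real host, feed the script the live output of “sudo -l” and of a “find / -perm -4000 -type f” run. A flagged sudo entry is fixed by removing it, or by granting sudoedit on the specific file instead of the whole editor; a flagged SUID bit is removed with chmod u-s once you have confirmed nothing depends on it.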

TryHackMe | RootMe Box

So, as per usual, let’s kick it off with an nmap scan:

We notice that two ports are open: 22 (SSH) and 80 (HTTP). Web sites are always fun in CTFs and leave lots of different places to stuff clues and challenges, so let’s check out the site first, and run Dirbuster on it at the same time to see if it has any hidden directories.

Two directories matter here: /panel and /uploads. /panel brings us to this page:

This page WILL NOT take a standard .php file (my poor reverse shell), and we can assume that once we get past this roadblock, the shell we upload will end up in the /uploads directory.

So I have a simple little minimalist reverse shell I like to use for php (nothing fancy, I should probably upgrade). I just need to run this command:

Then switch the extension from php to php5. This is called a “file name bypass”, and it hoodwinks the file-name validation the upload functionality has in place. You can read further up on this here, but essentially this is a type of blacklisting bypass: we found out that a .php file is blacklisted from being uploaded, but to get around that we just have to try a less common PHP extension such as php3, phpt, php5, php6, etc.
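To make the weakness concrete, here is an added example (not code from the original post or from the RootMe room) of the kind of blacklist check the bypass above defeats, next to a hardened allowlist check and a storage-name function that throws the user-supplied name away altogether. The extension sets, function names and sample file names are assumptions for the example.

```python
from __future__ import annotations

import os
import secrets

# What the page describes the upload form doing: a blacklist that rejects only an exact
# ".php" suffix, so ".php5" and friends slip through (constructed to mirror the text).
WEAK_BLACKLIST = {".php"}

# Hardened version: the feature only needs images, so allowlist exactly those.
IMAGE_ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def _bare_name(filename: str) -> str:
    """Strip any directory component (either slash style) from a submitted name."""
    return os.path.basename(filename.replace("\\", "/"))


def weak_blacklist_allows(filename: str) -> bool:
    """Blacklist check of the kind the walkthrough bypasses: last extension only, '.php' only."""
    _, ext = os.path.splitext(_bare_name(filename))
    return ext.lower() not in WEAK_BLACKLIST


def hardened_allows(filename: str) -> bool:
    """Allowlist check: every extension segment must be an image extension.

    Checking every segment rather than just the last one also rejects names like
    'shell.php.jpg', which Apache's mod_mime can hand to the PHP handler on some
    configurations, and dotfiles such as '.htaccess' are rejected outright.
    """
    name = _bare_name(filename)
    if not name or name.startswith(".") or "\x00" in name:
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False                      # no extension, or an empty segment ('a..jpg')
    return all("." + seg in IMAGE_ALLOWLIST for seg in parts[1:])


def storage_name(filename: str) -> str | None:
    """Name to store an accepted upload under: random token plus the validated extension.

    Returns None when the upload must be rejected. Discarding the submitted name removes
    the file name from the uploader's control entirely.
    """
    if not hardened_allows(filename):
        return None
    ext = _bare_name(filename).lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for candidate in ["photo.jpg", "shell.php", "shell.php5", "shell.php.jpg", ".htaccess"]:
        print(f"{candidate:15} blacklist={weak_blacklist_allows(candidate)!s:5} "
              f"allowlist={hardened_allows(candidate)}")
```

The name check is only half of the fix: the upload directory in the room is served by the same PHP handler as the rest of the site, which is why a renamed shell runs at all. Storing accepted files outside the web root, or disabling script execution for the uploads directory, closes that half regardless of what the name check lets through.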

And wouldn’t ya know, it works! Let’s go verify that our reverse shell is now inside of the uploads directory.

Before clicking on it, make sure to get a netcat listener running.

You might have to do some things to stabilize this shell. As I said, it is extremely minimalist. Now we just need to search for a file with SUID permissions, and find the one that sticks out. We can do this by running the following command:

One major one that sticks out that I’ve used before can be seen here:

Python is great if you have access to it. Check out GTFOBins for some more information. Keep in mind that this is SUID related, and we already have access to python.

That means we just need to run the second command there.

And boom, you’re root.