Ready for another one? Let’s do it! As per usual, let’s do an nmap scan and see what’s going on.
Time to break it down:
- Port 80: We can check for a site of some kind here in the web browser, and also look up the version of Apache to see if there are any known vulnerabilities/exploits for it.
- The same tactic applies to port 21 and port 2222: check the service versions for known vulnerabilities.
Personally, I like to start with the website in these instances, as you are usually guaranteed to have something there. The main page for this site is the default Apache page though, so let’s see if Dirbuster will give us any directories.
Let’s see what’s hiding in that /simple/ directory.
Pulling the site up shows us that the framework being used is “CMS Made Simple” version 2.2.8. Let’s see if there are any vulnerabilities for that.
Time to download and run the exploit:
Let’s break this command up a little bit:
- “python” runs the exploit we downloaded, since it is a .py (Python) file.
- “46635.py” is the exploit file.
- “-u” specifies the target URL.
- “--crack” tells the script to crack the passwords it finds, and
- “-w” specifies the wordlist to use for the cracking.
We found two usernames, here’s one of them:
Now that we cracked the password and have a username to attempt to use, let’s try out ssh’ing on port 2222.
Sweet! We made it in! Now we can take a look around.
There’s the user flag. Time to escalate privileges. The first step (especially in these beginner boxes) that I take is to perform the command “sudo -l”.
From there we are able to observe that vim can be run without the root password, so let’s check out GTFOBins to see what we can do with vim.
Trying out the first option, it is a complete success! Let’s deconstruct why this works.
- “sudo” runs the program as the superuser.
- “NOPASSWD” in the “sudo -l” output means this user may run this program as the superuser without having to authenticate.
- “vim” is the program we are running as the superuser.
- “-c” tells vim to execute the given command after loading the first file.
- “:!/bin/sh” is the command executed by “-c”: vim’s “:!” runs a shell command, and because vim itself is running as the elevated user, the shell it spawns is root too.
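The same “sudo -l” breakdown can be turned around and used as an audit: this is an added example written for this post (not part of the original write-up or any tool it uses) that parses either raw sudoers rules or the rule lines “sudo -l” prints, and flags the combinations that hand out a root shell, namely ALL, binaries with an in-program shell escape such as vim, and NOPASSWD. The user name, host name and the list of shell-escape binaries are constructed placeholders.

```python
import os
import re

# Programs that let a user spawn a shell from inside them (vim's ":!/bin/sh" above).
# Constructed, illustrative list; extend it from GTFOBins for your own audits.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "view", "less", "more", "man", "find", "awk", "nano"}

# Rule as written in /etc/sudoers: "user host = <spec>"; "sudo -l" prints only <spec>
SUDOERS_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<spec>.+)$")
# <spec>, e.g. "(root) NOPASSWD: /usr/bin/vim, /bin/ls"
CMD_SPEC = re.compile(r"^(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_rules(text):
    """Flag rules that hand out a root shell: ALL, shell-escape binaries, NOPASSWD."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        who, m = "<current user>", SUDOERS_RULE.match(line)
        if m:
            who, spec = m.group("who"), m.group("spec")
        elif line.startswith("("):          # indented rule line from "sudo -l"
            spec = line
        else:
            continue                        # e.g. "User x may run the following..."
        s = CMD_SPEC.match(spec)
        tags = {t.strip() for t in s.group("tags").split(":") if t.strip()}
        for cmd in (c.strip() for c in s.group("cmds").split(",")):
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])
            reasons = []
            if cmd == "ALL":
                reasons.append("ALL commands permitted")
            elif prog in SHELL_ESCAPE_BINARIES:
                reasons.append(f"{prog} offers an in-program shell escape")
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append({"user": who, "runas": s.group("runas") or "root",
                                 "command": cmd, "reasons": reasons})
    return findings


# Constructed sample of "sudo -l" output shaped like the one the write-up describes
SAMPLE_SUDO_L = """User alice may run the following commands on ctfbox:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{f['user']} -> ({f['runas']}) {f['command']}: {'; '.join(f['reasons'])}")
```

Run it against `sudo -l` output or a copy of /etc/sudoers; the systemctl rule in the sample is not reported because it neither skips the password nor names a program that can escape to a shell.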
That’s the end of it! Thanks for reading!