Simple CTF Writeup

Question: How many services are running under port 1000?

Begin by performing a port scan over all 65,535 ports. We will use nmap for this.

Option -sS is a TCP SYN (“stealth”) scan; this is nmap’s default scan type in any case.

Option -p- tells nmap to scan all ports.

Option -T (here -T5) sets the timing template, with -T5 being the fastest; we can afford it because we are not trying to evade an Intrusion Detection System (IDS).


We discover that there are three services running on the targeted host.

Observe the nmap port scan results. You will notice that the service on port “2222” has not been enumerated yet.

Answer: The number of services running under port 1000 on the targeted host; review your nmap report.

Question: What is running on the higher port?

We run an additional nmap scan, removing the -sS, -p-, and -T5 options and adding “-A”. Option “-A” enables operating system and service version detection.

This scan is run against port 2222 to obtain the service and version details.


Port 2222, as seen above, is running OpenSSH and accepting ssh connections.

Answer: Check your nmap -A port scan results for the service and the version of that service listening on port 2222.
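The first two questions are both answered by reading the nmap report: count the open ports below 1000, then find the highest open port and its service. The following added example (not part of the original writeup) does that over a constructed nmap “normal” output in the shape the scan above produces; the port list in the sample is made up for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample of nmap "normal" output (not the real report from the
# page); the ports listed here are illustrative only.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.10.167.197
Host is up (0.040s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
2222/tcp open  ssh
"""


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str


# Matches "<port>/<proto>   open   <service>" lines; closed and filtered
# ports never match, so only open services are collected.
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)


def parse_open_ports(report: str) -> List[OpenPort]:
    """Extract every open port from an nmap normal-output report."""
    return [OpenPort(int(p), proto, svc) for p, proto, svc in _PORT_LINE.findall(report)]


def count_below(ports: List[OpenPort], limit: int = 1000) -> int:
    """Number of open services on ports numbered below `limit`."""
    return sum(1 for p in ports if p.port < limit)


def highest_port(ports: List[OpenPort]) -> OpenPort:
    """The open port with the largest number (the 'higher port' question)."""
    return max(ports, key=lambda p: p.port)


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    print(f"open services: {len(found)}")
    print(f"under port 1000: {count_below(found)}")
    top = highest_port(found)
    print(f"highest port: {top.port}/{top.proto} ({top.service})")
```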

Question: What’s the CVE you’re using against the application?

Let’s move onto the httpd service (Apache Web Server) listening on port 80.

Browsing to the host IP address we observe that the Apache2 Default Page is returned.

Let’s see if we can find some additional directories using GoBuster:


You should have discovered the “/simple” sub-directory.

Browsing to this location in your web browser (“http://10.10.167.197/simple/”) you will see that there is a web application running called CMS Made Simple version 2.2.8.

We will search for a vulnerability in this CMS using searchsploit:


You find that there is a vulnerability (CVE-2019-9053) with a corresponding exploit that can be used against this version of the web application.

Answer: CVE-2019-9053

Question: To what kind of vulnerability is the application vulnerable?

As detailed in the CVE, we see that the attack involves SQL Injection.

Answer: sqli (SQL Injection)

Let’s test the Python script (46535.py) discovered with “searchsploit”.

With a Python 2.7 environment prepared, you can run the script as is.

If you want to run the script under Python 3, convert the “print” statements throughout the code to Python 3 print() function calls. See the links below for a version that works with Python 3.

View Project on CyberTutorials.org (46535-python3.py)

View Project on Github (46535-python3.py)

When you’ve finished running the script you should be able to answer the following questions:


Question: What’s the password?

Running “hash-identifier” on the password hash obtained previously, we see the possible hash types.


Answer: If you’ve completed the steps above correctly you will find the cracked password in “solved.txt” within the directory from which you ran the script.

Question: Where can you login with the details obtained?

ssh mitch@10.10.9.21 -p2222

Answer: We will be using these credentials to log in over “ssh”.

Remember to verify which port you are connecting to: ssh was listening on a non-standard port (2222).

Question: What’s the user flag?

After logging in using ssh, we will list the contents of the current directory and then display the flag.

Last login: Mon

Answer: Look for the flag file after logon.

$ ls
user.txt
$ cat user.txt
–> *FLAG*

Question: Is there any other user in the home directory? What’s its name?

ls -alh /home

Answer: View the output of “ls”.

Question: What can you leverage to spawn a privileged shell?

Start by checking the current user’s “sudo” privileges.

mitch@Machine:~$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

Answer: We can use vim.

Question: What’s the root flag?

Answer:

$ sudo vim /root/root.txt
(Based on the format of the CTF challenges, we guess the name of the file containing the flag.)

Alternatively, open vim with sudo and spawn a shell from within it:

$ sudo vim
:shell

# – root shell spawned

Jesse Shelley