Simple CTF Writeup
Question: How many services are running under port 1000?
Begin by performing a port scan over all 65,535 ports. We will use nmap for this.
Option -sS selects a TCP SYN ("stealth") scan (this is nmap's default scan type anyway).
Option -p- tells nmap to scan all 65,535 ports.
Option -T (here -T5) sets the timing template; -T5 is the fastest, which is acceptable here because we are not trying to evade an Intrusion Detection System (IDS).
We discover three services running on the target host.
Observe the nmap port scan results. Notice that port 2222 is listed but the service behind it has not been enumerated.
Answer: The number of services running on the targeted host. Review your nmap report.
Question: What is running on the higher port?
We run an additional nmap scan, dropping the -sS, -p-, and -T5 options and adding -A, which enables operating system and service version detection.
This scan is run against port 2222 only, to obtain the service and version details.
Port 2222, as seen above, is accepting connections for OpenSSH (ssh).
Answer: Check your nmap -A port scan results for the service and the version of that service listening on port 2222.
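The two nmap questions above both come down to reading the PORT/STATE/SERVICE/VERSION table that nmap prints. The following Python script is an added example (not part of the original writeup) that parses that table from nmap's normal output, counts the open ports below 1000, and reports the service on the highest open port. The sample output embedded in it is constructed for the example: only ports 80 (Apache httpd) and 2222 (OpenSSH) come from the writeup, and the version strings and the other ports are placeholders.

```python
import re

# Constructed sample of nmap "normal" output with the service/version columns
# produced by -sV / -A. Illustrative data, not the scan results from the writeup:
# only ports 80 and 2222 are mentioned there, everything else here is made up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.167.197
Host is up (0.041s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     example-ftpd 1.0
80/tcp   open   http    Apache httpd 2.4.0
443/tcp  closed https
2222/tcp open   ssh     OpenSSH 8.0 (protocol 2.0)
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")


def parse_nmap_ports(text):
    """Return one dict per port line found in nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # banner, "Not shown", header and blank lines are skipped
        port, proto, state, service, version = m.groups()
        ports.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": version or "",
        })
    return ports


def open_ports_below(ports, limit=1000):
    """Open ports numbered below `limit` (the writeup's 'services under port 1000')."""
    return [p for p in ports if p["state"] == "open" and p["port"] < limit]


def highest_open_port(ports):
    """The open port with the largest number, or None if nothing is open."""
    open_ports = [p for p in ports if p["state"] == "open"]
    return max(open_ports, key=lambda p: p["port"]) if open_ports else None


if __name__ == "__main__":
    parsed = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    low = open_ports_below(parsed)
    print(f"open services under port 1000: {len(low)}")
    top = highest_open_port(parsed)
    print(f"highest open port: {top['port']} {top['service']} {top['version']}")
```

Only lines whose state is "open" are counted, so a "closed" or "filtered" entry that nmap happens to print (as the constructed 443/tcp line does) does not inflate the answer. To run it over a real scan, save the scan with -oN and pass the file contents to parse_nmap_ports.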
Question: What’s the CVE you’re using against the application?
Let’s move onto the httpd service (Apache Web Server) listening on port 80.
Browsing to the host IP address we observe that the Apache2 Default Page is returned.
Let’s see if we can find some additional directories using GoBuster:
You should have discovered the “/simple” sub-directory.
Browsing to this location in your web browser (“http://10.10.167.197/simple/”) you will see that there is a web application running called CMS Made Simple version 2.2.8.
We will search for a vulnerability in this CMS using searchsploit:
You find that there is a vulnerability ( ) with a corresponding exploit that can be used against this version of the web application.
Question: To what kind of vulnerability is the application vulnerable?
As detailed in the CVE, the attack involves SQL injection.
Answer: sqli (SQL Injection)
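To make concrete what "SQL injection" means here, the following Python/SQLite snippet is an added example and is not code from the writeup or from CMS Made Simple. It places a lookup that builds its query by string concatenation next to the same lookup using a bound parameter, and shows that a classic tautology input returns every row from the first and nothing from the second. The table, user names and hash values are constructed placeholders.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for a CMS user table; names and hashes are
    placeholders, not values from the writeup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO cms_users VALUES (?, ?)",
        [("mitch", "<placeholder-hash-1>"), ("demo_user", "<placeholder-hash-2>")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by concatenation: the caller's input becomes SQL
    syntax, so a quote in the input can change the meaning of the WHERE clause."""
    query = "SELECT username FROM cms_users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn, username):
    """Bound parameter: the driver passes the input purely as a value, whatever
    characters it contains, so the query structure cannot be altered."""
    query = "SELECT username FROM cms_users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = build_demo_db()
    # Standard textbook test input: makes the concatenated WHERE clause true for every row.
    tautology = "nobody' OR '1'='1"
    print("vulnerable   :", find_user_vulnerable(db, tautology))     # every user
    print("parameterized:", find_user_parameterized(db, tautology))  # no user
```

The fix is the second function: the query text is fixed at development time and the value travels separately, which is the same remediation that applies to the CMS's own database access code.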
Let’s test the Python script (46535.py) discovered with “searchsploit”.
With a prepared Python 2.7 environment, you can run the script as is.
If you want to run the script with Python 3, modify the “print” statements throughout the code to Python 3 syntax (print as a function). See the link below for a version that works with Python 3.
View Project on CyberTutorials.org (46535-python3.py)
View Project on Github (46535-python3.py)
When you’ve finished running the script you should be able to answer the following questions:
Question: What’s the password?
Running “hash-identifier” on the password hash obtained in the previous step shows the possible hash types.
Answer: If you’ve completed the steps above correctly you will find the cracked password in “solved.txt” within the directory from which you ran the script.
Question: Where can you login with the details obtained?
ssh email@example.com -p2222
Answer: We will use these credentials to log in over “ssh“.
Remember to verify which port you are connecting to; ssh was listening on a non-standard port.
Question: What’s the user flag?
After logging in using ssh, we will list the contents of the current directory and then display the flag.
Last login: Mon
Answer: Look for the flag file after logon.
$ cat user.txt
Question: Is there any other user in the home directory? What’s its name?
ls -alh /home
Answer: View the output of “ls“.
Question: What can you leverage to spawn a privileged shell?
Start by checking the current user’s “sudo” privileges.
mitch@Machine:~$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
Answer: We can use vim.
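From the defender's side, a rule like the one above is exactly what a sudo configuration audit should catch. The script below is an added example, not from the writeup: it parses the rules section of `sudo -l` output and flags any rule that runs an editor, pager or interpreter as root, noting whether it is NOPASSWD. The sample output is constructed in the same shape as the writeup's (the second rule is invented for contrast), and the list of shell-capable binaries is a deliberately short, assumed list.

```python
import re

# Constructed `sudo -l` output in the same shape as the writeup's; the second rule is
# made up for contrast and does not come from the original host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /bin/cat /var/log/syslog
"""

# Programs that, once running as root under sudo, can hand the operator an interactive
# shell (editors, pagers, interpreters). Assumed, deliberately short list for this
# example; a real audit would maintain a fuller one.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "python", "python3",
                 "perl", "awk", "find", "bash", "sh"}

# "(runas) [TAG: ...] command [args], command [args]"
RULE_LINE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_l(text):
    """Return the per-command rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_LINE.match(line) if in_rules else None
        if not m:
            continue  # Defaults entries and blank lines are not rules
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def audit_sudo_rules(text):
    """Annotate each rule with whether it reaches a root shell via a shell-capable binary."""
    findings = []
    for rule in parse_sudo_l(text):
        binary = rule["command"].split()[0].rsplit("/", 1)[-1]
        as_root = rule["runas"].split(":")[0].strip() in ("root", "ALL")
        risky = as_root and (binary == "ALL" or binary in SHELL_CAPABLE)
        findings.append({**rule, "shell_escape": risky})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        flag = "SHELL-ESCAPE" if f["shell_escape"] else "ok"
        pw = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{flag:12}] ({f['runas']}) {pw}: {f['command']}")
```

A rule that is both NOPASSWD and shell-capable is the equivalent of a passwordless root shell, so it should be treated the same way in a review. Where the intent is only to let a user edit particular files as root, granting sudoedit (sudo -e) on those specific files is the standard narrower alternative to granting the editor itself.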
Question: What’s the root flag?
$ sudo vim /root/root.txt (based on the format of the CTF challenges, we guess the file containing the flag)
$ sudo vim
from within vim:
# – root shell spawned