{"id":294,"date":"2023-04-22T15:39:52","date_gmt":"2023-04-22T20:39:52","guid":{"rendered":"https:\/\/binaryblisters.com\/?p=294"},"modified":"2023-04-22T15:39:52","modified_gmt":"2023-04-22T20:39:52","slug":"try-hack-me-simple-ctf","status":"publish","type":"post","link":"https:\/\/binaryblisters.com\/?p=294","title":{"rendered":"Try Hack Me – Simple CTF"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

This CTF was a pretty good one that I ended up solving in a different means other than what I believe the creator intended. I’ll go into more detail on that later but as always, if you want to see my original notes from the lab go here<\/a>.<\/p>\n\n\n\n

Task 1: How many services are running under port 1000?<\/h2>\n\n\n\n

This was a pretty quick one as all you need to do is run a simple NMAP<\/strong> scan. Running NMAP with no flags will go through the most common ports, which include ports less than 1000.<\/p>\n\n\n\n

nmap [TARGET IP]<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This shows that both FTP and HTTP are running. There is also another service running on Port 2222.<\/p>\n\n\n\n
Task 2: What is running on the higher port?<\/h2>\n\n\n\n
It appears that a service called EtherNetIP-1<\/strong> is running on Port 2222. However, let’s see if we can see some more information on it with a more detailed NMAP scan.<\/p>\n\n\n\n
nmap -sV -sC [TARGET IP]<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This gave us a lot of good information on the services being run but the important thing to note is the Service being run on Port 2222 is a typical one found on Port 22.<\/p>\n\n\n\n
Task 3: What’s the CVE you’re using against the application?<\/h2>\n\n\n\n
Tasks 3 and 4 took me quite some time to figure out and I actually ended up looking at another person’s write-up<\/a> for a clue. I was actually able to get root privileges another way that didn’t require this, which is why it took me a bit of time. I’ll give you a brief overview of how to answer this question.<\/p>\n\n\n\n
Since we can see that Port 80 is open from the NMAP scan, that means there is a pretty good chance that a web server is currently being run. Visiting the page shows us that there is a default Apache web server running.<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
Performing some enumeration with Gobuster<\/strong> will show a few other directories available, including one for a standard CMS login page using the \/admin<\/strong> directory. I’m not going to go into too much detail here as I did not go down this route to get credentials but you’ll need to do this to answer the question.<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
On the page, you’ll see that the application is running CMS Made Simple Ver. 2.2.8. We can take this and run a quick Google search to see what possible vulnerabilities exist. Checking out the link for Exploit DB<\/a> will give us a pretty clean means of exploiting a vulnerability for the application.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It will also give us the answer to this task.<\/p>\n\n\n\n
Task 4: What kind of vulnerability is the application vulnerable to?<\/h2>\n\n\n\n
Looking at the Exploit shown above will also give us the answer for this task.<\/p>\n\n\n\n
I’ll go into a bit more detail here but it’s not the path I took to gain root access. To further pursue this exploit, you’ll need to grab the script included with this exploit and run it against the URL\/admin<\/strong> page.<\/p>\n\n\n\n
This will produce a hashed and salted password. After gaining this, you can use a tool like Hashcat<\/strong> to crack it and gain credentials for one of the users.<\/p>\n\n\n\n
Task 5 What’s the password?<\/h2>\n\n\n\n
The means I took were a bit different. I decided to explore some other routes prior to running Gobuster.<\/p>\n\n\n\n
During the more detailed NMAP scan, I noticed that Port 21 had anonymous login available so I started there.<\/p>\n\n\n\n
On my host machine, I logged into the FTP account for the target machine.<\/p>\n\n\n\n
ftp [TARGET IP]<\/code><\/pre>\n\n\n\n
Using the username anonymous<\/strong> will allow us to log in as a guest. If we list out the contents of the directory available to us, we will find a file in there called ForMitch.txt<\/strong>. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
We can use the following command to download the file.<\/p>\n\n\n\n
get ForMitch.txt<\/code><\/pre>\n\n\n\n
After we have downloaded the file to our host machine, we can use cat<\/strong> to view the contents.<\/p>\n\n\n\n
cat ForMitch.txt<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
We learn two things from this file. <\/p>\n\n\n\n
    \n
  1. There is most likely a user named mitch<\/strong>.<\/li>\n\n\n\n
  2. That user has weak credentials.<\/li>\n<\/ol>\n\n\n\n
    Now that we have a possible username and know the password is probably something fairly weak, let’s do a brute-force attack on the SSH server running on Port 2222. In this instance, we’ll use one of my favorite tools, Hydra<\/strong>.<\/p>\n\n\n\n
    hydra -V -l mitch -P [PATH TO WORDLIST] ssh:\/\/[TARGET IP]:2222<\/code><\/pre>\n\n\n\n
    Remember to specify the port in this case since the SSH server isn’t running on the typical Port 22.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    It looks like we now have credentials for the user mitch<\/strong>.<\/p>\n\n\n\n
    Task 6: Where can you log in with the details obtained?<\/h2>\n\n\n\n
    Since we just ran the Hydra attack on Port 2222. We already know what service is running on that port.<\/p>\n\n\n\n
    Task 7: What’s the user’s flag?<\/h2>\n\n\n\n
    Now that we have credentials for mitch<\/strong>, let’s login through SSH to their account.<\/p>\n\n\n\n
    ssh -p 2222 mitch@[TARGET IP]<\/code><\/pre>\n\n\n\n
    Similar to the Hydra attack, we need to specify the port in this instance since it is not on the standard port of 22.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Once we are logged into the user’s account we can find the user.txt<\/strong> file in the home directory for mitch<\/strong>. <\/p>\n\n\n\n
    cat \/home\/mitch\/user.txt<\/code><\/pre>\n\n\n\n
    Task 8: Is there any other user in the home directory? What’s its name?<\/h2>\n\n\n\n
    This one should be pretty easy as well since we are logged into the target machine. We can check the \/home<\/strong> directory for other possible users. We could also check the \/etc\/passwd<\/strong> file to see what other users are on the system since. This won’t always be possible but in this case mitch<\/strong> has read access to the file.<\/p>\n\n\n\n
    ls -l \/home<\/code><\/pre>\n\n\n\n
    cat \/etc\/passwd<\/code><\/pre>\n\n\n\n
    Task 9: What can you leverage to spawn a privileged shell?<\/h2>\n\n\n\n
    While logged into the mitch<\/strong> account, you can run the sudo<\/strong> command to see what privileges they have.<\/p>\n\n\n\n
    sudo -l<\/code><\/pre>\n\n\n
    \n
    \"\"<\/figure><\/div>\n\n\n
    This is great information as it shows a possible route to privilege escalation in the machine and also the answer to this task.<\/p>\n\n\n\n
    Task 10: What’s the root flag?<\/h2>\n\n\n\n
    Now that we know what program we have sudo<\/strong> privileges to, we can search for possible means to escalate those privileges to the entire machine. Let’s start by visiting GTFOBins<\/a> and looking for possible avenues of attack for vim<\/strong>.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    It looks like there are a few options but let’s start with the first. Copy and paste that into your SSH session with the target machine.<\/p>\n\n\n\n
    sudo vim -c ':!\/bin\/sh'<\/code><\/pre>\n\n\n\n
    You should now have root privileges for the entire machine. Navigate over to the root directory for the flag.<\/p>\n\n\n\n
    sudo vim -c ':!\/bin\/sh'<\/code><\/pre>\n\n\n\n
    Summary<\/h2>\n\n\n\n
    This machine frustrated me for a while. Mainly because I had obtained the root flag but still couldn’t answer the questions to Task 3 and 4. I actually dug through the \/var\/www\/html<\/strong> directory once I had access to the system but dismissed further enumerating. <\/p>\n\n\n\n
    Lesson learned.<\/p>\n\n\n\n
    However, it was still pretty neat to see multiple ways into this system. I streamed<\/a> this hack if you are interested in watching me work through it.<\/p>\n\n\n\n
    As always, thanks for reading and catch you all later.<\/p>\n\n\n\n
    -sgtdiddlywink<\/p>\n","protected":false},"excerpt":{"rendered":"
    This CTF was a pretty good one that I ended up solving in a different means other than what I believe the creator intended. I’ll go into more detail on that later but as always, if you want to see my original notes from the lab go here. Task 1: How many services are running […]<\/p>\n","protected":false},"author":1,"featured_media":307,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,49],"tags":[18,28,51,66],"class_list":["post-294","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-thm","tag-hacking","tag-studying","tag-thm","tag-try-hack-me"],"_links":{"self":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/294","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=294"}],"version-history":[{"count":1,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/294\/revisions"}],"predecessor-version":[{"id":308,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/294\/revisions\/308"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/media\/307"}],"wp:attachment":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=294"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}