TryHackMe – Simple CTF Walkthrough
Introduction
This was an easy Linux box that involved exploiting a blind SQL injection vulnerability in CMS Made Simple to obtain initial access, and then abusing the Vim text editor, which sudo allowed to run as root, to escalate privileges to root.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
The scan has identified four open ports: 21 (FTP), 80 (HTTP), 22 & 2222 (SSH). The next step will be to start enumerating HTTP and FTP.
Enumerating HTTP
The following page is displayed when visiting the web server through a browser:
The Nmap scan has identified an openemr-5_0_1_3 entry, although requesting it returns a 404 error:
The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:
- dir to specify the scan should be done against directories and files
- -u to specify the target URL
- -w to specify the word list to use
- -x to specify the extensions to enumerate
- -t to specify the number of concurrent threads
The scan has identified a /simple directory; accessing it brings up a CMS Made Simple instance:
The site’s footer reveals the current version, 2.2.8:
Using the SearchSploit tool to identify known vulnerabilities in this version of CMS Made Simple:
It seems to be affected by a SQL injection vulnerability:
Exploiting Blind SQL Injection
Mirroring the exploit found earlier:
The exploit can be found at this link.
The script exploits the blind SQL injection vulnerability; it enumerates database entries and, when given a wordlist, can also attempt to crack the user password hashes stored in the database:
The script has successfully found and cracked the hash for the “mitch” user:
At this point, having credentials to the CMS does not necessarily mean it will provide a shell, so further enumeration is required.
Enumerating FTP
Since the FTP server running on the host allows anonymous authentication, logging into it and downloading the available “ForMitch.txt” file:
The text file mentions how the same password has been used in multiple places, especially for the system user:
This probably means the password obtained earlier could have been re-used for the “mitch” system user.
Authenticating via SSH on port 2222 as mitch:
Privilege Escalation
It appears the mitch user can execute Vim as root:
Vim is a popular text editor that can execute shell commands from within the editor using the syntax :![command].
Running Vim with sudo and executing /bin/sh within it:
This has granted a root-level shell:
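The defender's counterpart to this finding, added here as an example that is not part of the original walkthrough: a small Python audit that parses sudoers rules and flags any that let a non-root user reach a root shell, either through an unrestricted ALL or through an editor such as Vim that can run shell commands. The sample sudoers content and the list of shell-escaping binaries are constructed assumptions, not taken from the box.

```python
import re

# Programs that can spawn a shell from inside themselves (Vim's ":!cmd",
# less's "!cmd", and so on). Assumption: an illustrative list, not exhaustive.
SHELL_ESCAPE_BINARIES = {"vim", "vim.basic", "vim.tiny", "vi", "nano", "less", "more", "man"}

# Constructed sample sudoers content for this example (not taken from the box).
SAMPLE_SUDOERS = """
# User privilege specification
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     ALL=(ALL) NOPASSWD: ALL
"""

# The common sudoers rule shape: user  hosts=(runas) [TAG:] commands
SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)=(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return one dict per user rule; comments, blank lines and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def runs_as_root(runas):
    """A missing runas means root; 'root' or 'ALL' in the user part also reaches root."""
    if not runas:
        return True
    user_part = runas.split(":")[0]
    return any(u.strip() in ("root", "ALL") for u in user_part.split(","))

def audit_sudoers(text):
    """Flag rules that hand a non-root user a root shell, directly or via an editor escape."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root" or not runs_as_root(rule["runas"]):
            continue
        for entry in rule["cmds"].split(","):
            cmd = entry.strip().split()[0]      # drop any argument restrictions
            name = cmd.rsplit("/", 1)[-1]       # basename of the permitted binary
            if cmd == "ALL":
                findings.append({"user": rule["user"], "command": cmd, "reason": "any command as root"})
            elif name in SHELL_ESCAPE_BINARIES:
                findings.append({"user": rule["user"], "command": cmd, "reason": f"{name} can run :!sh as root"})
    return findings
```

Running `audit_sudoers(SAMPLE_SUDOERS)` flags mitch's Vim rule and bob's ALL rule, while alice's restricted systemctl rule passes.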
Conclusion
This box is great for beginners as it doesn’t require any advanced technical skills, only the ability to find known vulnerabilities or misconfigurations to exploit and gain further access; it can be a great starting point on the OSCP journey.