Simple CTF — TryHackMe

Beginner level CTF

Bat_09
3 min read · Mar 16, 2021

First, let’s browse to the website on the target IP. We see an Apache2 Ubuntu Default Page, so there is nothing interesting here. Let’s run nmap to see if there are any open ports that we can exploit. Run nmap --help to list all options.

sudo nmap -T4 -A -p- <MACHINE-IP>

nmap scan results

We can see that three ports are open: 21, 80 and 2222. Use these results to answer the questions.

Let’s run gobuster or dirbuster to see if there are hidden directories. I will go with gobuster.

sudo gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://<MACHINE-IP>/

We discovered a directory. Let’s browse to it and see if there is something useful.

After looking around the website, the CMS looks interesting. Let’s check whether there is a known exploit listed under its name.

searchsploit cms made simple

Now we know that the CMS is vulnerable to SQL injection and that there is a Python script we can run. Download the script and run it.

python3 46635.py -u http://<IP>/simple --crack -w <wordlist path>

I used rockyou.txt; you can find it in /usr/share/wordlists/.

After a few minutes we get the username and password for the target machine. We then log in with these credentials over SSH, which we saw was open in our nmap scan.

login using ssh

We got the user flag.

There is another user on the system; we can find it in the home directory.

sudo -l

Use this command to list the user’s sudo privileges.

We can see that vim can be run as root.

sudo -u root vim

The above command runs vim as root. Type :sh to get a shell as root.

Now navigate to the root.txt file and get the root flag.
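The sudo rule found above is something a defender can audit for before anyone else finds it. As an added example (not part of the original write-up), this shell function reads `sudo -l` output and flags rules that allow an editor or pager to run as another user; the program list, the sample output and the names `alice` and `host` are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit `sudo -l` output for rules like the one in this
# walkthrough, where an editor or pager runs as root and can spawn a shell.
# Real use: sudo -l -U <user> | audit_sudo_rules

# Constructed, non-exhaustive list of interactive programs with a shell escape.
RISKY="vi vim view vimdiff nano less more man"

# Constructed sample of `sudo -l` output (user and host names are made up).
SAMPLE='User alice may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/sbin/nginx -t
    (ALL : ALL) ALL'

audit_sudo_rules() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]+\(/ {                       # rule lines look like "    (runas) [TAG:] cmd"
        line = $0; sub(/^[ \t]+/, "", line)
        runas = line; sub(/\).*/, ")", runas)
        rest = line; sub(/^\([^)]*\)[ \t]*/, "", rest)
        noexec = 0
        while (match(rest, /^[A-Z_]+:[ \t]*/)) {   # strip tags such as NOPASSWD:
            if (substr(rest, 1, RLENGTH) ~ /^NOEXEC:/) noexec = 1
            rest = substr(rest, RLENGTH + 1)
        }
        ncmd = split(rest, cmds, /,[ \t]*/)
        for (c = 1; c <= ncmd; c++) {
            split(cmds[c], w, " ")
            base = w[1]; sub(/.*\//, "", base)
            if (w[1] == "ALL")
                print "HIGH " runas " ALL (unrestricted)"
            else if ((base in bad) && !noexec)
                print "HIGH " runas " " w[1] " (shell escape as runas user)"
            else if (base in bad)
                print "REVIEW " runas " " w[1] " (NOEXEC set, file access remains)"
        }
    }'
}

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE" | audit_sudo_rules
```

Where a user only needs to edit one file, a `sudoedit` rule for that file avoids running the editor itself as root.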

Finally, the machine has been pwned and we have all the flags!!

Happy H@k!ng!!

Thank You!!
