TryHackMe’s SimpleCTF is one of the first beginner-friendly CTFs one will encounter right after signing up. As the name suggests, it is one of the most basic rooms, teaching the bare-minimum skills. This CTF forces the player to try every option and acts as a good enumeration coach. Some of the tools used in this write-up are OpenVPN, Gobuster, Nmap, Python, etc. Once you join the room, click on ‘Start Machine’ and you are good to go. Let's jump right in!
Disclaimer: The tools used in this tutorial are powerful. Please use them on systems you can legally tamper with. These tutorials are for educational purposes only.
Connect to TryHackMe via OpenVPN
To access any of TryHackMe’s machines you first have to use OpenVPN along with the config file to connect to TryHackMe’s network. I have covered this in a previous writeup which can be found here. The command to connect is as follows:
sudo openvpn <filename>.ovpn
The first step in hacking any machine is discovery. Here we will try and discover the various services running on the remote host.
The IP address of the remote host can be found on the CTF page after you start the machine. The most popular tool used for host/service discovery is Nmap. You can download Nmap here, though it comes preinstalled in OSs like Kali Linux and Parrot OS. We will begin scanning the host with the following command:
nmap -sV -sC <machine IP>
The -sC and -sV flags are commonly used together in Nmap: -sC runs Nmap's default scripts against the target and -sV probes each open port for the service version. The output should be as follows:
As we can see there are three services that show up: FTP, Apache Web Server, and SSH.
Enumeration is all about gathering more information about the target by either some tools or sometimes even just using the services themselves.
First on the list is FTP. We learned from the Nmap scan that Anonymous logins are allowed on this service. Let's try that.
ftp <machine IP>
ls
After logging in we can see there is a folder named pub. After moving into the folder using the cd command, we see there is a file named ‘ForMitch.txt’. The commands are as follows:
We then download the file to our machine using the get command, exit the FTP session, and use the cat command to read the contents of the text file.
get ForMitch.txt
exit
cat ForMitch.txt
The output of ForMitch.txt:
Dammit man… you’te the worst dev i’ve seen. You set the same pass for the system user, and the password is so weak… i cracked it in seconds. Gosh… what a mess!
The file might seem useless, but it gives us a few hints. Someone left a message for his coworker Mitch, who is a developer, saying the password is weak. Now we can safely assume that the password will be available in some wordlist. This is good information.
Second on the list is SSH. After using the ssh command with Mitch as the target user of the machine, we are asked for a password. We could try to brute-force the password, but that is going to take time. This seems like a dead end right now. Let’s set this lead aside for now.
Next up is the web server running on port 80. The first way to get more information is simply to open the machine’s IP in a web browser. This shows that port 80 serves a live default Apache page. This approach does not get us far.
Hence we switch techniques and use a tool named Gobuster. Gobuster is a tool used to brute-force hidden web objects on a target using a dictionary attack. You can install the tool, if it is not already installed, using the sudo apt install command. The command to use gobuster is as follows:
gobuster dir -u http://<machine IP>/ -w /usr/share/wordlists/rockyou.txt
Multiple entries should show up after letting the command run for a few minutes. The most interesting entry is /simple, with a 301 redirect. Again, the best bet is to type the machine's IP with /simple into a web browser and see what shows up.
Great, we now have a solid lead! The image says the CMS is secure, well I think Not! ;)
Common sense tells us that /admin will have a login page for making changes to the CMS. While there is a login page, it would be time-consuming to brute-force the password. Upon further investigation, we find the CMS Made Simple version, which is 2.2.8.
Now that we know the service version, we will do a quick search on ExploitDB for existing vulnerabilities and exploits. For this, we will use Searchsploit, a tool to search ExploitDB by keyword right from our attack machine's terminal. The command is as follows:
sudo searchsploit CMS Made Simple
While we did not find an exploit for the exact service version, we can explore exploits for version 2.2.x. The best bet looks like the SQL injection exploit for version 2.2.10. Let's download the exploit using the following command (the /download/ path returns the raw script rather than the HTML page):
wget https://www.exploit-db.com/download/<exploit ID> -O <exploit name>.py
When you try to run the Python script, it complains that a library named ‘termcolor’ is missing. Let's fix that by copying the module that is already installed in Python 3's dist-packages folder into the Python 2.7 library folder, which is where the interpreter running the script below looks for it, using the following command:
cp /usr/lib/python3/dist-packages/termcolor.py /usr/lib/python2.7/termcolor.py
This phase is where an attacker breaks into the system/network using various tools or methods.
Now that we have a working exploit ready let us start by running the python script by framing the command as follows:
python <exploit name>.py -u http://<machine IP>/simple/ -c -w /usr/share/wordlists/rockyou.txt
The -u flag indicates the target URL, -c stands for crack mode, and -w gives the path to the wordlist. I have used the RockYou wordlist, which comes pre-installed in Kali Linux, as it is my personal favorite. You can find it here. The hint on the CTF page suggests using the best110 wordlist. Both lists work just fine. After letting it rip for a few minutes, this is the output:
Remember that in the enumeration phase we tried SSH and didn't have the password? Well, now we have the password for Mitch's user account. We will use the password found above to SSH into the machine, specifying the exact port number. Use the following command:
ssh -p 2222 mitch@<machine IP>
After entering the password we have access to the machine!
Now that we are in the machine, we should perform some extra enumeration to gain more information.
We first check our working directory using the pwd command and list the files in the current directory using the ls command. We find the first flag by cat’ing ‘users.txt’ in the same folder. It’s usually good practice to check which commands the user is allowed to run with sudo; this can give us a lot of information. We can do this with the sudo -l command. The list of commands is as follows:
pwd
ls
cat users.txt
sudo -l
As we can see above, the Mitch user can run the vim editor with sudo. This is good! We can escalate our privileges to root by using the following command:
sudo vim -c ':!/bin/bash'
Congratulations! We have spawned a new shell and are now root.
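A defender-side check for the finding above, added here as an example (it is not code from the write-up or from TryHackMe): the function parses the output of sudo -l, here a constructed sample for the mitch user with a made-up hostname, and flags rules that grant a program known to offer a shell escape, such as vim, or that grant ALL. The list of binaries is an illustrative subset, not an exhaustive catalogue.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit "sudo -l" output for
# rules that hand out a shell-escaping program, like the vim rule on this box.
# Constructed sample "sudo -l" output (hostname and extra rules are made up).
SAMPLE_SUDO_L='Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) ALL'

# Binaries commonly allowed through sudo that can spawn an interactive shell.
# Illustrative subset only.
SHELL_ESCAPE_BINS='vim vi nano less more find awk perl python python3 bash sh'

# audit_sudo_rules: read sudo -l output on stdin, print "RISK <reason>: <rule>"
# for every rule that grants ALL or a program from SHELL_ESCAPE_BINS.
audit_sudo_rules() {
    awk -v bins="$SHELL_ESCAPE_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
        /^[[:space:]]*\(/ {
            rule = $0; sub(/^[[:space:]]+/, "", rule)
            cmd = rule; sub(/^\([^)]*\)[[:space:]]*/, "", cmd)   # drop "(runas)" part
            sub(/^[A-Z_]+:[[:space:]]*/, "", cmd)                # drop tags like NOPASSWD:
            if (cmd == "ALL") { print "RISK any command: " rule; next }
            split(cmd, parts, " "); base = parts[1]
            sub(/.*\//, "", base)                                # basename of the program
            if (base in risky) print "RISK shell escape via " base ": " rule
        }
    '
}

printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

On a real host, run sudo -l as the user being reviewed and pipe it into audit_sudo_rules; anything flagged should be replaced with a narrower rule or removed.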
We now change our directory to the root folder to find the ‘root.txt’ file as the final flag.
For our final task, we are required to find the other user as well. For this, we note that the Mitch user has read permission on /etc/passwd. We can cat the file to find other users. We see many service accounts and other unhelpful text.
To find exactly what we are looking for, we pipe the output of the cat command to grep. grep will search for lines that mention ‘home’, as only real users have a home folder. The command looks like this:
cat /etc/passwd | grep home
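A more precise version of the grep above, added here as an example (it is not code from the write-up): grep home also matches any line that merely contains the string "home", such as a service account living under /var/lib, so the function below reads passwd-format text and keeps only accounts whose home is under /home/ and whose shell is not a nologin or false shell. The sample passwd data is constructed and the usernames other than mitch are made up.

```shell
#!/bin/sh
# Added example (not from the original write-up): list human login accounts in
# passwd-format text more precisely than "grep home".
# Constructed sample passwd data (not the CTF machine's real file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
homeassistant:x:105:110::/var/lib/homeassistant:/usr/sbin/nologin
mitch:x:1001:1001::/home/mitch:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# list_login_users: read passwd-format text on stdin and print the usernames
# (field 1) whose home directory (field 6) is under /home/ and whose login
# shell (field 7) does not end in nologin or false.
list_login_users() {
    awk -F: '$6 ~ /^\/home\// && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Usage: the naive grep reports the homeassistant service account too;
# the field-aware filter reports only mitch and alice.
printf '%s\n' "$SAMPLE_PASSWD" | grep home
echo "---"
printf '%s\n' "$SAMPLE_PASSWD" | list_login_users
```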
Alright, folks! That’s about it for this tutorial; pretty straightforward with no honeypots. This machine was a good starting point for noobs. Consider following me for more of these. New articles coming soon!
Happy Hacking. Cheers!
“There are no passengers on spaceship earth. We are all crew.“