Simple CTF (tryhackme)

 I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them.




It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more.




The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144


The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser.


I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do.




The /simple directory stood out as interesting, so I navigated to it and found a CMS Made Simple page. I looked over it and found its version at the bottom.




A quick online search for CMS Made Simple 2.2.8 exploit returned a few results. After reading over the descriptions, I felt CVE-2019-9053 (an SQL Injection) would be the best to use. I therefore downloaded the Python source code from exploit database and attempted to run it. I quickly discovered that it was written in Python2. I prefer to use Python3, so I edited the code with nano to turn all of the print statements into print functions. I then ran it with Python3.




The program was successful enumerating the salt, username and email but I received an error when it came to the password cracking function. The password hash was also not fully retrieved - this was to do with the TIME variable which I had left at the default of one second.




I therefore changed the TIME variable to 2 and tried again. I knew I could use hashcat to crack the hash so I didn't alter the password cracking function in the exploit (yet!) This time, with a TIME of 2 seconds, the password hash more closely resembled what I would expect for an MD5 message digest, so I fired up hashcat. The -a flag specifies the attack mode and the -m flag specifies the hashing algorithm to use. -m 20 uses MD5 but with the salt placed in front of the password hash. With the syntax of hashcat, we still need to put the password hash before the salt even when using -m 20. The salt is separated from the hash using :




Hashcat soon cracked the hash:



I could now try the username of mitch with the password ****** to log in to the remaining port (2222) using SSH. This worked. The first thing I did was spawn a better shell using python3 -c 'import pty;pty.spawn("/bin/bash");' The user flag was found in the home folder of mitch.




I now needed to escalate my privileges, so I looked for a quick win using sudo -l This showed me that mitch could run vim as sudo without needing to provide a password - oh happy days! A trip to GTFOBins was in order. The supplied command worked a charm and I was able to get a root shell and therefore find the root flag in the root directory.




The earlier problem I encountered when trying to crack the password using the downloaded exploit still annoyed me, though, so I went back to the code and changed it so it would work with Python3 properly. If you would like to do the same, you will need to rewrite the crack_password function. I have included comments in my code to try to explain what it does.


  


The program should now work using Python3...




Popular posts from this blog

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more