#4. TryHackMe Series writeups-Simple CTF

Cyb3r M!nds
4 min read · Oct 27, 2023


Hey 👋, welcome back to the series. It is time to solve another challenge: “Simple CTF”.

This challenge is a beginner-level CTF, where we will use the same kind of approach as we did in #1. TryHackMe Series. Simple CTF is a beginner-level CTF on TryHackMe that demonstrates a few of the abilities required for all CTFs, including scanning and enumeration, research, exploitation, and privilege escalation.

Basic steps which we always have to follow if we have a target <IP>.

  • Network Scanning → Tool → Nmap
  • Enumeration → Tools → Directory Listing (gobuster, dirsearch, dirb)
  • Exploitation → Tools → Searchsploit (offline search) or exploit-db

Note: Exploitation step can vary based on the services.

Let’s start the room with an Nmap scan, which we perform in every room.

Commands: nmap -sV -sC <IP>

After executing the command, we can see the open ports and services running. Here, 3 ports are open i.e. FTP, HTTP and SSH.

Also, the Nmap output shows that FTP allows anonymous login. Next, since an HTTP service is running on the machine, we browse to the IP address and find the default Ubuntu HTTP “It works” page. Further, we will perform directory listing to find the hidden endpoints.

Commands: dirb <URL>

Try accessing /robots.txt, but there is nothing juicy there. We were able to find that there is a webpage at “/simple”. Let’s try browsing to it now and see what we find.

Let’s see if there is anything online about this particular version by simply going to Google and searching “CMS Made Simple 2.2.8 exploit”.

Command: searchsploit cms made simple

Download the exploit i.e. 46635.py

Command: searchsploit -m 46635

Command: python 46635.py -u http://<IP>/simple/ --crack -w /usr/share/wordlists/rockyou.txt

Wow!! We got a SyntaxError; try to follow the steps shown in the screenshot below.

Forgot to take the command screenshot.

Command: python2 -m pip install termcolor

We must install the required libraries before executing the exploit. After executing the exploit, I found the hash of the password and the salt.

Now, we will use the Hashcat tool for cracking the password.

Command: hashcat -O -a 0 -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt

Finally, we found the password: secret. Then we can log in via SSH with the password we found.

Here is the flag; simply use cat to view it!

It’s time to escalate our privilege to root.

We can check which commands the current user is allowed to run with sudo using the following command.

Command: sudo -l

Now we know that this user (mitch) can run vim as root.

Look up vim on GTFOBins and run the command below.

Command: sudo vim -c ':!/bin/sh'

Well, we are root now!
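
From the defender's side, the finding here is a sudoers rule that gives an unprivileged user a shell-capable editor as root. The following is an added example, not part of the original writeup: it parses `sudo -l` output and flags such rules. The sample outputs, the `SHELL_CAPABLE` list and the function name `audit_sudo_l` are constructed for illustration.

```python
import re

# Assumed, non-exhaustive list of programs that can run a shell or arbitrary
# commands from inside themselves (GTFOBins documents many more).
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "ruby", "bash", "sh"}

# A rule line in `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(output):
    """Return (command, nopasswd, reason) for rules that can yield a root shell."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or Defaults line, not a rule
        runas, tags, cmds = m.groups()
        targets = {t.strip() for t in re.split(r"[,:]", runas)}
        if not targets & {"root", "ALL"}:
            continue  # rule does not grant root
        nopasswd = "NOPASSWD:" in tags
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((cmd, nopasswd, "unrestricted sudo"))
            elif binary in SHELL_CAPABLE:
                findings.append((cmd, nopasswd, binary + " can spawn a shell"))
    return findings

# Constructed sample output: the weak rule described above ...
SAMPLE_WEAK = """User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
"""
# ... and a corrected rule: sudoedit edits one named file with the editor
# running as the invoking user, so an editor shell escape is not root.
SAMPLE_FIXED = """User mitch may run the following commands on Machine:
    (root) sudoedit /etc/motd
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit_sudo_l(sample))
```

Running the same check across a fleet's sudoers rules surfaces this class of misconfiguration before an attacker with a low-privilege foothold finds it.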

Hurrah!! This SimpleCTF is now over.

I appreciate you taking the time to read. For other such writeups do visit the TryHackMe Series writeups.

If you found it useful, please click the button 👏and share it with others who have similar interests! + Feedback is always appreciated!!😊
