Listed as "A Beginner Level CTF". Let's do it.
Start with enumeration:
2 ports are under port 1000
SSH is running on the higher port
Using exploit-db.com we seach all those services for exploits and only find some non-verified username exploits. We open the website to see it's an unconfigured apache server. Let's run gobuster on it and see if there's any folders.
Looks like there is a site at /simple. If we scroll to the bottom of the page we can see that it's using CMS Made Simple version 2.2.8.
If we go back to exploit-db.com and now search for this we see there's a SQL Injection CVE for this software title if it falls below the 2.2.10 version, which ours does.
Clicking on this like we can see there's a known CVE
The answer is CVE-2019-9053
This is a SQL Injection attack, short-formed to sqli
The aswer is sqli
Okay, let's dig into a foothold. This is a python script so we'll visit the link on the exploit-db.com page to view the raw version so we can copy and paste this into a new script file.
From looking at the script there's a few variables but we'll just run it to see what happens. Right away, it looks like there's some old python syntax in there that's not going to work for us.
I've made a copy of the original and modified all the print statements to be quotes inside brackets (print("text"))as well as removing any colored statements from other print commands.
python new-cve-2019-9053.py -u http://10.10.233.190/simple --crack -w /usr/share/wordlists/rockyou.txt
It was still giving me errors with encoding but thanks to deltreey for sharing this thread on how to fix it. Another note here was that the file needs to be encoded as UTF-8 or ASCII for this to work. The rockyou.txt file I had wasn't encoded properly and it didn't work. Using another wfuzz common.txt ascii password list did. Here's what I did to fix:
This let the script run and gave us the username, email and password.
BTW, you could have also got the answer using BurpSuite by doing a login page brute force with intruder - although it takes a LONG while.
The answer is secret
Ok, let's try these creds on the FTP and SSH ports and see which one takes it. It looks like FTP is a bust but SSH let us in on that 2222 port.
The answer is SSH
In fact, the output of that text file is the answer to the next question too!
The answer is G00d j0b, keep up!
Then we can pop up a level and get the next answer
The answer is sunbath
Okay so now we need to escalate privileges - I always suck at this. first things first, let's see what I have sudo privileges I have. ...umm okay, I don't mean to make assumptions but this looks like it might be easy. Vim has sudo privileges so hopefully I'll be able to shell escape with it.
if you've never done this before, it's super slick. You run sudo vim to open the app then type ":" to open the escape console. Then we just tell it to open a shell again - but this time, because we're running the app as sudo, it opens the shell as the privileged user!
The answer is VIM
This gives us our shell! The we just need to get to the root folder and grab the last flag.
The answer is W3ll d0n3. You made it!
I'm actually super proud of myself on this one - although it was super easy, I didn't need as much help as I normally do!
コメント