TryHackMe — Simple CTF Walkthrough

Introduction: TryHackMe is a great platform for learning cybersecurity through many different challenge-based rooms. Simple CTF is a capture-the-flag room that demonstrates enumeration, exploitation, and privilege escalation. It is a free room on the TryHackMe platform that you can check out here: https://tryhackme.com/room/easyctf

Getting Connected: TryHackMe offers several ways to connect to its rooms. You can use the AttackBox if you are a subscriber, or head over to Access from your profile and download the VPN configuration file. From a Kali Linux box the command is "sudo openvpn --config configurationfile.ovpn".

Enumeration: We must enumerate the box to understand which services are running, discover possible exploits, and answer the questions on TryHackMe. Start by running an Nmap scan. There are many flags and options, but I usually run it like this:

nmap -T4 -A -p- 10.10.X.X > nmapscan.txt

I redirected the output to a text file so I can come back to it later (Nmap's own -oN flag does the same while still showing the results on the terminal). Here are the results:

We have three services to review here, but I usually start with HTTP when it is present. The scan already gives us the answers to the first two questions on TryHackMe.
  1. How many services are running under port 1000? Answer: 2
  2. What is running on the higher port? Answer: ssh
Enumerating HTTP: My first step was to visit the HTTP page in Firefox; while there, I also checked Wappalyzer for version details. The default Apache2 page is shown, and Wappalyzer identifies Apache 2.4.18 running on Ubuntu.

Looking for more information, I right-clicked the page and chose View Page Source, but nothing of interest was there. The next step is to enumerate the site's paths to see whether anything is running here that might be exploitable. There are many tools for this (dirb, DirBuster, gobuster and ffuf); in this case I went with the GUI tool DirBuster. Here are the settings I used:

As the results start coming in for many different directories, the first one that stands out is /simple.

Navigating to /simple, we see that the site is powered by CMS Made Simple, specifically version 2.2.8, and Wappalyzer reports the same details.

With this much version disclosure we can start researching exploits, beginning with a search for CMS Made Simple 2.2.8. The first result is an SQL injection, CVE-2019-9053, which answers the next two questions: What's the CVE you're using against the application? And what kind of vulnerability is the application vulnerable to? The same exploit also appears when searching Searchsploit for CMS Made Simple 2.2. Other exploits exist, but they are authenticated, and at this point we have no credentials.

I copied the SQLi exploit into my working directory:

└─$ sudo cp /usr/share/exploitdb/exploits/php/webapps/46635.py sqli.py

Running the exploit with "./sqli.py" and no arguments prints the usage: the target URL goes after -u and a wordlist after -w. With the crack option enabled, the script brute-forces the recovered hash against the wordlist and returns the password rather than just the hash. In my case I had it crack the hash using the rockyou.txt wordlist from my /usr/share/wordlists directory.

I had difficulty getting this exploit to work and returned to it in my next study session. I tried a few things to troubleshoot this script:

  • Downloading a newer one from Github.
  • Trying a python3 version.
  • Trying different wordlists to crack the password.

I kept running into an issue where the script would give up and output garbage. It seemed to be running out of time, so I reviewed the Python script and found a time variable. This makes sense once you know how the exploit works: CVE-2019-9053 is a time-based blind SQL injection, so the script decides whether each guessed character is correct by checking whether the response took at least that many seconds. Over a VPN link with a second or more of jitter, a 1-second threshold misclassifies slow-but-false responses and the extracted hash comes out wrong. I first changed the value from 1 to 3 and got a little further, but ultimately changing it to 5 worked.
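To make the timing problem concrete, here is an added example that is not the exploit script and not from this walkthrough. It models a time-based blind SQL injection extraction against a simulated target and shows why a sleep threshold below the network jitter produces garbage while a larger one recovers the value. The SECRET string, the SimulatedTarget class and its jitter model, and the calibrate/extract helper names are all assumptions made for the demonstration; nothing here sends network traffic or really sleeps.

```python
import math
import random

# Constructed value the simulated target holds; it stands in for the
# password hash the real exploit extracts and is not from the walkthrough.
SECRET = "8bd3f3f1a5d6e9c2"


class SimulatedTarget:
    """Hypothetical stand-in for a time-based blind SQL injection endpoint.

    In a time-based blind SQLi the injected query only delays the response
    when a guessed condition is true, e.g.
        ... AND IF(ASCII(SUBSTRING(password,1,1)) > 100, SLEEP(T), 0)
    The attacker never sees query output; the only signal is whether the
    round trip took at least T seconds. Here nothing really sleeps: the
    elapsed time is computed, and uniform jitter up to `jitter_max` seconds
    is added to model a VPN link with variable latency.
    """

    def __init__(self, secret, jitter_max, seed=0):
        self.secret = secret
        self.jitter_max = jitter_max
        self.rng = random.Random(seed)  # seeded so runs are reproducible
        self.requests = 0

    def query(self, position, threshold, sleep_seconds):
        """Simulated elapsed time for the condition ord(secret[position]) > threshold."""
        self.requests += 1
        condition_true = ord(self.secret[position]) > threshold
        base = sleep_seconds if condition_true else 0.0
        return base + self.rng.uniform(0, self.jitter_max)


def calibrate(target, samples=8):
    """Pick a sleep threshold from baseline round trips.

    Sends requests whose condition is known to be false (no ASCII character
    is > 127), so every measured delay is pure network latency, then returns
    twice the worst observed latency plus one second of headroom.
    """
    baseline = [target.query(0, 127, 0.0) for _ in range(samples)]
    return math.ceil(2 * max(baseline)) + 1


def extract_char(target, position, sleep_seconds):
    """Binary-search one character's ASCII value using timing as the oracle."""
    low, high = 0, 127
    while low < high:
        mid = (low + high) // 2
        elapsed = target.query(position, mid, sleep_seconds)
        # This comparison is the whole oracle: a slow response is read as
        # "condition true". If jitter alone can exceed sleep_seconds, a
        # false condition is misread and the search walks off to a wrong
        # character, which is exactly how a too-small TIME yields garbage.
        if elapsed >= sleep_seconds:
            low = mid + 1      # secret char > mid
        else:
            high = mid         # secret char <= mid
    return chr(low)


def extract(target, length, sleep_seconds):
    """Recover `length` characters of the secret, one binary search each."""
    return "".join(extract_char(target, i, sleep_seconds) for i in range(length))


if __name__ == "__main__":
    for sleep in (1, 5):
        t = SimulatedTarget(SECRET, jitter_max=2.0)
        got = extract(t, len(SECRET), sleep)
        print(f"TIME={sleep}s, jitter<=2s: {got!r} correct={got == SECRET} "
              f"requests={t.requests}")
    t = SimulatedTarget(SECRET, jitter_max=2.0)
    chosen = calibrate(t)
    print(f"calibrated TIME={chosen}s: correct={extract(t, len(SECRET), chosen) == SECRET}")
```

In the real script the threshold is the TIME constant; the practical check before running any time-based exploit over a VPN is to measure a few baseline round trips first and set the threshold comfortably above the worst of them, rather than trying 1, 3 and 5 until the output looks plausible. The cost is linear in the threshold, since every character needs seven requests and each true comparison waits the full sleep.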

Here are the results:

Having a valid set of credentials allows us to connect via SSH on port 2222. After connecting I was able to quickly capture the user flag, as seen below.

The next question on TryHackMe can now be answered by listing the other users' directories under /home.

Privilege Escalation:

The first step was to check the bash history for leaked credentials. Running cat .bash_history only showed the commands used to create the user flag we had already captured.

Next I checked which sudo privileges the user has (sudo -l). It looks like we can run vim with sudo.

The best resource for abusing sudo privileges is GTFOBins:

vim | GTFOBins — https://gtfobins.github.io/gtfobins/vim/#sudo

From there I copied the command shown below. It runs vim under sudo and uses vim's shell escape (:!) to spawn a shell from the root-owned vim process, which gives us a root shell.

After changing to /root we were able to read the root flag and finish the room. Congrats!