You can access the room here.
A not-so-simple solution
This easy room has 10 tasks that need to be answered:
- How many services are running under port 1000?
- What is running on the higher port?
- What’s the CVE you’re using against the application?
- To what kind of vulnerability is the application vulnerable?
- What’s the password?
- Where can you login with the details obtained?
- What’s the user flag?
- Is there any other user in the home directory? What’s its name?
- What can you leverage to spawn a privileged shell?
- What’s the root flag?
This is a good room for beginners since it walks you through the steps of the solution without actually spoiling it.
How many services are running under port 1000?
This is an easy one, after connecting to the environment let’s run Nmap.
nmap 10.10.12.34If you run the command like this it will be easy to give an answer 😀 . Let’s move on to the next one.
What is running on the higher port?
This one is easy to guess because this particular service is usually placed on ports that end with 22. It is alright if this hint is not enough, in that case just run Nmap with some specified arguments.
nmap -sV 10.10.12.34This will try and enumerate the services on each port.
What’s the CVE you’re using against the application?
Now this one confused the hell out of me since there are multiple services there with CVE vulnerabilities but the correct one is a service running on the web app.
First of all run dirsearch.
As we can see there is a directory called /simple/, go and see what it contains.
If you look around the page there will be a version number cms made simple 2.2.8. If you google this with the added phrase vulnerability you will find the exact CVE you are looking for. This will also contain the answer to the next question which is what kind of vulnerability is it.
What’s the password?
Now this one is a bit trickier but it is also easy to solve. So the problem is that the first hit for an exploit is probably Exploit-DB but the exploit there is written in python 2. There are some ways to fix this but the easiest one is to use this version that was ported to python 3.
To get the password run the following command:
python3 exploit.py -u http://10.10.12.34/simple/ --crack -w /usr/share/wordlists/rockyou.txtWhere the -w parameter contains the path to the wordlist you would like to use.
After a while, we will see that the exploit worked and got us the following information.
The value of the Password cracked field is the answer.
Where can you login with the details obtained?
We can use the service available at port 2222 to try and log in.
ssh mitch@10.10.12.34 -p2222What’s the user flag?
Since logging in leaves us in the directory where the user.txt is located we can easily read its content.
Is there any other user in the home directory? What’s its name?
It is a pretty easy solution we just need to look up what is in the /home directory.
cd /home && ls
What can you leverage to spawn a privileged shell?
This one also might not be the clearest part but before overcomplicating things let’s just do what a pentester should and see what commands we can run with sudo.
This tool is going to be our way to the root flag.
What’s the root flag?
Now this one I overcomplicated 😀 . I went to the FTP server, pulled the ForMitch.txt file and realised it only contained information that I already knew.
So the correct way of getting the root flag is going to GTFOBins and search for the tool we want to use to exploit the machine. Here the first command is the one that will give us a root shell so enter it to the command line.
sudo vim -c ':!/bin/sh'
Now we should switch to the /root directory and read the contents of the root.txt.
Congrats, you solved the challenge!
Thank you for following along! If you like my content you can check out more of my posts and write-ups here.
Thank you for reading!
Sincerely,
B4D4M.
Leave a Reply
You must be logged in to post a comment.