TryHackMe Simple CTF Official Walkthrough

Captions
Hey everyone, welcome back to another video here on DarkSec. I am DarkStar, and today we're going to be taking a look at the room Simple CTF on TryHackMe. This is a beginner-level CTF that covers the basics of being able to research CVEs and exploit them with things that we find on Exploit-DB. That being said, let's go ahead and dive right in.

So I've gone ahead and deployed the machine and the AttackBox, and I've also gotten a head start on enumeration. So: deploy the machine, attempt the questions. It looks like our first question here is how many services are running under port 1000. In this case I've gone ahead and already run nmap with the aggressive flag, and we can see that we have port 21 FTP open with anonymous access enabled, then we have port 80 with HTTP, and then, interestingly, we have SSH running on a really high port, 2222, which is not the normal port for it, of course. How many services are running under port 1000? That is going to be two. What is running on the higher port? I would assume that's SSH in this case. And then, what CVE are you using against the application? It looks like we need to dive in and do some further enumeration.

Let's first go into this FTP. Since anonymous access is allowed, we can go ahead and do that over here with ftp 10... let me scroll up to be able to see my IP: 10.10.29.122. We're going to log in as anonymous and see what we've got. So it looks like we have a public directory, cd pub, that's owned by ftp, and we have a ForMitch.txt. We can go ahead and get *, and we'll grab ForMitch, type bye to close out of FTP, and we can go and take a look at that file: "the worst dev I've ever seen, you set the same pass for the system user and the password is weak, I cracked it in seconds, gosh what a mess". So it looks like we are seeing that the password for some sort of application is the same as this user Mitch's password, which is not good. You don't want to have your password reused between different applications. So we can keep that in mind: we know that we have a user likely named mitch and we know that we have a weak password at play. Definitely it's not something that you want to leave on an FTP share.

Let's go ahead. We saw that we had an application running on port 80, so let's pull up Firefox and see what we've got, and in this case we can see that there's an Apache2 default page, which is interesting. This is indicative of an immature dev leaving this around. Let's see if there's anything in the robots.txt file that would indicate anything further. It looks like we have an openemr, which I'm not entirely sure what that is. Let's go ahead and go back to our terminal, so I'll minimize this and we'll try gobuster against this application. So I'm going to go ahead and run gobuster here with dir, and then my wordlist is going to be /usr/share/wordlists... go, I think it's dirbuster. Let's see what we've got in here: directory-list, let's try small. Oh, URL, I should probably specify what I'm attacking: http://10.10.29.122. "Temporarily unable to connect", did I typo that there? I'm gonna go ahead and pause this for just a moment; when we're back I'll go ahead and pull up the results from gobuster. Okay, so as it turns out I had the URL flag typed incorrectly, it's -u, and there we go, right away we can see that we get a directory called simple. So we pull back up Firefox and go to 10.10.29.122/simple.

Let's see what we get. It looks like we have CMS Made Simple. Whenever you see a CMS, think that there's probably a vulnerability. CMSes are very, very common to see on Exploit-DB, just because a lot of these are whipped up and thrown onto GitHub without any security testing done, and as a result people will research them on GitHub and get zero-days off of them and find CVEs, just as part of CVE research. And it looks like we have our version down here as well, so we have CMS Made Simple version 2.2.8. Let's go ahead and go over to Exploit-DB, and I'll just accept this, this is just Google freaking out. We'll pull up Exploit-DB; you can also do this with searchsploit, I'm just showing it with Exploit-DB because it's easier. CMS Made Simple, let's see if we find anything fun. Okay, CMS Made Simple, so we had version 2.2.8, and it looks like we're already seeing vulnerabilities for another, later application, so that's interesting. That likely means that we are facing a heavily outdated application. Let's go ahead and see what we've got. So we have SQL injection for anything less than 2.2.10; it's likely what we're facing, and we can go ahead and take a look at this in just a second. Let's see what we've got: so CVE-2019-9053, that's likely something that we want to return to. It's not verified, so it might not work; this little check mark means that these exploits have been verified. You can scroll through this just a little bit more; it looks like we have 32 entries total, so we have quite a large attack surface, or quite a large number of exploits that might work against this. I'll go ahead and pause this for just a moment, I'm going to grab the CVE that specifically we need, double-check my notes... we were correct with this one. So we can see that because the application is running at a lower version than 2.2.10, it's likely going to be the SQL injection that we are running against it. We need, for the question, the CVE number: that is going to be CVE-2019-9053. I'll go and try that now, 2019-9053, there we go.

What kind of vulnerability is the application... what kind of vulnerability is this? It's gonna be SQLi, short for SQL injection, and it looks like we can get the password using this. So let's go ahead, we can grab this number, actually here we'll just download it, make it easier. You can grab that number and use it in searchsploit. In this specific case I'm going to go ahead and just pull this down now because it'll save in the root home directory, and now we can go ahead and minimize that, so we'll close, or clear, that screen. ls, we can see that we've got our 46635.py. Try running that with, I'm going to guess, Python 2. It looks like it is going to be Python 3. "Please specify a URL target": it looks like we need to just specify the target that we are going to be running this against, so we'll give it just a moment. Let's try -u and then http://, let's see, 10.10.29, I think 122. Let me double-check that. And then, wait a minute, we need to do /simple because that is the directory that we're running that in. It looks like we are missing something here; let me go ahead and pause this, I'll fix this real quick.

All right, so after playing around with it just a little bit, I did find that this is running in Python 2; however, we're missing some modules. If you're running this on the free AttackBox you might have trouble getting this installed. I do recommend doing this on your own Kali Linux box in this specific case, the reason being that the free AttackBox does not have internet access and you will need that to install these modules. So I'm doing that: the first thing that I had to do was run python2 -m pip install requests. I've gone ahead and already done that. Running this again, it looks like we're missing a module called termcolor, so we can run that right now, and it looks like it grabbed it successfully. Let's try this again, and it looks like the exploit is running, so we'll go ahead and let this keep going. It should find our username and then some additional information, and I'll go ahead and let this continue running; this shouldn't take too, too long. And there we go, we can see that we found the salt for the password, and now it's going to start looking for the username specifically. And there we go, we can see that it found mitch, so sure enough we did see that that username was repeated from elsewhere in the system, specifically within that note in FTP. Looks like we have admin@... I would assume that we're looking for the administrator email, or at least the email for that user, so admin@admin, and I'm guessing that's .com, very creative email. There we go. So now we're looking, finally, for the password hash itself. So since we have the salt, and then we'll have the password hash, we should be able to check that into hashcat and start cracking away at it, and since we did see that there was a note in the system that the password cracked very quickly, we should be able to get that pretty quickly on our end, even with the AttackBox having somewhat limited resources for cracking.

While that's running I'm going to go ahead and pull up a new tab so that we can start our hashcat command. That's going to be hashcat -O -a 0 and then we want -m 10 because we're going to be running this specifically against an MD5 hash in this case. So we'll give it just a second here, and it looks like sure enough we did find the password. Now for this specific mode that we're running hashcat in, we do need to grab the password and then we'll put a colon and then the password hash, so we can grab that right here, copy that in, and then we can start cracking away. And you can see one of the after-effects of termcolor here: sometimes running Python will change the color of your terminal permanently. I can't remember if this was green before; sometimes that happens. So we'll go ahead and let this run. I will pause the recording; once we're back I will go ahead and have the results back up.

All right, I was silly. Real quick, we need one more thing here at the end: we need to specify our wordlist, and in this case I'm going to go ahead and use rockyou. All right, this should be pretty quick, so it's going to go ahead and build a dictionary. Before that it was going to try to brute-force it, and even though brute-forcing would be pretty quick on this, we still want to go ahead and make it as fast as possible. So we'll give it just a second, we're going to try that. Looks like... did it work? Nope, it exhausted it, so we might need to flip the mode around. So we'll go ahead and try the other format for this, which is going to be a mode of 20, where we have the password hash there... we'll go ahead and just type a new one, with the password salt at the front rather than at the end of the password. So we can go ahead and do that with -o, or capital -O, -a 0 -m 20, and then we're going to go ahead and flip that around. So we can grab that over here again; we'll just try the same format for the actual password to see if hashcat likes it this way. Sometimes this can just be a game of playing around in hashcat until we see something come back out, and we know specifically, by the note on the system, that this is likely the correct way to go, and, well, the task itself is asking for the password. So we can go /usr/share/wordlists/rockyou, and there we go, this should be pretty quick. We'll give it just a moment and we should have the password here in just a second. rockyou is not very long compared to some other wordlists; it is fairly long overall, and, I guess, for sheer word count. There we go, now we can see that this successfully cracked, and it looks like it is going to be lovers one, maybe... oh, one two three four five six, maybe we're looking at the wrong one, hold on. Oh, it's secret, duh, I'm looking at the wrong thing, it's right up here. I always do this on cat output. It is secret. There we go.

Where can you log in with the details obtained? So we know the password is secret, we know the username is mitch. Let's go ahead and try ssh mitch@10.10.29.122. Let's see if I typed that correctly, 29.122. Here, I'll pause this, we'll be right back. You know, it helps if I specify that this is not running on a standard port. I believe, hold on, we're going to do ssh -h, I think it's capital P, nope, lowercase p, -p 2222, nope, one more 2, there we go. And we'll type yes, and then it is going to be secret for that password. Okay, now we can go and type whoami, we can see that we have mitch. ls, cat user.txt, we can go ahead and... never mind, I'm going to spawn myself bash because that was an awful shell. There we go, cat user.txt, there we go. So it's gonna be SSH for that service, albeit a non-standard one, and we can copy out this flag, we can grab that right here, there we go.

And then, is there any other user in the home directory, what is its name? Let's do ls /home, and it looks like we have a user sunbath. What can you leverage to spawn a privileged shell? So one of the first things that I like to do when I'm attempting a privilege escalation is I will take a look, especially if I have the user's password, to see if I can run anything with sudo. So we can try sudo -l, and it looks like we don't even need the user password, so we can run /usr/bin/vim without a password. So we can go ahead and type that in here for that answer, and since we can run that without a password, we're going to go ahead and pivot over to one of my favorite resources on the web, GTFOBins. GTFOBins is a way that... it consists of a list of different ways that we can use binaries that we would have elevated access to run, so for example we can see if we have an SUID binary or sudo and so on and so forth here, and we can actually sort up here at the top. We're gonna be grabbing specifically the vim escape sequence. There we go, so we want sudo, and we can do that, just copy this over. I don't know what that was, hold on, let's grab this over here and then paste it in, type whoami, and there we go, we can see that we've spawned a root shell. If we cd to /root we should be able to grab root.txt; we'll copy that out, and there you go.

You can see just how easy it is that if you have sudo rules that are not properly locked down, you can just abuse them to easily escalate to root permissions, and that's one of the reasons why, especially when you're performing a pentest, you should always audit these sudo rules. Otherwise, that is going to do it for the room Simple CTF. If you have any questions, as always, I will have the TryHackMe Discord as well as the subreddit linked in the video description below. I also will have the DarkSec Discord linked if you want to join my community. Otherwise, if you enjoy this content, please subscribe to me on YouTube, follow me on Twitter, and until next time, happy hacking.
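The video ends on the point that sudo rules should be audited. As an added example (not from the video or from TryHackMe), here is a small Python check that parses sudoers-style rules and flags grants like mitch's NOPASSWD vim, which GTFOBins documents as a shell escape; the sample sudoers text and the list of escape-capable binaries are constructed for illustration.

```python
import os
import re

# Constructed subset of binaries GTFOBins documents as able to break out to a
# shell when run under sudo (vim is the one abused in the video).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "find", "awk", "python", "perl"}

# One sudoers rule:  user  host=(runas) [TAG:] cmd1, cmd2, ...
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_rule(line):
    """Parse one sudoers line; return None for blanks, comments and Defaults."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
    if not m:
        return None
    return {
        "user": m.group("user"),
        "runas": (m.group("runas") or "root").split(":")[0],   # "(ALL:ALL)" -> "ALL"
        "tags": {t.rstrip(":") for t in m.group("tags").split()},
        "cmds": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
    }

def audit_sudoers(text):
    """Return (user, command, reasons) for non-root rules that can yield a root shell."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["user"] == "root" or rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["cmds"]:
            binary = os.path.basename(cmd.split()[0])   # "/usr/bin/vim" -> "vim"
            reasons = []
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                reasons.append("shell escape possible")
            if "NOPASSWD" in rule["tags"]:
                reasons.append("no password required")
            if reasons:
                findings.append((rule["user"], cmd, reasons))
    return findings

# Constructed sample; the mitch line mirrors the grant `sudo -l` showed in the video.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
deploy  ALL=(root) /usr/bin/systemctl restart nginx
"""
```

Running audit_sudoers over a real /etc/sudoers (and /etc/sudoers.d/*) will list the rules to tighten; the systemctl line shows a narrow grant that passes.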
Info
Channel: DarkSec
Views: 40,144
Keywords: infosec, tryhackme, box, hacking, learn, darkstar, darksec, educational, darkstar7471, try, hack, me
Id: mItfrdyE1U4
Length: 17min 58sec (1078 seconds)
Published: Fri Apr 02 2021