TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs. Whether you are an expert or beginner, learn through a virtual room structure to understand theoretical and practical security elements.
Simple CTF is an easy CTF on TryHackMe for beginners to explore.
You have to first sign up to join the room. There are a few simple steps that you can follow on the Signup page. Next, follow the steps in the Welcome room to configure the VPN connectivity.
I have connected to the TryHackMe network using OpenVPN on Kali Linux. Once you connect, the access page will confirm the status by showing your IP address and connection status.
Once you have deployed the machine, you will get its IP address.
The machine's IP address and the time remaining are both displayed. If you are unable to capture the flags within 1 hour, you may add 1 more hour.
We shall start enumeration using nmap. The -sV option gives us the open ports, the services running on them and their versions.
From the nmap scan results, we can answer a couple of questions on TryHackMe.
nmap also revealed that port 80 is open and an Apache service is running, so we can explore it by browsing to the IP.
We could see the default page of the Apache web server. Let us enumerate further using gobuster and try to find directories under the server.
gobuster revealed robots.txt and a page called /simple. Let us take a peek into those pages as well.
We could see some data in robots.txt, and from the /simple page we could see that a CMS is hosted there. Let us scroll and see what else is there.
There is a link for the login page. Let us follow that link and see what is there.
We don't have credentials as of now, so let us do a Google search and try to find out more about the application hosted on this machine.
I could find this exploit related to the CMS Made Simple application on exploit-db. Download the Python script from the exploit-db.
With the information we have collected so far we can answer a couple more questions on TryHackMe.
The answers are correct, and we can see a hint on TryHackMe. It looks like we have to use this wordlist along with the script downloaded from exploit-db.
Running python 44635.py without arguments tells us what inputs we have to provide to the script to exploit.
It takes the URL and the wordlist as input to exploit.
The script found the password salt, username and email. For some reason, it was unable to open the wordlist, so I decided to run Hydra to brute-force the password.
The username is mitch and the password is secret.
Let us now try logging in to the machine using the ssh service. Note that the ssh service is running on port 2222.
We were able to log in successfully. We can answer a couple more questions on TryHackMe.
Let us look for the flag.
The flag was saved in the user's home directory, in a file named user.txt.
We can answer another question.
To find the other flag, referred to as the root flag, we have to navigate to root's home directory. User mitch has no permission to enter /root, so we have to try privilege escalation now.
The command sudo -l revealed that mitch can run vim with root privileges without a password. There are plenty of privilege escalation techniques for this on the internet; let us find one.
sudo vim -c ':!/bin/sh' gave us the root prompt.
Source: https://gtfobins.github.io/gtfobins/vim/
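As an added defender-side example (not part of the original write-up), the script below audits the output of sudo -l for rules that let a user run, as root, a binary with a known shell escape such as vim, which is exactly the misconfiguration found above. The sample output is constructed to mirror the write-up's finding, and the binary list is an illustrative subset of the GTFOBins entries, not a complete one.

```python
import re

# Constructed sample of `sudo -l` output, modelled on the finding in the
# write-up (mitch may run vim as root without a password). Not real host output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/ls /root, /bin/cat /etc/motd
"""

# Binaries that can spawn an interactive shell from inside themselves
# (see their GTFOBins pages); an illustrative subset, not a complete list.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "man", "awk", "find", "python", "perl"}

# One sudoers rule as printed by `sudo -l`: "(runas) [TAG: ...] command[, command]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def audit_sudo_l(text):
    """Return (runas, command, reason) tuples for risky rules in `sudo -l` output.

    A rule is reported when it runs as root (or ALL) and the command's binary
    is one known to offer a shell escape; whether NOPASSWD applies is noted,
    since that removes the last prompt standing between the user and root.
    """
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root : root)" -> "root"
        if runas not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):           # a rule may list several commands
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                reason = f"{binary} can spawn a shell; NOPASSWD={'yes' if nopasswd else 'no'}"
                findings.append((runas, cmd, reason))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[RISK] ({runas}) {cmd}: {reason}")
```

Run it against the real output of sudo -l on a host you administer; any finding should be fixed by removing the rule or restricting it to a wrapper that cannot drop to a shell.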
Now that I have got root access, I can navigate to any directory, find the rest of the flags and answer all the questions on TryHackMe.
The root flag was in the /root directory.
I hope this write-up was informative for you. Please leave feedback. Thank you.
-Srivathsa Dhanvantri