Simple CTF Game Room Write-up


Question 1: How many services are running under port 1000?


To determine the number of services running under port 1000, we can use the nmap tool. The command to scan ports under 1000 is:

'nmap -p 1-1000 <targetIP>'

Running this command will reveal the open ports on the target machine. In this case, we find that ports 21 (FTP) and 80 (HTTP) are open.


Answer 1

2

Question 2: What is running on the higher port?


Since the question asks for the service running on a higher port, we need to scan ports under 10,000 instead of just under 1000. We can run the nmap command again with an extended range: 

'nmap -p 1-10000 <targetIP>'

This scan reveals that port 2222 is open for SSH, which is important for the next steps.

Answer 2

SSH

Now that we know there's a website being hosted, let's investigate it further.


First, let's browse to the IP address and see what we get. By accessing the webpage on port 80, we find the default Apache2 page, which doesn't provide much information.


To dig deeper into the website, we can use a tool called "gobuster" to scan the website for additional pages. The command for using gobuster is: 

'gobuster dir -u http://<targetIP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'

This command will search for hidden directories and files on the website using a medium-sized wordlist.


After running gobuster, we discover a webpage at '/simple'. Let's navigate to it and see what we find. On the "/simple" webpage, we come across a default page for something called "CMS Made Simple" and notice that it's running version 2.2.8.

Question 3: What's the CVE you're using against the application?

Question 4: To what kind of vulnerability is the application vulnerable?


To find information about the vulnerability in the CMS Made Simple version 2.2.8, we need to search online. A quick Google search for "CMS Made Simple 2.2.8 exploit" leads us to a page on Exploit-DB that matches our search. 


Answer 3

CVE-2019-9053

Answer 4

SQLi

Now armed with knowledge about the open ports, the website's technology, and a possible exploit, we proceed to examine the exploit itself. The exploit is a Python script, so we copy and paste it into a .py file on our attack box.


Question 5: What's the password?


To run the exploit script, we need to provide the target URL with the -u flag. Optionally, the --crack flag together with -w <wordlist> tells the script to crack the recovered password hash against a wordlist. After running the exploit, we obtain a username and a cracked password. The command to run the exploit is:

'python exploit.py -u http://<targetIP>/simple --crack -w /usr/share/wordlists/rockyou.txt'

Answer 5

secret

Question 6: Where can you login with the obtained details?


Now let's consider where the recovered credentials can be used, given the ports we found open. Of FTP, HTTP and SSH, the one that takes a username and password for a login shell is SSH on port 2222.

Answer 6

SSH

Question 7: What's the user flag?


Using the discovered username and password, we can now attempt to SSH into the target machine. To do this, we use the command: 

'ssh mitch@<targetIP> -p 2222'

When prompted, enter the password that was obtained earlier. After successfully logging in, execute the command 

'ls'

to see the contents of the current directory. We should find the 'user.txt' file, which contains our first flag. To read the contents of the file, use the command

'cat user.txt'

Answer 7

G00d j0b, keep up!

Question 8: Is there any other user in the home directory? What's its name?


To check for other users in the home directory, use the command

'cd ..'

to navigate up one level, and then execute

'ls'

to list the contents of the current directory. We discover a second user's directory in the home directory, which gives us that user's name.

Answer 8

sunbath

Question 9: What can you leverage to spawn a privileged shell?


Now, it's time for privilege escalation. To see what commands the current user, "mitch," can run with elevated privileges, execute 

'sudo -l'

This command will display the available commands. Among them, we find that the user can run the "vim" editor with sudo privileges.

Answer 9

vim

Question 10: What's the root flag?


Using information from GTFOBins, we find a command that allows us to escalate our privileges using vim. Execute the command

'sudo vim -c ':!/bin/sh''

After running this command, execute

'ls'

to list the contents of the current directory and find the root flag. Use the command

'cat root.txt'

to read the contents of the file.

Answer 10

W3ll d0n3. You made it!
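As an added defender's check, not part of the original write-up: the 'sudo -l' and GTFOBins steps above show how a single sudoers line such as 'NOPASSWD: /usr/bin/vim' hands out a root shell. The following Python audit parses a constructed 'sudo -l' sample modelled on the room's mitch user and flags rules that run a known shell-escape-capable binary (or ALL) as root; the binary list is an illustrative subset and an assumption, not an exhaustive one.

```python
import os
import re

# Binaries GTFOBins documents as able to spawn a shell when run via sudo.
# Assumption: an illustrative subset, not an exhaustive list.
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "nano", "less", "more", "man", "find", "awk",
    "python", "python3", "perl", "env", "bash", "sh",
}

# Constructed sample of `sudo -l` output, modelled on the room's mitch user.
SAMPLE_SUDO_L = """Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update
"""

# "(runas) TAG: TAG: command" as printed by sudo -l, one rule per line.
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(text):
    """Return (runas_user, nopasswd, command) tuples from `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("User ") and "may run the following" in stripped:
            in_rules = True  # everything after this header is a rule line
            continue
        if not in_rules or not stripped:
            continue
        m = RULE_RE.match(stripped)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()  # "(root : root)" -> root
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmd").split(","):  # one line may list several commands
            rules.append((runas_user, nopasswd, cmd.strip()))
    return rules


def risky_sudo_rules(text):
    """Flag rules that run a shell-escape-capable binary (or ALL) as root."""
    findings = []
    for runas_user, nopasswd, cmd in parse_sudo_rules(text):
        binary = os.path.basename(cmd.split()[0])  # "/usr/bin/vim /etc/hosts" -> vim
        if runas_user in ("root", "ALL") and (binary == "ALL" or binary in SHELL_ESCAPE_BINARIES):
            findings.append({"command": cmd, "binary": binary, "nopasswd": nopasswd})
    return findings
```

A flagged rule is the fix point: replace editor rules with 'sudoedit' for the specific file, or drop the rule, and run the audit on real 'sudo -l' output with `risky_sudo_rules(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)`.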


Congratulations! You have successfully completed the room. This CTF game provided a simple yet valuable learning experience by introducing us to tools like nmap and gobuster for enumeration, researching vulnerabilities, and exploiting them.