【THM】Simple CTF-Practice

本文相关的TryHackMe实验房间链接：https://tryhackme.com/room/easyctf

Difficulty: Easy

端口扫描

nmap -p- -sC -sV -T4 10.10.246.59

From our results, we can see ports 21 (FTP), 80 (HTTP), and 2222 (SSH) are open.

First, let’s just browse to the IP and see what we get

We find it is the default Apache2 page, not much more to go off of here.

gobuster dir --url http://10.10.246.59/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Using the medium wordlist we supplied, gobuster was able to find there is a webpage at “/simple”. Let’s try browsing to it now and see what we find

Here we can see this is a default page for something called “CMS Made Simple” and if we look in the bottom corner we can see it is version 2.2.8.

Let’s see if there is anything online about this particular version by simply going to Google and searching “CMS Made Simple 2.2.8 exploit”.

https://www.exploit-db.com/exploits/46635

The exploit is a python script so I copied and pasted into a .py document on my attack box.

或者

运行的时候发现少了-u这个参数

此脚本在 CMS 站点上执行 SQLi，其目标是返回其用户凭据

python 46635.py -u http://10.10.246.59/simple

python 46635.py -u http://10.10.246.59/simple --crack -w /usr/share/wordlists/rockyou.txt

不知道为什么我爆破的和wp不一样

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret

Bingo! We got a username and a cracked password returned from the exploit.

ssh

Is there any other user in the home directory? What’s its name?

answer: sunbath

提权

On to privileged escalation! First I like to start off with running “sudo -l” to see what my current user can run.

sudo -l

https://gtfobins.github.io/gtfobins/vim/