18 January 2021

Pentesting Fun Stuff

following the cyber security path…


This is one of the rooms on tryhackme.com. It is rated as easy, so this shouldn’t take too much time. But as always I really like CTF challenges, so I can’t resist this one. On TryHackMe it’s all about answering questions during the challenge.


#1 How many services are running under port 1000?

To get the answer to this question I run an nmap scan.

Looks like there are 2 services running below port 1000, namely FTP (with anonymous login enabled) and HTTP (Apache on Ubuntu).

#2 What is running on the higher port?

From the nmap scan I can see that OpenSSH is running on the higher port.
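Questions #1 and #2 are both answered by reading the scan output. The following is an added example (mine, not from the write-up) that parses nmap's greppable (-oG) output and splits the open ports at the 1000 boundary, so the same check can be repeated against a real scan file. The scan text embedded here is constructed: the ports, versions and the 2222 SSH port are placeholders, not the room's values.

```python
import re

# Constructed sample of nmap -oG output; NOT the room's real scan. Each open
# port appears as port/state/proto/owner/service/rpcinfo/version/ on one line.
SAMPLE_NMAP_OG = """# Nmap 7.91 scan initiated (constructed sample)
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 2222/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

# port / state / proto / owner(empty) / service / rpcinfo(empty) / version /
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)//([^/]*)//([^/]*)/")


def parse_open_ports(greppable):
    """Return sorted (port, proto, service, version) tuples for open ports."""
    ports = []
    for line in greppable.splitlines():
        if "Ports:" not in line:
            continue
        for m in PORT_RE.finditer(line):
            port, state, proto, service, version = m.groups()
            if state == "open":
                ports.append((int(port), proto, service, version))
    return sorted(ports)


def services_below(ports, limit=1000):
    """Services on ports strictly below `limit` (question #1)."""
    return [p for p in ports if p[0] < limit]


def services_at_or_above(ports, limit=1000):
    """Services on ports at or above `limit` (question #2)."""
    return [p for p in ports if p[0] >= limit]


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_NMAP_OG)
    low, high = services_below(ports), services_at_or_above(ports)
    print(f"{len(low)} service(s) below port 1000:")
    for port, proto, service, version in low:
        print(f"  {port}/{proto} {service} ({version})")
    print("higher port(s):")
    for port, proto, service, version in high:
        print(f"  {port}/{proto} {service} ({version})")
```

Run it against a real scan with `nmap -sV -oG scan.gnmap <target>` and `parse_open_ports(open("scan.gnmap").read())`; the version column is what tells you an FTP server allows anonymous login only if you ran the default scripts, so treat it as a hint, not a verdict.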

#3 What’s the CVE you’re using against the application?

There are several finds from the nmap scan that could lead to exploiting this machine:

  • the FTP server allows anonymous login, but it doesn’t lead to anything and can be considered a red herring;
  • on the webserver there is a robots.txt file with one disallowed entry. Unfortunately this also leads to a dead end.

When running a Dirb scan it seems there is a hidden folder named /simple/, which is running a content manager called CMS Made Simple (CMSMS). On the main page there is a version number available: 2.2.8.
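From the server side, a Dirb run and a probe of the robots.txt entry both leave a very recognisable trace in the Apache access log. The following is an added example (my code, not part of the write-up) that parses combined-format log lines, flags any client producing a burst of 404s inside a short window, and separately reports requests for paths that robots.txt disallows. The log lines and the `/private-placeholder/` path are constructed stand-ins; the room's actual disallowed entry is not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed log: one ordinary visitor (10.0.0.5) and one host (10.0.0.9)
# walking a wordlist the way Dirb does, twelve guesses in twelve seconds.
GUESSES = ["admin", "backup", "cgi-bin", "config", "db", "images",
           "include", "logs", "old", "test", "tmp", "upload"]
DISALLOWED = ["/private-placeholder/"]   # placeholder for the robots.txt entry
SAMPLE_ACCESS_LOG = "\n".join(
    ['10.0.0.5 - - [18/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
     '10.0.0.5 - - [18/Jan/2021:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
     '10.0.0.5 - - [18/Jan/2021:10:00:03 +0000] "GET /private-placeholder/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"']
    + [f'10.0.0.9 - - [18/Jan/2021:10:01:{i:02d} +0000] "GET /{g} HTTP/1.1" 404 274 "-" "Mozilla/5.0"'
       for i, g in enumerate(GUESSES)]
    + ['10.0.0.9 - - [18/Jan/2021:10:01:13 +0000] "GET /simple/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'])


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def find_bruteforcers(entries, threshold=10, window_s=60):
    """Map IP -> peak number of 404s it produced within any window_s seconds."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        left = 0
        for right in range(len(times)):          # sliding window over sorted times
            while (times[right] - times[left]).total_seconds() > window_s:
                left += 1
            count = right - left + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def disallowed_hits(entries, disallowed):
    """(ip, path) for every request that lands on a robots.txt Disallow path."""
    def under(path, prefix):
        return path == prefix or path.startswith(prefix.rstrip("/") + "/")
    return [(e["ip"], e["path"]) for e in entries
            if any(under(e["path"], p) for p in disallowed)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_ACCESS_LOG)
    for ip, peak in find_bruteforcers(entries).items():
        print(f"possible directory brute force from {ip}: {peak} 404s in 60s")
    for ip, path in disallowed_hits(entries, DISALLOWED):
        print(f"disallowed path requested by {ip}: {path}")
```

A wordlist scan usually also stands out by user agent and by the near-identical response size of the 404s, but the 404 rate is the signal that survives a changed user agent. The robots.txt check is a reminder that a Disallow line is advisory: anything listed there needs real access control, not just an entry in robots.txt.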

My best bet is that I have to exploit the SQLi vulnerability mentioned in CVE-2019-9053.

#4 To what kind of vulnerability is the application vulnerable?

From the searchsploit list I can see the application is vulnerable to SQL injection, SQLi for short (which is also the answer to this question).
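What "vulnerable to SQL injection" means in code, shown as an added example that is mine and not CMSMS's source: a lookup that splices a user-supplied id list straight into the query, next to the same lookup with the input validated and bound as parameters. The `news` table, the `idlist` parameter name and the sqlite backend are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a CMS news table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (news_id INTEGER, title TEXT, status TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, "Welcome", "published"),
        (2, "Draft post", "draft"),
        (3, "Internal memo", "draft"),
    ])
    return con


def news_vulnerable(con, idlist):
    """Published news items whose id is in `idlist` -- built by string formatting.

    Anything the caller puts in `idlist` becomes part of the SQL text, so a
    value containing a quote, a parenthesis or an OR rewrites the WHERE clause.
    That is the whole defect; the database does exactly what it is told.
    """
    sql = ("SELECT news_id, title FROM news "
           f"WHERE status = 'published' AND news_id IN ({idlist})")
    return con.execute(sql).fetchall()


def news_safe(con, idlist):
    """Same lookup, hardened: validate the shape, then bind the values."""
    try:
        ids = [int(x) for x in idlist.split(",")]   # only comma-separated integers
    except ValueError:
        return []                                   # reject, never "sanitise"
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT news_id, title FROM news "
           f"WHERE status = 'published' AND news_id IN ({placeholders})")
    # The placeholders are fixed SQL; the ids travel separately as bound values.
    return con.execute(sql, ids).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("normal:", news_vulnerable(con, "1"))
    print("injected, vulnerable:", news_vulnerable(con, "1) OR 1=1 --"))
    print("injected, hardened: ", news_safe(con, "1) OR 1=1 --"))
```

The hardened version does two independent things: the `int()` conversion limits the input to the shape the application actually needs, and the `?` placeholders make the database treat the values as data even if validation were loosened later. Either alone helps; together they close the class of bug rather than one payload.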

#5 What’s the password?

To exploit this vulnerability I can use the Python script that is available. When running the script you can encounter the following error:

This means your Kali (if you’re using Kali) is missing this Python library. To solve it you can install the library like this:

Now I can run the script without a problem.

For this script to run properly it needs a URL, the --crack option and a wordlist. In this case I use a small one.

#6 Where can you login with the details obtained?

Let’s try the remaining SSH server.

#7 What’s the user flag?

#8 Is there any other user in the home directory? What’s its name?

#9 What can you leverage to spawn a privileged shell?

There are a few things you can do first: check the kernel version, the OS version, files with the SUID bit set and the current sudo rights, before you pull in an enumeration script like LinEnum.sh. But in this case the way to elevate privileges is through sudo.

Vim can be run as root, and there is a command in Vim that lets you spawn a shell.

In Vim use the command :!sh

And I am root.
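The root cause here is a sudoers rule, not Vim. As an added example (mine, not from the write-up), the script below parses sudoers user specifications and reports rules that hand a user a shell-capable program as root, rating a rule lower when the `NOEXEC:` tag is present, since that tag blocks the editor from executing a child such as `:!sh`. The sudoers snippet is constructed; the `SHELL_CAPABLE` list is a starting point drawn from well-known shell-escape-capable binaries, not an exhaustive one.

```python
import re
from posixpath import basename

# Binaries that can run an arbitrary command from inside themselves (vim's
# :!sh, less's !, find -exec, ...). A root sudo rule for any of them is a
# root shell in disguise. Starting point only; extend for your estate.
SHELL_CAPABLE = {"vim", "vi", "vim.basic", "view", "less", "more", "man",
                 "sh", "bash", "dash", "zsh", "find", "awk", "python",
                 "python3", "perl"}

# user  host=(runas) [TAG:]... cmd [args][, cmd [args]]...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG_RE = re.compile(
    r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*)+")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Expand each sudoers user specification into one record per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m["runas"] or "root").split(":")[0] or "root"   # user part of (user:group)
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            tags = set()
            t = TAG_RE.match(spec)
            if t:
                tags = {x.rstrip(":") for x in t.group(0).split()}
                spec = spec[t.end():].strip()
            cmd, _, args = spec.partition(" ")
            rules.append({"who": m["who"], "host": m["host"], "runas": runas,
                          "tags": tags, "cmd": cmd, "args": args})
    return rules


def audit_sudoers(text):
    """Return (user, command, severity, reason) for rules that amount to a shell."""
    findings = []
    for r in parse_sudoers(text):
        if r["cmd"] == "ALL":
            findings.append((r["who"], r["cmd"], "HIGH", "unrestricted command list"))
            continue
        name = basename(r["cmd"])
        if name in SHELL_CAPABLE:
            # NOEXEC stops the program from exec()ing a child, so :!sh fails;
            # the user can still read and write files as runas, hence MEDIUM.
            sev = "MEDIUM" if "NOEXEC" in r["tags"] else "HIGH"
            findings.append((r["who"], r["cmd"], sev,
                             f"{name} can spawn a shell as {r['runas']}"))
    return findings


# Constructed sudoers snippet for the demo; not the room's file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/vim          # the pattern this room relies on
bob     ALL=(ALL) NOEXEC: /usr/bin/vim            # same rule with exec blocked
carol   ALL=(root) /usr/bin/systemctl restart apache2
dave    ALL=(ALL) sudoedit /etc/hosts             # the right way to allow editing
"""

if __name__ == "__main__":
    for who, cmd, sev, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{sev:6} {who:8} {cmd:20} {why}")
```

Run it on a real host with `audit_sudoers(open("/etc/sudoers").read())` plus each file under `/etc/sudoers.d/`. The fix for the `alice` line is the `dave` line: `sudoedit` copies the file to a temp location, runs the editor as the invoking user, and copies it back, so a shell escape from inside the editor only ever runs as that user.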

#10 What’s the root flag?

And there you have it. This was fun. Onto the next room.




