Difficulty Level: Easy
Challenge link: Getting Started
Information security is a broad field that has many specializations like:
If you are here, you have probably just started exploring these domains and have (hopefully) completed the Getting Started module on HTB Academy up to the Knowledge Check section. Congratulations on taking the first step in your infosec career. The module introduces the following foundational concepts, which you will use to complete the challenge:
Although the module does a great job of explaining how to exploit a simple web app, a real-world penetration test involves more steps, and each of them has to be documented. I recommend picking a penetration testing [framework](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies#:~:text=The%20Penetration%20Testing%20Framework%20(PTF,Discovery%20%26%20Probing)) to follow and teaching yourself how to document each stage.
Say we were using the PTES to structure our 'pen test'.
The Penetration Testing Execution Standard (PTES) divides a penetration test into seven phases. The accompanying PTES Technical Guidelines give hands-on suggestions for testing procedures and recommend security testing tools for each phase. The seven phases are:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
During the Pre-engagement phase, the penetration tester outlines the logistics of the test, expectations, legal implications, and the objectives and goals the customer would like to achieve. The tester should work with the client to fully understand any risks, the organizational culture, and the best pentesting strategy. The client may want a white-box, black-box, or gray-box penetration test. It is at this stage that the planning occurs and the goals are aligned with specific pentesting outcomes.
In our case we will be doing a gray-box test, since we already have some information about the target. The pre-engagement phase will also include gathering the tools required to perform our challenge. These are:
Open Source Intelligence (OSINT), in the simplest terms, is locating and analyzing publicly (openly) available sources of information. The key point is that this intelligence-gathering process aims to produce current and relevant information that is valuable to an attacker or a competitor. For the most part, OSINT is more than simply performing web searches across various sources.
We begin with an nmap scan of the IP address that is provided in the challenge. The results of the scan are:
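The nmap scan above is, at its simplest, a TCP connect scan (nmap's -sT): try to complete a three-way handshake with each port and treat success as "open". The following is an added example, not code from the original write-up or from nmap, showing that logic in plain Python. The listening socket on 127.0.0.1 is a constructed stand-in for a target so the demo runs offline; against a real host you would pass its IP and the ports of interest.

```python
"""TCP connect scan, the technique behind nmap -sT (added example).

Not from the original write-up or from nmap. The listener on 127.0.0.1 is a
constructed stand-in for a target so the demo runs offline.
"""
import socket
import threading


def connect_scan(host, ports, timeout=0.5):
    """Return the sorted list of ports on `host` that complete a TCP handshake.

    connect() succeeding means the port is open; an immediate refusal means
    closed; a timeout usually means a firewall is dropping the SYN (nmap would
    report that as filtered). Only open ports are returned.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
                continue
            open_ports.append(port)
    return sorted(open_ports)


def start_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an OS-chosen port; this is the constructed target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.1)  # lets the accept loop notice when the socket is closed
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:  # raised once srv has been closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def demo_scan():
    """Scan a small window of ports around the listener; returns (listener_port, open_ports)."""
    srv, port = start_listener()
    try:
        found = connect_scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    listening, found = demo_scan()
    print(f"listener on {listening}; connect scan reports open: {found}")
```

A connect scan is noisy (every probe is a full connection that the target's application logs), which is why nmap defaults to a half-open SYN scan when it has raw-socket privileges; the open/closed/filtered interpretation of the responses is the same.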
Whatweb confirms the following services running on the target:
Gathering victim host information
Navigating to the IP address on port 80 reveals a web application called GetSimple (a PHP CMS) running on the target.
Clicking the hyperlinks on the home page does not give much information about the target, so we move on to other tactics.
We check whether there is a robots.txt file that could give further information about the web service. It reveals a disallowed /admin/ directory. A Disallow entry only asks well-behaved crawlers to stay away; it is not access control, so we navigate there and find a login page.
Scanning & Enumeration
Wordlist scanning on the root directory reveals the following directories and pages:
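The two enumeration steps above (harvesting robots.txt and then brute-forcing paths from a wordlist) can be combined: seed the candidate list with the Disallow entries, then request each candidate and keep everything that is not a 404. The following is an added example, not code from the original write-up, from gobuster or from GetSimple. The target is an in-process HTTP server serving a constructed directory tree so the code runs offline; for a real engagement you would pass the target's base URL and a real wordlist.

```python
"""robots.txt harvesting plus wordlist directory enumeration (added example).

Not from the original write-up, gobuster or GetSimple. The target is an
in-process HTTP server serving a constructed directory tree so the code runs
offline; pass a real base URL and wordlist for an actual engagement.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: path -> (status, body). Everything else is a 404.
FAKE_SITE = {
    "/": (200, b"<h1>Welcome to GetSimple</h1>"),
    "/robots.txt": (200, b"User-agent: *\nDisallow: /admin/\nDisallow: /data/\n"),
    "/admin/": (200, b"<form>login</form>"),
    "/data/": (200, b"Index of /data"),
    "/backups/": (403, b"Forbidden"),
}

# Ignore proxy environment variables so loopback requests stay local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class FakeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = FAKE_SITE.get(self.path, (404, b"Not Found"))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_fake_site():
    """Start the constructed target on 127.0.0.1 and return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe(url, timeout=3):
    """GET url; return its HTTP status code, or None if the host is unreachable."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:  # 4xx/5xx responses still carry a useful status
        return e.code
    except urllib.error.URLError:
        return None


def disallowed_paths(robots_text):
    """Return the Disallow entries of a robots.txt; hints to crawlers, not access control."""
    paths = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def enumerate_paths(base, wordlist):
    """Seed candidates with robots.txt Disallow entries, then report every non-404 path."""
    candidates = list(wordlist)
    try:
        with OPENER.open(base + "/robots.txt", timeout=3) as resp:
            candidates = disallowed_paths(resp.read().decode(errors="replace")) + candidates
    except urllib.error.URLError:  # no robots.txt, nothing to seed
        pass
    hits = {}
    for path in dict.fromkeys(candidates):  # dedupe while keeping order
        status = probe(base + path)
        if status is not None and status != 404:
            hits[path] = status
    return hits


def demo():
    """Run the enumeration against the constructed target and return the hits."""
    srv, base = start_fake_site()
    try:
        return enumerate_paths(base, ["/admin/", "/backups/", "/images/", "/theme/"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status} {path}")
```

Note that a 403 is kept: a forbidden directory still tells you the path exists, which is exactly the kind of lead (a data or backup directory) that the next enumeration step follows up on.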
So far we have a username, admin; a 40-character hexadecimal string, d033e22ae348aeb5660fc2140aec35850c4da997, which is a password hash rather than a plaintext password (its length and character set are consistent with unsalted SHA-1, and it is in fact the SHA-1 digest of the string admin); a version, 3.3.15; and a suspicion that the web app allows PHP uploads, although we have yet to find an interface through which to make the upload.
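The 40-hex-character value is worth a moment of method rather than guesswork: its length and alphabet narrow the candidate algorithms, and a small dictionary run against those algorithms recovers the plaintext. The following is an added example, not code from the original write-up; the wordlist is constructed inline, and in practice you would feed rockyou.txt or similar (or hand the hash to hashcat or John the Ripper).

```python
"""Identify and dictionary-crack the hex digest found during enumeration (added example).

Not from the original write-up. The wordlist is constructed inline; a real run
would use a large public wordlist.
"""
import hashlib
import re

# The value recovered from the target during enumeration.
FOUND = "d033e22ae348aeb5660fc2140aec35850c4da997"

# Digest length in hex characters -> unsalted algorithms that produce it.
LENGTH_HINTS = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}

# Constructed candidate list standing in for a real wordlist.
WORDLIST = ["password", "123456", "getsimple", "admin", "letmein"]


def identify(value):
    """Return candidate hash algorithms for a hex string, or [] if it is not a hex digest."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return []
    return LENGTH_HINTS.get(len(value), [])


def crack(digest, wordlist, algorithms=None):
    """Hash every candidate with every plausible algorithm; return (password, algo) or None."""
    digest = digest.lower()
    algorithms = algorithms or identify(digest)
    for word in wordlist:
        encoded = word.encode()
        for algo in algorithms:
            if hashlib.new(algo, encoded).hexdigest() == digest:
                return word, algo
    return None


if __name__ == "__main__":
    print("candidate algorithms:", identify(FOUND))
    print("cracked:", crack(FOUND, WORDLIST))
```

The recovered pair, admin:admin, is what the write-up uses at the login page. The lesson for the defensive side is the mirror image: a fast, unsalted digest of a dictionary word offers no protection once the hash is readable, which is why modern applications use a slow, salted password hash.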
We can check whether there are known vulnerabilities in the version of the web service running on our target, and search Exploit-DB (for example with searchsploit) for public exploits against GetSimple CMS 3.3.15. There are many, but the two I select are GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit) and GetSimpleCMS PHP File Upload Vulnerability.
Resource development
Let us log in at IP:PORT/admin with the credentials recovered earlier, admin:admin (the password is the plaintext behind the SHA-1 hash found during enumeration).