---
title: THM - Simple CTF (easyctf)
chapter: 4
tags: [security, enumeration, privesc]
---

# THM - Simple CTF (easyctf)

<https://tryhackme.com/room/easyctf>

## Information gathering

### Port and service enumeration

*How many services are running under port 1000?*

~~~shell
$ sudo nmap -p1-1000 -sS --open --min-rate 4000 -vvv -n -Pn $IP -oG allPorts
~~~

~~~shell
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 21:30 EDT
Initiating SYN Stealth Scan at 21:30
Scanning 10.10.60.1 [1000 ports]
Discovered open port 21/tcp on 10.10.60.1
Discovered open port 80/tcp on 10.10.60.1
Completed SYN Stealth Scan at 21:30, 2.06s elapsed (1000 total ports)
Nmap scan report for 10.10.60.1
Host is up, received user-set (0.19s latency).
Scanned at 2023-07-11 21:30:21 EDT for 1s
Not shown: 998 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.09 seconds
           Raw packets sent: 1999 (87.956KB) | Rcvd: 3 (132B)
~~~

**Flag \#1:** `2`

*What is running on the higher port?*

~~~shell
sudo nmap -p- -sS --open --min-rate 4000 -vvv -n -Pn $IP -oG allPorts
~~~

~~~shell
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 21:31 EDT
Initiating SYN Stealth Scan at 21:31
Scanning 10.10.60.1 [65535 ports]
Discovered open port 80/tcp on 10.10.60.1
Discovered open port 21/tcp on 10.10.60.1
Discovered open port 2222/tcp on 10.10.60.1
Completed SYN Stealth Scan at 21:32, 50.82s elapsed (65535 total ports)
Nmap scan report for 10.10.60.1
Host is up, received user-set (0.28s latency).
Scanned at 2023-07-11 21:31:50 EDT for 51s
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack ttl 63
80/tcp   open  http         syn-ack ttl 63
2222/tcp open  EtherNetIP-1 syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 51.04 seconds
           Raw packets sent: 196621 (8.651MB) | Rcvd: 24 (1.056KB)
~~~

~~~shell
$ sudo nmap -p21,80,2222 -sSCV --script http-enum $IP -oN targeted
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 21:40 EDT
Nmap scan report for 10.10.60.1 (10.10.60.1)
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-enum:
|_  /robots.txt: Robots file
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.09 seconds
~~~

**Flag \#2:** `ssh`

~~~shell
git clone https://github.com/danielmiessler/SecLists.git /usr/share/SecLists
~~~

~~~shell
wfuzz -w /usr/share/SecLists/Discovery/Web-Content/common.txt -u $IP/FUZZ --hc=404 -t 40
~~~

~~~shell
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.60.1/FUZZ
Total requests: 4715

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000024:   403        11 L     32 W       294 Ch      ".htaccess"
000000025:   403        11 L     32 W       294 Ch      ".htpasswd"
000000023:   403        11 L     32 W       289 Ch      ".hta"
000002194:   200        375 L    968 W      11321 Ch    "index.html"
000003571:   200        32 L     141 W      929 Ch      "robots.txt"
000003712:   403        11 L     32 W       298 Ch      "server-status"
000003802:   301        9 L      28 W       309 Ch      "simple"

Total time: 0
Processed Requests: 4617
Filtered Requests: 4610
Requests/sec.: 0
~~~

The `/simple` path:

![](https://hackmd.io/_uploads/ByFbgcsYh.png)

The nikto tool took a long time and did not return useful results:

~~~shell
$ nikto -url http://$IP/simple/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.60.1
+ Target Hostname:    10.10.60.1
+ Target Port:        80
+ Start Time:         2023-07-11 22:37:51 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /simple/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /simple/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /simple/: Cookie CMSSESSIDd6a5f2400115 created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /simple/config.php: PHP Config file may contain database IDs and passwords.
+ /simple/admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0995
+ /simple/doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
+ /simple/lib/: This might be interesting.
+ /simple/tmp/: Directory indexing found.
+ /simple/tmp/: This might be interesting.
~~~

~~~shell
$ sudo apt install cmseek
$ cmseek -u $IP/simple/

 ___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA

[+]  CMS Scan Results  [+]

 ┏━Target: 10.10.60.1
 ┃
 ┠── CMS: CMS Made Simple
 ┃    │
 ┃    ╰── URL: https://cmsmadesimple.org
 ┃
 ┠── Result: /home/kali/tmp/Result/10.10.60.1_simple/cms.json
 ┃
 ┗━Scan Completed in 2.48 Seconds, using 1 Requests

CMSeeK says ~ Aabar dekha hobey
~~~

~~~shell
$ whatweb http://$IP/simple/
http://10.10.60.1/simple/ [200 OK] Apache[2.4.18], CMS-Made-Simple[2.2.8], Cookies[CMSSESSIDd6a5f2400115], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.60.1], JQuery[1.11.1], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], Script[text/javascript], Title[Home - Pentest it]
~~~

We note that the tool that gave us the CMS version was `whatweb`:

~~~
...CMS-Made-Simple[2.2.8],...
~~~

But we can also find it directly in the footer:

![](https://hackmd.io/_uploads/rJiRuqot3.png)
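The two nmap runs above illustrate a point worth automating when scan output is reviewed: the SYN scan labels 2222/tcp as `EtherNetIP-1` purely from nmap's port table, and only the `-sV` run identifies it as SSH on a non-default port. The following Python is an added example (not part of the writeup) that parses the port lines from both runs, answers the room's two questions from the parsed records, and flags services listening away from their usual port. The sample scan text is constructed from the output shown above, and the `DEFAULT_PORT` lookup table is an assumption for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the port tables from the all-ports SYN scan
# (REASON column) and the -sV scan (VERSION column) shown in the writeup.
SYN_SCAN = """\
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack ttl 63
80/tcp   open  http         syn-ack ttl 63
2222/tcp open  EtherNetIP-1 syn-ack ttl 63
"""

VERSION_SCAN = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-enum:
|_  /robots.txt: Robots file
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
"""

# One nmap port line: "<port>/<proto>  <state>  <service>  [reason or version text]"
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed IANA defaults for the services seen in this room (not exhaustive).
DEFAULT_PORT = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}


def parse_nmap_ports(text: str) -> List[Dict[str, object]]:
    """Return one record per port line; header and NSE script lines ('|') are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, extra = m.groups()
        records.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "extra": (extra or "").strip(),
        })
    return records


def count_open_below(records: List[Dict[str, object]], limit: int) -> int:
    """Number of open ports strictly below `limit` (the room's first question)."""
    return sum(1 for r in records if r["state"] == "open" and r["port"] < limit)


def highest_open_service(records: List[Dict[str, object]]) -> Optional[str]:
    """Service name on the highest-numbered open port (the room's second question)."""
    open_ports = [r for r in records if r["state"] == "open"]
    if not open_ports:
        return None
    return max(open_ports, key=lambda r: r["port"])["service"]


def off_default_ports(records: List[Dict[str, object]]) -> List[str]:
    """Services that nmap identified but that listen away from their usual port."""
    return [
        f'{r["service"]} on {r["port"]}/{r["proto"]}'
        for r in records
        if r["service"] in DEFAULT_PORT and DEFAULT_PORT[r["service"]] != r["port"]
    ]


def service_name_changes(syn_text: str, version_text: str) -> Dict[int, Tuple[str, str]]:
    """Ports whose port-table guess (SYN scan) differs from the -sV detection."""
    guessed = {(r["port"], r["proto"]): r["service"] for r in parse_nmap_ports(syn_text)}
    detected = {(r["port"], r["proto"]): r["service"] for r in parse_nmap_ports(version_text)}
    changes = {}
    for key in guessed.keys() & detected.keys():
        if guessed[key] != detected[key]:
            changes[key[0]] = (guessed[key], detected[key])
    return changes


if __name__ == "__main__":
    records = parse_nmap_ports(VERSION_SCAN)
    print("open ports below 1000:", count_open_below(records, 1000))
    print("service on highest port:", highest_open_service(records))
    print("off-default listeners:", off_default_ports(records))
    print("name changes after -sV:", service_name_changes(SYN_SCAN, VERSION_SCAN))
```

The `service_name_changes` result is the one to act on in a review: a name taken from nmap's port table is only a guess, so any inventory or detection rule should be built from the `-sV` service name and version string, never from the SYN scan alone.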
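The whatweb line above packs several fingerprints (server, CMS, JavaScript library, cookie name, generator meta tag) into one `Name[value][value]` list, and the writeup's observation is that the CMS version comes from it. The following Python is an added example (not code from the writeup or from whatweb) that parses that one-line format into a structured record and pulls out every component that exposes a version number, which is the information a defender would want to suppress (Apache `ServerTokens`, the CMS generator tag) or track in an asset inventory. The input line is the one shown above, embedded here as a constructed sample.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the single result line printed by whatweb in the writeup.
WHATWEB_LINE = (
    "http://10.10.60.1/simple/ [200 OK] Apache[2.4.18], CMS-Made-Simple[2.2.8], "
    "Cookies[CMSSESSIDd6a5f2400115], Country[RESERVED][ZZ], HTML5, "
    "HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.60.1], JQuery[1.11.1], "
    "MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], "
    "Script[text/javascript], Title[Home - Pentest it]"
)

# "<url> [<status> <reason>] <plugin list>"
HEADER = re.compile(r"^(\S+)\s+\[(\d{3})\s([^\]]*)\]\s+(.*)$")
VALUE = re.compile(r"\[([^\]]*)\]")
VERSION = re.compile(r"\d+(?:\.\d+)+")

# Plugins whose values look like versions but are not software versions.
NOT_VERSIONS = {"IP"}


def _split_top_level(s: str) -> List[str]:
    """Split on commas that are outside square brackets, so a comma inside a
    value such as a page title does not break the entry apart."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def parse_whatweb(line: str) -> Dict[str, object]:
    """Parse one whatweb result line into url, status and a plugin -> values map."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a whatweb result line")
    url, status, reason, rest = m.groups()
    plugins: Dict[str, List[str]] = {}
    for entry in _split_top_level(rest):
        name = entry.split("[", 1)[0].strip()
        plugins[name] = VALUE.findall(entry)   # [] for flag-only plugins like HTML5
    return {"url": url, "status": int(status), "reason": reason, "plugins": plugins}


def exposed_versions(plugins: Dict[str, List[str]]) -> Dict[str, str]:
    """Components whose fingerprint includes a bare version string."""
    found = {}
    for name, values in plugins.items():
        if name in NOT_VERSIONS:
            continue
        for v in values:
            if VERSION.fullmatch(v):
                found[name] = v
                break
    return found


def cms_fingerprint(plugins: Dict[str, List[str]]) -> Tuple[str, str]:
    """(CMS name, version) for the CMS plugin whatweb reported, or ('', '')."""
    for name, values in plugins.items():
        if name.startswith("CMS") and values:
            return name, values[0]
    return "", ""


if __name__ == "__main__":
    result = parse_whatweb(WHATWEB_LINE)
    print(result["url"], result["status"])
    print("CMS:", cms_fingerprint(result["plugins"]))
    print("versions exposed:", exposed_versions(result["plugins"]))
```

The bracket-depth splitter matters more than it looks: `Title[...]` and `MetaGenerator[...]` carry free text, so a naive `split(", ")` would silently corrupt entries the moment a page title contains a comma.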