https://tryhackme.com/room/easyctf
How many services are running under port 1000?
$ sudo nmap -p1-1000 -sS --open --min-rate 4000 -vvv -n -Pn $IP -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 21:30 EDT
Initiating SYN Stealth Scan at 21:30
Scanning 10.10.60.1 [1000 ports]
Discovered open port 21/tcp on 10.10.60.1
Discovered open port 80/tcp on 10.10.60.1
Completed SYN Stealth Scan at 21:30, 2.06s elapsed (1000 total ports)
Nmap scan report for 10.10.60.1
Host is up, received user-set (0.19s latency).
Scanned at 2023-07-11 21:30:21 EDT for 1s
Not shown: 998 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.09 seconds
Raw packets sent: 1999 (87.956KB) | Rcvd: 3 (132B)
Flag #1: 2
What is running on the higher port?
$ sudo nmap -p- -sS --open --min-rate 4000 -vvv -n -Pn $IP -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 21:31 EDT
Initiating SYN Stealth Scan at 21:31
Scanning 10.10.60.1 [65535 ports]
Discovered open port 80/tcp on 10.10.60.1
Discovered open port 21/tcp on 10.10.60.1
Discovered open port 2222/tcp on 10.10.60.1
Completed SYN Stealth Scan at 21:32, 50.82s elapsed (65535 total ports)
Nmap scan report for 10.10.60.1
Host is up, received user-set (0.28s latency).
Scanned at 2023-07-11 21:31:50 EDT for 51s
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
80/tcp open http syn-ack ttl 63
2222/tcp open EtherNetIP-1 syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 51.04 seconds
Raw packets sent: 196621 (8.651MB) | Rcvd: 24 (1.056KB)
$ sudo nmap -p21,80,2222 -sSCV --script http-enum $IP -oN targeted
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 21:40 EDT
Nmap scan report for 10.10.60.1 (10.10.60.1)
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-enum:
|_ /robots.txt: Robots file
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.09 seconds
Flag #2: ssh
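Both questions above (how many open ports sit below 1000, and what runs on the highest one) can be answered mechanically from the `-oG allPorts` file the scans write. The following Python parser for nmap's greppable format is an added example, not part of the original writeup or of nmap itself. The two sample files are constructed to match the scans shown: the SYN-only sample names port 2222 from nmap's port table (`EtherNetIP-1`, as in the first full-port scan), while the `-sV` sample assumes the same layout with the version field filled in (`ssh`, `OpenSSH 7.2p2`, as in the targeted scan).

```python
"""Parse nmap greppable (-oG) output and answer the two enumeration questions."""
from typing import Dict, List, Optional

# Constructed sample: what `nmap -p- -sS --open ... -oG allPorts` writes for this host.
# Fields are tab-separated; with no -sV the service name is only nmap's port-table guess.
SAMPLE_SYN = "\n".join([
    "# Nmap 7.93 scan initiated Tue Jul 11 21:31:50 2023 as: nmap -p- -sS --open -oG allPorts 10.10.60.1",
    "Host: 10.10.60.1 ()\tStatus: Up",
    "Host: 10.10.60.1 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "2222/open/tcp//EtherNetIP-1///\tIgnored State: filtered (65532)",
    "# Nmap done at Tue Jul 11 21:32:41 2023 -- 1 IP address (1 host up) scanned in 51.04 seconds",
])

# Constructed sample: the same host after a -sV scan, so the version field is populated
# and port 2222 is identified by its banner rather than by the port table.
SAMPLE_SV = "\n".join([
    "Host: 10.10.60.1 ()\tStatus: Up",
    "Host: 10.10.60.1 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, "
    "2222/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/",
])


def parse_grepable(text: str) -> List[Dict[str, object]]:
    """Return one record per port entry found in -oG output.

    Each entry is laid out as port/state/proto/owner/service/rpcinfo/version/ .
    Splitting at most six times keeps any '/' inside the version string intact.
    """
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer comments
        fields: Dict[str, str] = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        if "Ports" not in fields:
            continue  # 'Status: Up' lines carry no port data
        host = fields["Host"].split()[0]  # drop the '(hostname)' suffix
        for entry in fields["Ports"].split(","):
            parts = entry.strip().split("/", 6)
            if len(parts) < 7:
                continue  # malformed entry; ignore rather than crash
            port, state, proto, _owner, service, _rpc, version = parts
            records.append({
                "host": host,
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": version.rstrip("/"),
            })
    return records


def open_ports(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Open entries only, sorted by port number."""
    return sorted((r for r in records if r["state"] == "open"), key=lambda r: r["port"])


def count_open_below(records: List[Dict[str, object]], limit: int = 1000) -> int:
    """Question 1: number of open ports strictly below `limit`."""
    return sum(1 for r in open_ports(records) if r["port"] < limit)


def highest_open(records: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Question 2: the open entry with the largest port number, or None."""
    ports = open_ports(records)
    return ports[-1] if ports else None


if __name__ == "__main__":
    for label, sample in (("SYN only", SAMPLE_SYN), ("with -sV", SAMPLE_SV)):
        recs = parse_grepable(sample)
        top = highest_open(recs)
        print(f"[{label}] open below 1000: {count_open_below(recs)}; "
              f"highest: {top['port']}/{top['proto']} {top['service']} {top['version']}")
```

Running it shows why the page's two scans disagree about port 2222: the SYN-only file reports `EtherNetIP-1` (a port-table name), the `-sV` file reports `ssh` with the OpenSSH version string, so a service-detection pass is needed before trusting the name.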
$ git clone https://github.com/danielmiessler/SecLists.git /usr/share/SecLists
$ wfuzz -w /usr/share/SecLists/Discovery/Web-Content/common.txt -u $IP/FUZZ --hc=404 -t 40
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.60.1/FUZZ
Total requests: 4715
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000024: 403 11 L 32 W 294 Ch ".htaccess"
000000025: 403 11 L 32 W 294 Ch ".htpasswd"
000000023: 403 11 L 32 W 289 Ch ".hta"
000002194: 200 375 L 968 W 11321 Ch "index.html"
000003571: 200 32 L 141 W 929 Ch "robots.txt"
000003712: 403 11 L 32 W 298 Ch "server-status"
000003802: 301 9 L 28 W 309 Ch "simple"
Total time: 0
Processed Requests: 4617
Filtered Requests: 4610
Requests/sec.: 0
The /simple path
The nikto tool took a long time and did not produce useful results.
$ nikto -url http://$IP/simple/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.60.1
+ Target Hostname: 10.10.60.1
+ Target Port: 80
+ Start Time: 2023-07-11 22:37:51 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /simple/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /simple/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /simple/: Cookie CMSSESSIDd6a5f2400115 created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /simple/config.php: PHP Config file may contain database IDs and passwords.
+ /simple/admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0995
+ /simple/doc/: The /doc/ directory is browsable. This may be /usr/doc. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
+ /simple/lib/: This might be interesting.
+ /simple/tmp/: Directory indexing found.
+ /simple/tmp/: This might be interesting.
$ sudo apt install cmseek
$ cmseek -u $IP/simple/
___ _ _ ____ ____ ____ _ _
| |\/| [__ |___ |___ |_/ by @r3dhax0r
|___ | | ___| |___ |___ | \_ Version 1.1.3 K-RONA
[+] CMS Scan Results [+]
┏━Target: 10.10.60.1
┃
┠── CMS: CMS Made Simple
┃ │
┃ ╰── URL: https://cmsmadesimple.org
┃
┠── Result: /home/kali/tmp/Result/10.10.60.1_simple/cms.json
┃
┗━Scan Completed in 2.48 Seconds, using 1 Requests
CMSeeK says ~ Aabar dekha hobey
$ whatweb http://$IP/simple/
http://10.10.60.1/simple/ [200 OK] Apache[2.4.18], CMS-Made-Simple[2.2.8], Cookies[CMSSESSIDd6a5f2400115], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.60.1], JQuery[1.11.1], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], Script[text/javascript], Title[Home - Pentest it]
Note that the tool that gave us the CMS version was whatweb:
...CMS-Made-Simple[2.2.8],...
The version can also be read directly from the site's footer.
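The whatweb summary line packs every fingerprint into `Plugin[value][value]` groups, so pulling the CMS name and version out of it is a small parsing job. The following Python is an added example, not code from the original writeup or from whatweb; the sample line is the one printed above, and the set of plugin names treated as CMS fingerprints is an assumption chosen for illustration.

```python
"""Parse a whatweb summary line and extract the CMS fingerprint from it."""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the summary line whatweb printed for this target (values as on the page).
WHATWEB_LINE = (
    "http://10.10.60.1/simple/ [200 OK] Apache[2.4.18], CMS-Made-Simple[2.2.8], "
    "Cookies[CMSSESSIDd6a5f2400115], Country[RESERVED][ZZ], HTML5, "
    "HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.60.1], JQuery[1.11.1], "
    "MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], "
    "Script[text/javascript], Title[Home - Pentest it]"
)

# One plugin entry: a name, then zero or more [value] groups, terminated by ', ' or end of line.
PLUGIN_RE = re.compile(r"([A-Za-z][\w.-]*)((?:\[[^\]]*\])*)(?:, |$)")
VALUE_RE = re.compile(r"\[([^\]]*)\]")

# Assumption: a hand-picked set of whatweb plugin names that identify a CMS.
CMS_PLUGINS = ("CMS-Made-Simple", "WordPress", "Joomla", "Drupal")


def parse_whatweb(line: str) -> Dict[str, object]:
    """Split 'URL [status] Plugin[v], Plugin[v][v], ...' into url, status and a plugin map."""
    head, sep, rest = line.partition("] ")
    if not sep:
        raise ValueError("not a whatweb summary line: missing '[status] ' section")
    url, _, status = head.partition(" [")
    plugins: Dict[str, List[str]] = {}
    for match in PLUGIN_RE.finditer(rest):
        name, raw_values = match.group(1), match.group(2)
        plugins[name] = VALUE_RE.findall(raw_values)  # [] for bare plugins such as HTML5
    return {"url": url, "status": status, "plugins": plugins}


def find_cms(plugins: Dict[str, List[str]]) -> Optional[Tuple[str, Optional[str]]]:
    """Return (plugin name, first value) for the first recognised CMS plugin, else None."""
    for name in CMS_PLUGINS:
        if name in plugins:
            values = plugins[name]
            return name, (values[0] if values else None)
    return None


if __name__ == "__main__":
    parsed = parse_whatweb(WHATWEB_LINE)
    print(parsed["url"], parsed["status"])
    for name, values in parsed["plugins"].items():
        print(f"  {name}: {values}")
    print("CMS:", find_cms(parsed["plugins"]))
```

Multi-valued plugins such as `Country[RESERVED][ZZ]` and `HTTPServer[...][...]` come back as lists, and a bare plugin such as `HTML5` gets an empty list, so the map can be fed to whatever version check or inventory comes next.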