This post is about my attempt to complete a CTF room on TryHackMe. I won’t post any blatant spoilers about what I did, but if you haven’t done EasyCTF yet, you might want to skip this post…
So, today after completing the day’s Advent of Cyber task on TryHackMe I decided to continue on with some more CTF practice. Today’s choice was EasyCTF. Unlike some of the other rooms I’ve been doing lately, this one was less about a guided tutorial, and more a chance to apply everything I’ve learnt so far on my own.
So, I deployed the machine and sat down to try and break in. One nmap scan later and I could see the machine was running ftp, http and ssh. The vulnerability script in nmap didn’t provide anything useful, so where to now? Well, I know it’s running a web server, so let’s see what directories are there.
Gobuster is a handy tool for quickly enumerating directories and files on a web server, and I soon found a directory that looked interesting. Viewing it in the browser gave me the default page for a CMS. Searching ExploitDB for this CMS gave me an exploit, which I promptly downloaded. Running the exploit, I was disappointed to get an error, so I looked at what was going on.
Firstly, the code was Python 2 code, and I’d tried running it in Python 3. Oh well, I’ll just use Python2, that’ll sort that out no problems. Uh, not so fast, cobber, now Python’s complaining that modules don’t exist. Well, I guess I’ll install them. Oh, what’s this, they exist for Python 3, not Python 2? Guess I’ll figure out how to make this code work in Python 3, then.
After a quick tinker with the code I managed to get it working, right up until it tried cracking the password, which got me an error about utf-8 decoding. A quick Google on the error code suggested that there might be some issues with my wordlist. I tried a few different ones, without success.
Fortunately there’s always more than one way to do something, so I fired up hydra. Hydra is a nifty network logon cracker, and it took no more than 30 seconds to get the password for the user account. Logging in through ssh gave me the user flag, leaving only the root flag to find.
So, now the job was to escalate privileges and gain root access. It’s at this point I was scratching my head a bit. I had a think about how I’d solved similar issues in the tutorial rooms, and remembered that on one the exploit was found by listing what commands the user could use with sudo. In this case the user can use sudo to run vim.
I had a look on GTFOBins for an exploit to escalate privileges. Spoiler Alert: There was an exploit. Actually, there were several exploits, but the one of interest was that when used with sudo to run a command, the command ran with root privileges. I made use of this to get a root shell, and hence get the root flag.
So, with the CTF completed, how do I think I went? All things considered, not too bad. There were a couple of head scratching moments, but with a bit of research I was able to figure them out. I’m particularly pleased that I was able to figure out the issue with the CMS exploit python script. I’ve not done a lot with Python, so I was happy enough to figure out why it wasn’t running and mostly get it working.
Just a collection of protons, neutrons and electrons…