TryHackMe Room: EasyCTF walkthrough

TryHackMe platform

A write-up covering the steps taken to solve the beginner-level CTF room EasyCTF on the TryHackMe platform.

This blog post was written as part of a task in the Masters Certification in Red Team program from HackerU.

Step 1: Connect to TryHackMe and start the target machine

1. Connect to TryHackMe by entering the command:

sudo openvpn /pathtoOVPNfile.ovpn

2. Start the machine in the ‘easyctf’ room; the target IP address will be displayed within a minute.

Step 2: Information gathering using Nmap and DirBuster

1. Start an nmap scan of the target IP:

nmap -A -O <target ip>

[screenshot: nmap result]

Open ports found:

  • 21 — ftp, vsftpd 3.0.3
  • 80 — http, Apache 2.4.18
  • 2222 — ssh

2. Accessing the open ports

Port 80: running DirBuster to enumerate the directory structure found /simple.

Navigating to /simple showed a CMS at version 2.2.8, which is vulnerable to CVE-2019-9053 (SQL injection).

Port 21: anonymous login was successful, and a file naming a user was found on the FTP server.

[screenshot: anonymous login]
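The two findings above (version strings from the scan, and the ftp-anon script reporting that anonymous login is allowed) are the things a defender would want pulled out of a scan automatically. The shell functions below are an added example, not part of the write-up: SAMPLE_NMAP is a constructed snippet in the layout of nmap's port table (the vsftpd and Apache versions are the ones the write-up reports; the ssh banner and the FTP file name are placeholders), and the functions summarise open ports, extract a service's version and check for the anonymous-FTP finding.

```shell
# Added example (not from the write-up). SAMPLE_NMAP is constructed to resemble the
# port table printed by "nmap -A"; the ssh banner and FTP listing are placeholders.
SAMPLE_NMAP='Nmap scan report for 10.10.54.243
Host is up (0.020s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0               0 ftp-file-placeholder
80/tcp   open  http    Apache httpd 2.4.18
2222/tcp open  ssh     OpenSSH (version placeholder)'

# Print "port/proto service" for every line nmap marks as open.
open_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# Print the version string nmap reported for the named service (e.g. "ftp").
service_version() {
  printf '%s\n' "$1" | awk -v svc="$2" '
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && $3 == svc {
      v = ""
      for (i = 4; i <= NF; i++) v = v (i > 4 ? " " : "") $i
      print v
    }'
}

# Exit 0 when the ftp-anon NSE script reported that anonymous FTP login is allowed.
anon_ftp_allowed() {
  printf '%s\n' "$1" | grep -q 'ftp-anon: Anonymous FTP login allowed'
}

# Stand-alone usage: a quick triage report for the constructed scan.
open_ports "$SAMPLE_NMAP"
printf 'ftp version: %s\n' "$(service_version "$SAMPLE_NMAP" ftp)"
anon_ftp_allowed "$SAMPLE_NMAP" && echo 'WARNING: anonymous FTP login allowed'
```

On a real engagement the same functions can be fed a saved scan with `open_ports "$(cat scan.txt)"`; the anonymous-FTP check is the one that maps directly to a remediation (disable anonymous access in the FTP server's configuration and remove any files that name accounts).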

3. Trying an SSH brute force with hydra for the username found through the FTP login:

hydra -l <username> -P /usr/share/wordlists/rockyou.txt 10.10.54.243 -t 4 ssh -s 2222

[screenshot: ssh brute force]

Log in through SSH using the password found above.
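A hydra run like the one above leaves a very recognisable trail in sshd's authentication log: a burst of "Failed password" lines for one account from one source, then a single "Accepted password" from that same source. The functions below are an added example, not part of the write-up, showing how a defender would pick that pattern out of the log. SAMPLE_AUTH_LOG is constructed in sshd's log format; the host name, the account "ctfuser" and the client addresses are placeholders.

```shell
# Added example (not from the write-up): detect the brute-force-then-success
# signature in sshd log lines. SAMPLE_AUTH_LOG is constructed; the host, user and
# addresses are placeholders.
SAMPLE_AUTH_LOG='Feb  9 10:00:01 target sshd[1001]: Failed password for ctfuser from 10.0.0.5 port 51000 ssh2
Feb  9 10:00:02 target sshd[1002]: Failed password for ctfuser from 10.0.0.5 port 51001 ssh2
Feb  9 10:00:02 target sshd[1003]: Failed password for ctfuser from 10.0.0.5 port 51002 ssh2
Feb  9 10:00:03 target sshd[1004]: Failed password for ctfuser from 10.0.0.5 port 51003 ssh2
Feb  9 10:00:03 target sshd[1005]: Failed password for ctfuser from 10.0.0.5 port 51004 ssh2
Feb  9 10:00:04 target sshd[1006]: Accepted password for ctfuser from 10.0.0.5 port 51005 ssh2
Feb  9 10:05:00 target sshd[1007]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2'

# Print "ip count" for each source address with at least $2 failed password attempts.
# The source address is the field that follows the word "from".
failed_logins_by_source() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }' | sort
}

# Print the source address of every "Accepted password" that was preceded by at
# least $2 failures from the same address: the password-guessing success signature.
success_after_failures() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    /sshd\[[0-9]+\]: Accepted password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from" && fails[$(i + 1)] >= thr) print $(i + 1)
    }'
}

# Stand-alone usage over the constructed log with a threshold of 3 failures.
echo 'sources over threshold:'
failed_logins_by_source "$SAMPLE_AUTH_LOG" 3
echo 'successful logins after repeated failures:'
success_after_failures "$SAMPLE_AUTH_LOG" 3
```

The threshold is deliberately low because hydra with `-t 4` generates failures far faster than a person mistyping a password; on a live host the same logic is what fail2ban-style tooling automates, and the durable fix is key-based authentication with password logins disabled in sshd.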

4. Exploring the current directory found user.txt.

[screenshot: user.txt]

Exploring further: found that vim can be executed with root permission through sudo without a password:

sudo -l

5. Checking the GTFOBins site for sudo and vim.

6. Trying privilege escalation:

sudo vim -c ':!/bin/sh'

[screenshot: root access]
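The sudo entry that made step 6 possible is the kind of thing a system owner can audit before anyone else finds it: a NOPASSWD rule for a binary that GTFOBins lists as able to spawn a shell. The function below is an added example, not part of the write-up. SAMPLE_SUDO_L is constructed in the layout `sudo -l` prints, and ESCAPE_BINS is a short, deliberately incomplete list of such binaries that an administrator would extend from GTFOBins.

```shell
# Added example (not from the write-up): flag NOPASSWD sudo entries for binaries that
# can spawn a shell. SAMPLE_SUDO_L is constructed; ESCAPE_BINS is a partial list.
SAMPLE_SUDO_L='Matching Defaults entries for ctfuser on target:
    env_reset, mail_badpass

User ctfuser may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) NOPASSWD: /usr/bin/less'

# Basenames known (e.g. from GTFOBins) to let a sudo user break out to a shell.
ESCAPE_BINS='vim vi nano less more man find awk perl python python3 bash sh'

# Print the full path of each NOPASSWD entry whose basename is in ESCAPE_BINS.
risky_sudo_entries() {
  printf '%s\n' "$1" | awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    /NOPASSWD:/ {
      # the command is the field right after "NOPASSWD:"; reduce it to its basename
      cmd = ""
      for (i = 1; i <= NF; i++) if ($i == "NOPASSWD:") { cmd = $(i + 1); break }
      m = split(cmd, p, "/")
      base = p[m]
      if (base in risky) print cmd
    }'
}

# Exit 0 when the sudo -l output contains at least one risky NOPASSWD entry.
has_risky_sudo() {
  [ -n "$(risky_sudo_entries "$1")" ]
}

# Stand-alone usage over the constructed output.
if has_risky_sudo "$SAMPLE_SUDO_L"; then
  echo 'NOPASSWD entries that allow a shell escape:'
  risky_sudo_entries "$SAMPLE_SUDO_L"
fi
```

Run on a real host as `risky_sudo_entries "$(sudo -l)"` for each account of interest. The entry for systemctl is not flagged because it requires a password; the remediation for the flagged ones is to drop the NOPASSWD tag or, for editing as root, to use sudoedit, which never runs the editor itself as root.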

7. Searching for the root.txt file.

[screenshot: root.txt]

With this, all the questions given in the room can be answered.

HinaK (Software Tester)