TryHackMe Room: EasyCTF walkthrough

A write-up covering the steps taken to solve the beginner-level CTF room EasyCTF on the TryHackMe platform.

This blog was written as part of a task for the Masters Certification in Red Team Program from HackerU.

1. Connect to TryHackMe by entering the command:

sudo openvpn /pathtoOVPNfile.ovpn

2. Start the machine in the 'easyctf' room; the target IP address will be displayed in a minute.

1. Start an nmap scan of the target IP:

nmap -A -O <target ip>

nmap result:
  • 21 — ftp vsftpd 3.0.3
  • 80 — http apache 2.4.18
  • 2222 — ssh

2. Accessing open ports

Port 80:

Running dirbuster to find the folder structure: found /simple

Navigating to /simple: found CMS version 2.2.8, which is vulnerable to CVE-2019-9053 (SQL injection)

Port 21: anonymous login was successful, and a user file was found under it.

3. Trying SSH brute force using hydra for the user name found through the FTP login:

hydra -l <usrname> -P /usr/share/wordlists/rockyou.txt 10.10.54.243 -t 4 ssh -s 2222

Log in through SSH using the password found above.

4. Exploring the current location: found user.txt

Exploring further: found that vim can be executed with root permission without a password

sudo -l

5. Checking the GTFOBins site for sudo and vim

6. Trying privilege escalation:

sudo vim -c ':!/bin/sh'

7. Searching for the root.txt file

With this, all the questions given in the room can be answered.
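The hydra run in step 3 leaves a recognizable trail in the target's sshd log. As an added example (not part of the original write-up), this Python script flags a source that accumulates repeated failed passwords for a user and then logs in successfully; the log lines, host name, user names, addresses and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (assumed OpenSSH syslog format, not from the room).
SAMPLE_LOG = "\n".join(
    [f"Jan 10 10:00:{s:02d} ctf sshd[2101]: Failed password for alice "
     f"from 10.9.0.5 port {40100 + s} ssh2" for s in range(6)]
    + ["Jan 10 10:00:07 ctf sshd[2101]: Accepted password for alice from 10.9.0.5 port 40107 ssh2",
       "Jan 10 10:02:11 ctf sshd[2140]: Failed password for invalid user bob from 10.9.0.8 port 51200 ssh2",
       "Jan 10 10:02:15 ctf sshd[2140]: Failed password for invalid user bob from 10.9.0.8 port 51202 ssh2",
       "Jan 10 10:05:00 ctf sshd[2177]: Accepted password for carol from 10.9.0.9 port 38844 ssh2",
       "Jan 10 10:05:01 ctf CRON[2180]: pam_unix(cron:session): session opened for user root"]
)

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5):
    """Report (ip, user) pairs with at least `threshold` failed passwords,
    and whether a successful login followed once the threshold was reached."""
    failures = defaultdict(int)
    compromised = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd password event
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            # Success after a burst of failures: treat the account as guessed.
            compromised.add(key)
    return [
        {"ip": ip, "user": user, "failures": n, "succeeded": (ip, user) in compromised}
        for (ip, user), n in sorted(failures.items())
        if n >= threshold
    ]

if __name__ == "__main__":
    for hit in find_bruteforce(SAMPLE_LOG):
        print(hit)
```

A finding with `succeeded` set is the case that needs a password reset and session review, not just a block on the source address.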