A write-up covering the steps taken to solve a beginner-level CTF: the EasyCTF room on the TryHackMe platform.
This blog was written as part of a task for the Masters Certification in Red Team Program from HackerU.
Step 1: Connect to TryHackMe and start the target machine
1. Connect to TryHackMe by entering the command:
sudo openvpn /pathtoOVPNfile.ovpn
2. Start the machine in the 'easyctf' room; the target IP address will be displayed in a minute.
Step 2: Information gathering using Nmap and dirbuster
1. Start an nmap scan of the target IP:
nmap -A -O <target ip>
Open ports:
- 21 — ftp vsftpd 3.0.3
- 80 — http apache 2.4.18
- 2222 — ssh
2. Accessing open ports
port 80:
Running dirbuster to find the folder structure: found /simple
Navigating to /simple: found CMS version 2.2.8, which is vulnerable to CVE-2019-9053 (SQL injection)
port 21: Anonymous login was successful, and a user file was found there.
3. Trying an SSH brute force using hydra for the user name found through the FTP login:
hydra -l <usrname> -P /usr/share/wordlists/rockyou.txt 10.10.54.243 -t 4 ssh -s 2222
Log in through SSH using the password found above.
4. Exploring the current location: found user.txt
Exploring further: found that vim can be executed with root permission without a password
sudo -l
5. Checking the GTFOBins site for sudo and vim
6. Trying privilege escalation:
sudo vim -c ':!/bin/sh'
7. Searching for root.txt file
With this, all the questions given in the room can be answered.
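The passwordless `sudo vim` rule found in steps 4 to 6 is the misconfiguration that gave root here. The following audit script is an added example, not part of the original write-up: it reads `sudo -l` output and flags NOPASSWD rules for binaries that can spawn a shell. The function names, the `ESCAPE_BINS` list and the sample output are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag passwordless sudo rules that point at shell-capable binaries.
# ESCAPE_BINS is a short, non-exhaustive sample list (assumption); extend it as needed.
ESCAPE_BINS="vim vi nano less more man find awk python python3 perl ruby env bash sh"

# Reads `sudo -l` output on stdin; prints "runas<TAB>command" for each risky rule.
flag_sudo_escapes() {
  awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    # Rule lines look like: "    (root) NOPASSWD: /usr/bin/vim, /usr/bin/less"
    /^[ \t]*\(.*\).*NOPASSWD:/ {
      runas = $0; sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
      cmds = $0; sub(/.*NOPASSWD:[ \t]*/, "", cmds)
      m = split(cmds, c, /,[ \t]*/)
      for (j = 1; j <= m; j++) {
        nw = split(c[j], words, " "); w = 1
        # Skip tags such as SETENV:, stop where PASSWD: turns the prompt back on.
        while (w <= nw && words[w] ~ /^[A-Z_]+:$/ && words[w] != "PASSWD:") w++
        if (w > nw || words[w] == "PASSWD:") break
        path = words[w]; k = split(path, parts, "/"); base = parts[k]
        # A blanket ALL rule is as risky as any single shell-capable binary.
        if (path == "ALL" || (base in risky)) print runas "\t" path
      }
    }'
}

# Constructed sample of `sudo -l` output (user and host names are made up).
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for alice on host:
    env_reset, mail_badpass

User alice may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less
    (root) NOPASSWD: /usr/bin/systemctl status nginx
EOF
}

sample_sudo_l | flag_sudo_escapes   # prints: root<TAB>/usr/bin/vim
```

On a real host, pipe the output of `sudo -l -U <user>` (run as root) into `flag_sudo_escapes` for each account and remove or tighten any rule it reports.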