Simple CTF

Scan the Machine

If you are unsure how to tackle this, I recommend checking out the Nmap Tutorials by Hack Hunt.

nmap -sV -Pn <IP>

Nmap Scan

Looks like we have three ports open: 21, 80, 2222

How many services are running under port 1000?

2

What is running on the higher port?

SSH

Checked the website, nothing much.
Checked robots.txt, found some details. I think I found a username. Will investigate later.

Robot.txt

Run GoBuster -> gobuster dir http://<IP> -w /usr/share/wordlists/dirb/common.txt

GoBuster

There is one directory that catches my eye is /simple. So I checked the site http://<IP>/simple. Seems like CMS Made Simple Webpage. At the bottom there is version of it mentioned as well.

CMS

The CMS made simple 2.2.8 can be searched on CVE Details website for vulnerability or searchsploit database can be used, CMD -> searchsploit cms made simple 2.2.8

Searchsploit Result

Looks like we found an SQL Injection with this version and the exploit is located in /usr/share/exploitdb/exploits/php/webapps/46635.py

Check the file data to get the CVE number.

CVE Details

What’s the CVE you’re using against the application?

CVE-2019-9053

To what kind of vulnerability is the application vulnerable?

SQLi

Run the file -> sudo python /usr/share/exploitdb/exploits/php/webapps/46635.py

Run file

If you have an error for termcolor.

Python Error

Download the binaries from the Official Website. Unzip the file using command tar -xf <file_name>. Change directory to the extracted folder and run sudo python setup.py install. This will solve your termcolor error.

Run the file with sudo python usr/share/exploitdb/exploits/php/webapps/46635.py -u http://<IP>/simple --crack -w /usr/share/seclists/Passwords/Common-Credentials/best110.txt

Script Run