Beginner level CTF.
Hi folks, today I am going to solve the TryHackMe box named Simple CTF, made by MrSeth6797.

Initial Recon:
1- First we do a full TCP port scan with nmap:
sudo nmap -Pn -T5 -p- 10.10.28.215

-p- : scan all 65535 TCP ports instead of nmap's default top 1000
-Pn : treat the host as online and skip host discovery (no ping probe), which matters when ICMP is filtered
-T5 : the fastest ("insane") timing template; quick, but on a slow VPN link it can drop probes and miss open ports, so re-scan with -T4 if the results look thin
Now we have three open ports (21, 80, 2222).
We need more information about these ports, so run a service/version scan (-A) plus the http-enum script against just those three:
sudo nmap -Pn -T5 -A 10.10.28.215 -p 21,80,2222 --script http-enum
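The two-stage scan above (fast sweep of every port, then a slow service scan on only the open ones) as a script. This is an added example, not code from the original write-up; the target IP, output paths and the choice of -T4 over -T5 are assumptions, and the grepable output embedded at the bottom is a constructed sample so the port parser can be checked offline without a target.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up.
# Stage 1: full TCP range, grepable output. Stage 2: -sV/-sC on the open ports only.
# Target, output paths and -T4 are assumptions; tune them for the box.

# Extract open TCP ports from nmap grepable (-oG) output as a comma list, e.g. "21,80,2222".
# -oG packs every port into one "Host: ... Ports: p/state/proto//svc///, ..." line.
open_ports_from_grepable() {
    grep -E '^Host:.*Ports:' "$1" \
      | sed -E 's/.*Ports: //; s/[[:space:]]+Ignored State.*//' \
      | tr ',' '\n' \
      | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/ /, "", $1); print $1 }' \
      | sort -n | paste -sd, -
}

# Full sweep, then a targeted version/script scan on whatever was open.
two_stage_scan() {
    local target="$1" out="${2:-scan}"
    sudo nmap -Pn -T4 -p- -oG "${out}.gnmap" "$target" >/dev/null
    local ports
    ports=$(open_ports_from_grepable "${out}.gnmap")
    [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
    echo "open ports: $ports"
    sudo nmap -Pn -sV -sC -p "$ports" -oN "${out}.services.txt" "$target"
}

# Constructed sample in the shape of an -oG file (not real scan output) for an offline check.
SAMPLE_GNMAP='# Nmap 7.93 scan initiated (constructed sample)
Host: 10.10.28.215 ()	Status: Up
Host: 10.10.28.215 ()	Ports: 21/open/tcp//ftp///, 80/open/tcp//http///, 2222/open/tcp//ssh///, 25/filtered/tcp//smtp///	Ignored State: closed (65531)
# Nmap done'

if [ $# -ge 1 ]; then
    two_stage_scan "$1"          # usage: ./scan.sh 10.10.28.215
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
    echo "sample parse: $(open_ports_from_grepable "$tmp")"   # 21,80,2222
    rm -f "$tmp"
fi
```

The parser keeps only ports whose state is exactly "open" (the filtered 25/tcp in the sample is dropped), which is what you want to feed into -p for the second pass; filtered ports are worth a separate look but waste time in a -sV scan.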

FTP → Enumeration:
Can we log in to FTP as the anonymous user?
ftp 10.10.28.215

We can log in as anonymous:
But we don't have permission to download the files.
Note: sometimes FTP allows uploads into a directory that the web server also serves; in that case we upload a reverse shell over FTP and then request it over HTTP.
I tried brute-forcing SSH on port 2222, but to no avail.
HTTP → Enumeration:
First we need to find hidden directories with gobuster.
But before running gobuster, let's check robots.txt.

Tried accessing /openemr-5_0_1_3, but to no avail.
sudo gobuster dir -w /usr/share/wordlists/dirb/small.txt -u http://10.10.28.215

gobuster found:
/simple
Now we can see it is running CMS Made Simple, a content management system, version 2.2.8. We can use searchsploit to check whether CMS Made Simple 2.2.8 has a known public exploit.


Use searchsploit in general terms first (cms made simple), without the version, to see everything public for the product:
searchsploit cms made simple

Then add the version to narrow down to exploits affecting this particular release (searchsploit's default fuzzy version matching also returns titles that give a range covering 2.2.8):
searchsploit cms made simple 2.2.8

We can see the CMS is vulnerable to SQL injection (SQLi).
To get the exploit code from the local Exploit-DB copy:
┌──(root💀localhost)-[~]
└─# locate php/webapps/46635.py
/usr/share/exploitdb/exploits/php/webapps/46635.py

┌──(root💀localhost)-[~]
└─# cp /usr/share/exploitdb/exploits/php/webapps/46635.py .
(searchsploit -m 46635 does the same copy in one step.)
Or you can get it from Exploit-DB:
https://www.exploit-db.com/exploits/46635
Read the script before running it: Exploit-DB scripts expect a target URL and may need small fixes for your local Python setup.
