CTF
  • ⚡Simple CTF
Powered by GitBook
On this page
  • 1.How many services are running under port 1000?
  • ANS:- 2
  • 2.What is running on the higher port?
  • ANS:- SSH
  • 3.What's the CVE you're using against the application?
  • ANS:- CVE-2019-9053
  • 4. To what kind of vulnerability is the application vulnerable?
  • ANS:- Sqli
  • 5. What's the password?
  • ANS:- secret
  • 6. Where can you login with the details obtained?
  • ANS:- SSH
  • 7.What's the user flag?
  • ANS:- G00d j0b, keep up!
  • 8. Is there any other user in the home directory? What's its name?
  • ANS:- sunbath
  • 9. What can you leverage to spawn a privileged shell?
  • ANS:- VIM
  • 10.What's the root flag?
  • ANS:- W3ll d0n3. You made it!

Simple CTF

Last updated 1 year ago

1.How many services are running under port 1000?

  • First, we need to perform a port scan, and for that, we can use Nmap. We can use the '-sS' flag for stealth scanning and the '-sV' flag to determine the version of services running on the scanned ports.

ANS:- 2

2.What is running on the higher port?

ANS:- SSH

3.What's the CVE you're using against the application?

  • First, we need to enumerate the target website. We can use Dirsearch for this, and specify the URL with the '-u' flag.

  • After scanning, we found the '/simple' endpoint, which indicates the presence of a website. We also found a CMS service application at the bottom of the page, and its version was identified as 2.2.8.

  • We searched for this version on ExploitDB and found an SQL injection exploit.

  • To download the exploit, we can use 'searchsploit -m', which allows us to download exploits using the command line interface.

ANS:- CVE-2019-9053

4. To what kind of vulnerability is the application vulnerable?

ANS:- Sqli

5. What's the password?

  • Here, we found a CVE that we could exploit. We downloaded the corresponding program and ran it, which allowed us to discover the password. To run the program, we used the '-u' flag to specify the URL (e.g. https://IP/simple), and the '-w' flag to provide a wordlist for the program to use.

ANS:- secret

6. Where can you login with the details obtained?

ANS:- SSH

7.What's the user flag?

  • Okay, we successfully logged in using SSH. We can use the 'ls' command to list the files and directories on the system, and we found a file named 'user.txt'

ANS:- G00d j0b, keep up!

8. Is there any other user in the home directory? What's its name?

ANS:- sunbath

9. What can you leverage to spawn a privileged shell?

  • When we ran 'sudo -l', we found that we have permission to run '/usr/bin/vim' with root privileges

ANS:- VIM

10.What's the root flag?

  • To escalate our privileges, we used GTFOBins to find a way to take advantage of our 'vim' permissions. We copied the path '/usr/bin/vim' and searched for it on GTFOBins, which gave us the command 'sudo vim -c ':!/bin/sh''. By running this command, we were able to gain a root shell.

ANS:- W3ll d0n3. You made it!

⚡