Simple CTF

CMS Made Simple Exploit - Vim Binary Exploitation

Initial Recon

  • There were only three ports open: 21, 80 and 2222

  • Enumerating port 80 gave us an endpoint called /simple and a disallowed entry called openemr-5_0_1_3

  • Since the /simple endpoint led to a site running CMS Made Simple, there was a publicly available exploit for it

  • Using that exploit, we could recover the username and password: mitch:secret

  • We then logged in over SSH on port 2222 using the above credentials

Privilege Escalation

  • Checking the sudo rules with the sudo -l command showed that /usr/bin/vim could be run as root

  • A quick look at GTFOBins gave the shell escape: sudo vim -c ':!/bin/bash'

  • Grabbed the root.txt :)
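The root cause here is a sudo rule that lets a user run an editor as root; vim's built-in `:!` command then hands out a root shell. The following is an added example (not part of this writeup) that parses `sudo -l` output and flags such rules, so an administrator can spot them before someone reads GTFOBins. The sample output and the list of shell-escaping binaries are constructed for the example; the check treats sudo's NOEXEC tag as a mitigation and suggests sudoedit as the alternative.

```python
import re
from typing import List, NamedTuple

# Binaries whose sudo entry yields a root shell through a built-in escape
# (vim's ":!sh", less's "!sh", ...). Constructed, non-exhaustive list.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "view", "less", "more", "man", "nano"}

# One rule line of `sudo -l`: "(runas) [TAG: ...] command [args]"
SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)

class SudoRule(NamedTuple):
    runas: str
    tags: frozenset
    command: str

def parse_sudo_l(output: str) -> List[SudoRule]:
    """Parse the rule lines of `sudo -l` output; headers/Defaults are skipped."""
    rules = []
    for line in output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        tags = frozenset(t.rstrip(":") for t in m.group("tags").split())
        rules.append(SudoRule(m.group("runas").strip(), tags, m.group("cmd")))
    return rules

def flag_shell_escapes(rules: List[SudoRule]) -> List[str]:
    """Report rules that allow a shell escape as the run-as user and are not
    constrained by NOEXEC (which blocks the editor from exec'ing a shell)."""
    findings = []
    for r in rules:
        prog = r.command.split()[0].rsplit("/", 1)[-1]
        if prog in SHELL_ESCAPE_BINARIES and "NOEXEC" not in r.tags:
            findings.append(f"{r.command} as ({r.runas}): shell escape possible; "
                            "use sudoedit or add the NOEXEC tag")
    return findings

# Constructed `sudo -l` output mirroring the misconfiguration in the writeup.
SAMPLE = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less
    (root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for finding in flag_shell_escapes(parse_sudo_l(SAMPLE)):
        print(finding)
```

Run it on a live host with `sudo -l | python3 check_sudo.py`-style plumbing by reading stdin instead of SAMPLE; the NOEXEC rule for less is deliberately left unflagged to show the mitigation.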
