So… this is the first vulnerable machine I've made. It's available on the TryHackMe platform. I know it's not going to be that great, but that's the way you learn. Also, feedback would be appreciated on Discord.
Let's start by deploying the machine and running a full port scan against it.
Let's log in to FTP and see if there is anything there. It turns out to be a rabbit hole.
We're done with FTP, so let's move on. There is an Apache server running. Let's access it and see what we find.
From the information in the file we retrieved, we know there must be an application running, so let's run gobuster and see if it finds anything.
Accessing robots.txt reveals a directory called openemr-5_0_1_3. Trying to access that directory returns a Not Found.
But gobuster found another directory, called simple. Accessing it, I found CMS Made Simple running. Even though the index page was not optimized, scrolling down we find the version (2.2.8).
Using searchsploit, I found that this version is vulnerable to SQL injection. I downloaded the exploit and fired it up against the CMS with the following command:
Listing all items in the current directory, we find the user flag.
Running sudo -l, I see I can leverage vim to spawn a privileged shell.
Just type sudo vim, and inside the editor invoke the shell by typing :!bash
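The weakness class the exploit above depends on, shown as an added example that is not code from CMS Made Simple or from this write-up: a constructed SQLite table with a query that splices user input into the SQL text, next to the parameterised form that fixes it. The table name, columns, rows and search term are assumptions made for illustration only.

```python
import sqlite3
from typing import Dict, List

# Constructed stand-in for a CMS content table; not CMS Made Simple's real schema.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO news (title, published) VALUES (?, ?)",
        [("Welcome", 1), ("Maintenance window", 1), ("Unpublished draft", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """Vulnerable: the user-supplied term is concatenated into the SQL text, so a
    quote character in it rewrites the statement instead of being compared as data."""
    sql = (
        "SELECT title FROM news WHERE published = 1 AND title = '"
        + term
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn: sqlite3.Connection, term: str) -> List[str]:
    """Hardened: the term is bound as a parameter. The statement's shape is fixed
    before any input is seen, so no input can change the WHERE clause."""
    sql = "SELECT title FROM news WHERE published = 1 AND title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


def compare(term: str) -> Dict[str, List[str]]:
    """Run both variants against a fresh sample database and return the results side by side."""
    conn = build_sample_db()
    return {
        "vulnerable": search_vulnerable(conn, term),
        "hardened": search_hardened(conn, term),
    }


if __name__ == "__main__":
    # An ordinary search behaves identically in both variants.
    print(compare("Welcome"))
    # With a textbook tautology in the term, the concatenated query returns every row,
    # including the unpublished draft; the parameterised query treats it as a literal title.
    print(compare("' OR '1'='1"))
```

The fix is not escaping or filtering the term but keeping the statement and the data separate, which is what bound parameters do; the same pattern applies to any CMS plugin or module that builds queries from request input. Keeping the CMS itself patched closes the specific bug that searchsploit turned up here.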
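The defender's counterpart to the privilege escalation above, added here and not part of the original write-up: a small audit of sudoers-style rules that flags any grant of an editor able to run commands from inside the editor (which is what vim's :! does) unless the rule carries the NOEXEC tag. The sudoers sample, the user names and the editor list are constructed for illustration and do not come from the machine.

```python
import re
from typing import List, Tuple

# Editors whose built-in command runner can start another program from inside the
# editor (vim's ":!" is what the write-up uses). Extend this set for your own estate.
SHELL_CAPABLE_EDITORS = {"vim", "vi", "view", "vim.basic", "vim.tiny"}

# Rule shape handled: user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.*)$")

# Constructed sample sudoers content for the demonstration; not taken from the machine.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/vim
bob     ALL=(root) NOEXEC: /usr/bin/vim
carol   ALL=(root) sudoedit /etc/hosts
dave    ALL=(root) /usr/bin/systemctl restart apache2
eve     ALL=(root) /usr/bin/systemctl status apache2, /usr/bin/vi
"""


def audit_sudoers(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, command, reason) for every rule that grants a shell-capable
    editor without the NOEXEC tag. Alias and Defaults lines are skipped."""
    findings: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(
            ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
        ):
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        user = rule.group("user")
        for spec in rule.group("cmds").split(","):
            parsed = TAG_RE.match(spec.strip())
            tags = {t.rstrip(":") for t in parsed.group("tags").split()}
            cmd = parsed.group("cmd").strip()
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the granted program
            if binary in SHELL_CAPABLE_EDITORS and "NOEXEC" not in tags:
                findings.append(
                    (user, cmd, "editor can run commands; use sudoedit or add the NOEXEC: tag")
                )
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

Two mitigations appear in the sample: sudoedit lets a user edit a privileged file through a temporary copy without ever running the editor as root, and the NOEXEC tag makes sudo block the granted program from starting child processes. NOEXEC is implemented by preloading a library into dynamically linked programs, so it is a defence-in-depth measure rather than a substitute for not granting editors in the first place.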