# Simple CTF

```
  ___                        
 ( _ ) _ __ ___   __ _ _ __  
 / _ \| '_ ` _ \ / _` | '_ \ 
| (_) | | | | | | (_| | |_) |
 \___/|_| |_| |_|\__,_| .__/ 
                      |_|    

[+] Scanning 10.10.25.17 [65535 ports]


[+] Enumerating 10.10.25.17 [21,80,2222]

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-30 10:25 CDT
Nmap scan report for 10.10.25.17
Host is up (0.13s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.209.91
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.29 seconds

[+] Enumerating 10.10.25.17 for vulnerabilities [21,80,2222]

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-30 10:26 CDT
Pre-scan script results:
|_broadcast-avahi-dos: ERROR: Script execution failed (use -d to debug)
Nmap scan report for 10.10.25.17
Host is up (0.13s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-enum: 
|_  /robots.txt: Robots file
2222/tcp open  EtherNetIP-1

Nmap done: 1 IP address (1 host up) scanned in 319.78 seconds

[+] Completed!

```

```

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.25.17/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# on atleast 2 different hosts [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 131ms]
# This work is licensed under the Creative Commons  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 132ms]
#                       [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 133ms]
# or send a letter to Creative Commons, 171 Second Street,  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 900ms]
# Attribution-Share Alike 3.0 License. To view a copy of this  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 1892ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2895ms]
                        [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2899ms]
#                       [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 3904ms]
# Priority ordered case sensative list, where entries were found  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 3905ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4913ms]
#                       [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]
# Copyright 2007 James Fisher [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]
#                       [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4919ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4921ms]
simple                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 125ms]
                        [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 130ms]
```

```
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Bolt CMS < 3.6.2 - Cross-Site Scripting                                                                                                                                                                     | php/webapps/46014.txt
CMS Made Simple < 2.2.10 - SQL Injection                                                                                                                                                                    | php/webapps/46635.py
Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution                                                                                                                                         | php/webapps/51060.txt
Concrete CMS < 5.5.21 - Multiple Vulnerabilities                                                                                                                                                            | php/webapps/37225.pl
Concrete5 CMS < 5.4.2.1 - Multiple Vulnerabilities                                                                                                                                                          | php/webapps/17925.txt
Concrete5 CMS < 8.3.0 - Username / Comments Enumeration                                                                                                                                                     | php/webapps/44194.py
DeDeCMS < 5.7-sp1 - Remote File Inclusion                                                                                                                                                                   | php/webapps/37423.txt
Drake CMS < 0.2.3 ALPHA rev.916 - Remote File Inclusion                                                                                                                                                     | php/webapps/2713.txt
Kirby CMS < 2.5.7 - Cross-Site Scripting                                                                                                                                                                    | php/webapps/43140.txt
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)                                                                                                                                                              | php/webapps/44855.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)                                                                                                                                                              | php/webapps/44646.txt
Mura CMS < 6.2 - Server-Side Request Forgery / XML External Entity Injection                                                                                                                                | cfm/webapps/43045.txt
Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload                                                                                                                                                  | php/webapps/44891.txt
zKup CMS 2.0 < 2.3 - Arbitrary File Upload                                                                                                                                                                  | php/webapps/5220.php
zKup CMS 2.0 < 2.3 - Remote Add Admin                                                                                                                                                                       | php/webapps/5219.php
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

```

<figure><img src="/files/JnOji6aLV6BtWfZ2wJbe" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5IczlgcL3RijC62WnIh9" alt=""><figcaption></figcaption></figure>

Bruh .\_.

<figure><img src="/files/Lvhv76dzps6TAwMm2EiM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/DRWD2X8b9dnTnCSTxcFn" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Pagf8twkDYh1fbLkL3bn" alt=""><figcaption></figcaption></figure>

