Simple CTF - Write-up

Overview

Platform: TryHackMe
Target: Simple CTF
Difficulty: Easy
Objective: User + Root access

Methodology

This assessment followed a structured offensive security methodology:

Reconnaissance
Enumeration
Initial Access
Privilege Escalation

Attack Flow

Port scan → services discovered
Directory enumeration → /simple
CMS identification → version disclosure
Exploit search → SQLi
Credential extraction → SSH access
Privilege escalation → sudo vim

Reconnaissance

Nmap Scan

sudo nmap -sS -sV -p- -v 10.128.190.228

Nmap scan results

Findings

The scan revealed three open TCP ports:

21/tcp — FTP (vsftpd 3.0.3)
80/tcp — HTTP (Apache 2.4.18)
2222/tcp — SSH (OpenSSH 7.2p2)

The majority of ports were filtered, suggesting a restricted attack surface limited to these exposed services.

Analysis

The presence of an HTTP service on port 80 indicates a primary attack vector through a web application. This is typically the most promising entry point and was prioritized during further enumeration.

The FTP service running on port 21 may allow anonymous access or misconfigurations, making it a secondary target worth investigating.

Interestingly, the SSH service is exposed on a non-standard port (2222), which may indicate an attempt to obscure remote access. This suggests that valid credentials could later be leveraged to gain shell access.

Overall, the attack surface is relatively small, allowing focused enumeration on the identified services, with particular emphasis on the web application.

Enumeration

Web Enumeration

Following the identification of an HTTP service, the root page was first accessed manually to assess the exposed content.

Default Apache page

Initial Observations

The web server returned the default Apache Ubuntu page, indicating that no application was directly exposed at the root of the web server.

This suggests that:

the web server is correctly installed and running
no meaningful application is hosted at /
additional content may exist in hidden directories

Directory Enumeration

Given the lack of functionality on the root page, directory enumeration was performed to uncover hidden resources.

gobuster dir -u http://10.128.190.228 -w /usr/share/wordlists/dirb/common.txt

Gobuster results

Findings

The enumeration revealed several endpoints:

/robots.txt (200 OK)
/simple (301 Redirect → /simple/)
restricted configuration files (.htaccess, .htpasswd) returning 403 responses

Application Analysis

CMS Identification

After discovering the /simple directory, the web application was accessed directly.

CMS Made Simple homepage

Observations

The application clearly identified itself as CMS Made Simple, as visible in the page header.

Further inspection of the page source and footer revealed the exact version:

CMS version disclosure

CMS Made Simple version 2.2.8

Analysis

The disclosure of both the CMS name and its version is highly valuable from an offensive security perspective, as it allows for precise vulnerability research.

At this stage, the attack surface becomes significantly more focused, enabling the identification of known vulnerabilities affecting this specific version.

Initial Access

Vulnerability Identified

A known vulnerability exists for CMS Made Simple 2.2.8. Using Searchsploit, a matching exploit was identified for this version of the CMS.

searchsploit cms made simple 2.2.8

Searchsploit results

Vulnerability Details

CVE: CVE-2019-9053
Type: SQL Injection
Affected Component: CMS Made Simple (<= 2.2.10)

This vulnerability allows unauthenticated attackers to extract sensitive data from the database, including user credentials.

The exploit leverages a blind SQL injection vulnerability in the CMS search functionality, allowing extraction of password hashes from the backend database.

Exploitation

The exploit was first copied locally from the Exploit-DB repository:

searchsploit -m 46635

Exploit copied locally

The exploit was then executed against the target instance:

python3 46635.py -u http://10.128.190.228/simple --crack -w /usr/share/wordlists/rockyou.txt

Exploit execution
_{Note: A custom shell function was used during execution to run the exploit inside a Docker container providing a legacy Python environment.}

Result

The exploit retrieved password hashes, which were then cracked using a wordlist attack.

Credentials recovered

Recovered credentials:

Username: mitch
Password: secret

These credentials provided a valid entry point for remote access over SSH.

SSH Access

With valid credentials identified, SSH access was established on the non-standard port exposed during reconnaissance.

ssh mitch@10.128.190.228 -p 2222

SSH login as mitch

Result

This provided an interactive shell as the user mitch.

Under this user context, it became possible to:

read the user flag
enumerate local privileges and misconfigurations
investigate privilege escalation paths

Privilege Escalation

Local Enumeration

Once authenticated as mitch, local privilege enumeration was performed. A review of sudo permissions quickly revealed a dangerous misconfiguration:

sudo -l

Sudo privilege enumeration

Findings

The user was allowed to execute vim as root without being prompted for a password.

This is a critical privilege escalation vector because vim allows shell execution from within the editor.

Exploitation

The misconfigured sudo permission allows execution of vim as root.

A shell can be spawned directly from within vim using the following command:

sudo vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Root access obtained

Privilege level obtained: Root
Impact: Full system compromise

Conclusion

Key Takeaways

Initial access vector: SQL injection in CMS Made Simple 2.2.8 leading to credential extraction
Privilege escalation vector: Misconfigured sudo permissions allowing vim execution as root
Main lesson learned: Even a limited attack surface can result in full compromise when vulnerable applications and unsafe privilege assignments are chained together

Impact

The combination of a vulnerable web application and misconfigured sudo permissions resulted in full system compromise, demonstrating how chained vulnerabilities can lead to complete privilege escalation.

Final Notes

The compromise followed a straightforward but effective chain of exploitation. After discovering a CMS Made Simple instance during web enumeration, a public exploit was used to abuse a SQL injection vulnerability and recover valid credentials. These credentials enabled SSH access as a low-privileged user. Local enumeration then revealed that vim could be executed as root via sudo, resulting in immediate privilege escalation and full system compromise.

Remediation

Recommended Fixes

Patch or upgrade CMS Made Simple 2.2.8 to a non-vulnerable version
Remove unnecessary public exploits from the attack path by keeping web applications up to date
Restrict sudo permissions and avoid granting interpreters or editors elevated execution rights
Apply the principle of least privilege to all user accounts
Review exposed services and reduce unnecessary attack surface
Enforce strong password hygiene and credential rotation
Improve monitoring and logging for authentication events and suspicious command execution

Tools Used

Nmap
Gobuster
Searchsploit
Python
SSH

Summary

Phase	Outcome
Reconnaissance	Identified FTP, HTTP, and SSH services
Enumeration	Discovered `/simple` and identified CMS Made Simple 2.2.8
Initial Access	Exploited SQL injection to recover valid credentials
Privilege Escalation	Abused sudo misconfiguration on `vim` to obtain root

Skills Practiced

Service enumeration
Web application fingerprinting
Vulnerability research with Searchsploit
Exploit execution and credential recovery
SSH-based post-exploitation
Privilege escalation through sudo misconfiguration
Documentation and reporting