Day-04: TryHackMe [Simple CTF] Room Walkthrough
Hi! I'm Adbin Magar, the researcher behind TheGreyLens. If you’ve seen my previous blogs, you know I’m currently tackling a daily CTF challenge where I complete TryHackMe rooms and document the process. Today is Day 4, and I'll be walking you through the Simple CTF room.
🛠 Tools Used
Nmap: Network scanning and service enumeration.
Gobuster: Directory brute-forcing.
Exploit-DB: Identifying CVEs.
Hydra: SSH credential brute-forcing.
GTFOBins: Privilege escalation techniques.
Question 1: How many services are running under port 1000?
I used my go-to tool Nmap to scan the target. It revealed three open services. Excluding the high-port service (2222), there are two services running under port 1000.
Answer: 2
Question 2: What is running on the higher port?
Answer: ssh
Question 3: What's the CVE you're using against the application?
I used Gobuster and discovered a /simple directory.
After discovering the /simple directory, I opened it in my browser, and scrolling through the page revealed that the site was running CMS Made Simple version 2.2.8.
After searching the Exploit Database, I found an exploit applicable to all versions lower than 2.2.10 of CMS Made Simple.
Answer: CVE-2019-9053
Question 4: To what kind of vulnerability is the application vulnerable?
Looking into it more, I discovered an example URL for the administration console, which I decided to try:
http://.../simple/admin
It showed me the admin panel, which confirmed that the admin panel was accessible and that it is at the default URL.
After researching the CVE I identified, I found it is vulnerable to a time-based SQL injection.
Answer: sqli
Question 5: What's the password?
Copy and paste the Python code that we found on Exploit-DB onto our attacker machine as a .py file, for example exploit.py, which I did here.
Also, note that we can get many errors while running the code. Put parentheses/brackets on every line of code starting with print. For example, print ("[+] Specify an url target")
I ran the script with:
python3 exploit.py -u http://10.48.156.226/simple/
This revealed the username mitch and passwords in hash format. But for now the username I got is very important. Using Hydra with rockyou.txt, I successfully brute-forced the mitch password.
Answer: secret
Question 6: Where can you login with the details obtained?
Answer: ssh
Question 7: What's the user flag?
I tested the username mitch and the password secret in the browser to see whether it would log me in, which it did.
Then I logged in as mitch through the SSH service. Running just the ls command showed me user.txt. Reading the file gave me the flag.
Answer: G00d j0b, keep up!
Question 8: Is there any other user in the home directory? What's its name?
Answer: sunbath
Question 9: What can you leverage to spawn a privileged shell?
During privilege escalation, I used sudo -l to check my permissions. It showed that mitch can run /usr/bin/vim without a password. Referencing GTFOBins, I found that vim can be used to spawn a root shell.
Answer: vim
Question 10: What's the root flag?
Using the command sudo vim -c ':!/bin/bash' (found on GTFOBins), I spawned a root shell. I then used the find command to locate the root.txt file, which instantly showed me that it was in the /root directory. Then, using the cat command, I read the root flag easily.
Answer: W3ll d0n3. You made it!
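As an added example (not part of the original walkthrough or the room's material), here is a defender-side audit for the sudo rule seen in Questions 9 and 10: it parses `sudo -l` output and flags rules that grant a binary with a known shell escape. The sample output, the host name and the short binary list are constructed for illustration.

```python
import re

# Illustrative subset of binaries with a documented shell escape under sudo
# (an assumption for this example; GTFOBins keeps the full catalogue).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "less", "more", "man", "find", "awk",
                         "nano", "python3", "perl", "env", "tar"}

# Constructed sample of `sudo -l` output, modelled on the rule described above.
SAMPLE_SUDO_L = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/sbin/ufw status, /usr/bin/less /var/log/syslog
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")  # NOPASSWD:, PASSWD:, SETENV:, ...


def audit_sudo_rules(sudo_l_output):
    """Return one finding per granted command that allows a shell escape."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults entries, blank lines
        nopasswd = False  # a tag stays in effect until a later tag overrides it
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            tags = TAG_RE.match(cmd)
            if tags:
                names = tags.group(1).replace(":", " ").split()
                if "NOPASSWD" in names:
                    nopasswd = True
                elif "PASSWD" in names:
                    nopasswd = False
                cmd = cmd[tags.end():].strip()
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                findings.append({"runas": m.group("runas").strip(),
                                 "command": cmd, "nopasswd": nopasswd})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        level = "HIGH" if f["nopasswd"] else "MEDIUM"
        print(f"[{level}] as {f['runas']}: {f['command']}")
```

A flagged rule is a candidate for removal or for replacement with sudoedit or a narrowly scoped wrapper script.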
🎯 Day 4 Mission Accomplished
Flag captured! That concludes Day 4 of my daily CTF journey. Today was also a great learning experience. I hope you learned something too. See you on Day 5.
Happy hacking! :)
