s1gn 1n subscr1b3

Simple CTF - Full Walkthrough

Simple CTF - Full Walkthrough

This post covers my full approach to the TryHackMe box Simple CTF, a beginner-friendly machine that turned out to be a lot more versatile than expected. What I appreciated most about this box is that it allows multiple paths to root, and depending on how you think, you might completely bypass one vector in favor of another.

That’s exactly what happened in my case. I found myself skipping the web vulnerability entirely and going in through a much simpler, and arguably more realistic, route. I’ll go into detail below.

Initial Recon and Enumeration

The first step in any CTF is a good scan. I used Nmap to scan all TCP ports and identify versions and services running on the target system:

nmap -sV -sC -p- -T4 10.10.68.253

This revealed three interesting open ports:

  • 21/tcp - FTP (vsftpd 3.0.3)
  • 80/tcp - HTTP (Apache 2.4.18)
  • 2222/tcp - SSH (OpenSSH 7.2p2, custom port)

While I did a quick check on the webserver and found only the default Apache page, I didn't pursue it further. No custom content, no directory listing, and no application banner caught my eye immediately, so I moved on to more promising targets.

Anonymous FTP Access

The FTP service caught my attention, especially since it's not unusual for misconfigured servers to allow anonymous access. I tested this by connecting directly with the ftp command and using "anonymous" as the username:

ftp 10.10.68.253
Name: anonymous
Password: [enter]

I gained access without issue. Inside the /pub directory, there was a single file: ForMitch.txt. I downloaded it with the get command and read the contents:

Dammit man... you're the worst dev I've seen. You set the same pass for the system user, and the password is so weak... I cracked it in seconds. Gosh... what a mess!

This clearly pointed to the existence of a user named "mitch" and implied the password was both reused and extremely weak. Time to brute-force.

Brute-Forcing SSH on Port 2222

I now had a username (mitch) and a strong hint that the password was weak enough to be found in common wordlists. I targeted the SSH service, which was running on the non-standard port 2222. I used Hydra for the brute-force attempt, specifying the popular rockyou.txt list that comes preinstalled on Kali Linux:

hydra -l mitch -P /usr/share/wordlists/rockyou.txt -s 2222 -t 4 10.10.68.253 ssh

The attack didn’t take long to succeed. Hydra returned valid credentials for SSH:

[2222][ssh] host: 10.10.68.253 login: mitch password: secret

Armed with those, I connected directly to the machine:

ssh -p 2222 mitch@10.10.68.253

User Shell & User Flag

Once on the box as user mitch, I explored the home directory. As expected in CTFs, there was a file named user.txt. Reading it gave me the first flag:

cat user.txt
G00d job, keep up!

This confirmed the foothold was successful. From here, the next goal was to escalate privileges and gain full root access.

Privilege Escalation via Vim (sudo misconfig)

I ran the classic privilege escalation check:

sudo -l

This revealed a significant misconfiguration:

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

This meant that the user mitch could execute vim as root without a password. Since vim can spawn shell commands, this essentially allowed a root shell without needing an exploit.

I ran:

sudo vim

And from inside vim, executed a shell with:

:!bash

This dropped me into a root shell instantly.

Finding the Root Flag

With root access, the last task was to locate the final flag. Although many CTFs place the flag in /root/, I verified its location using the find command:

find / -name root.txt 2>/dev/null

The file was indeed located in /root/. Reading it gave me:

cat /root/root.txt
W3ll d0n3. You made it!

Root access achieved, challenge complete.

About Those Two Unanswered Questions

TryHackMe also asks:

  • What CVE are you using?
  • What kind of vulnerability is the application vulnerable to?

And this is where it gets interesting. I didn’t use any CVE. I never touched the actual web app that apparently runs CMS Made Simple 2.2.8, which is vulnerable to CVE-2019-9053 (a blind time-based SQLi in the m1_idlist parameter).

My path was through misconfigurations and weak credentials, much more common in real-world environments than obscure CMS zero-days.

So initially I had no idea what to answer for those questions. Only later, after reading a walkthrough out of curiosity, I found out where that CVE came into play.

Conclusion

Simple CTF might be an entry-level box, but it does a great job at showing how important enumeration is, and how multiple paths to root can exist. Whether you come in through the web app, the filesystem, or just some sloppy user hygiene, there’s always more than one way in.

In my case, weak credentials and a sudo misconfiguration were enough.

Highly recommend this box for beginners and anyone getting back into the CTF mindset.