TryHackMe Simple CTF — Complete Walkthrough & Writeup
Introduction
Simple CTF is a beginner-friendly TryHackMe room that walks you through the core steps of penetration testing — from port scanning and web exploitation to SSH access and privilege escalation. If you are new to CTFs, this is a great place to start. In this writeup, we will answer all 10 questions step by step in plain language.
Step 1 — Deploy the Machine and Scan for Open Ports
After deploying the machine, we use a two-phase scanning approach — first RustScan for fast port discovery, then Nmap for deep service enumeration.
Phase 1 — RustScan (Fast Port Discovery)
RustScan scans all 65,535 ports in seconds. It is significantly faster than a standard Nmap full-port scan and is the recommended first step in any CTF.
RustScan Output:
Open 21
Open 80
Open 2222
RustScan instantly tells us which ports are open: 21, 80, and 2222. Now we hand those ports off to Nmap for detailed fingerprinting.
Why use RustScan first? Nmap is thorough but slow when scanning all ports. RustScan finds the open ports quickly, so Nmap only needs to probe the ports that matter — saving significant time.
Phase 2 — Nmap (Detailed Service Enumeration)
Now we run Nmap with -sC (default scripts) and -sV (version detection) against only the open ports found by RustScan.
Nmap Results:
| Port | Service | Notes |
|---|---|---|
| 21/tcp | FTP (vsftpd 3.0.3) | Anonymous login allowed |
| 80/tcp | HTTP (Apache) | Web server running |
| 2222/tcp | SSH (OpenSSH 7.2p2) | Non-standard port |
Q1 — How many services are running under port 1000?
From both RustScan and Nmap output, ports 21 (FTP) and 80 (HTTP) are both below 1000.
Answer: 2
Q2 — What is running on the higher port?
RustScan found port 2222 as the highest open port. Nmap confirms it is running SSH.
Answer: ssh
Step 2 — FTP Enumeration
Since FTP allows anonymous login, let us check what is inside.
Inside the FTP server, there is a file called ForMitch.txt. Reading it reveals a hint that a user called Mitch has a weak password. This is useful intel for later.
Step 3 — Web Enumeration
Browsing to http://<TARGET_IP> shows the default Apache2 page — nothing useful here. Next, we use Gobuster to discover hidden directories.
Gobuster finds a directory at /simple. Navigating to http://<TARGET_IP>/simple reveals a CMS Made Simple installation. Scrolling to the bottom of the page shows the version: CMS Made Simple 2.2.8.
Q3 — What's the CVE you're using against the application?
We search for known vulnerabilities in CMS Made Simple 2.2.8 using searchsploit.
This returns a SQL injection exploit. The CVE number associated with this vulnerability is:
Answer: CVE-2019-9053
Q4 — To what kind of vulnerability is the application vulnerable?
The exploit found is a blind time-based SQL injection via the m1_idlist parameter in the News module.
Answer: SQLi (SQL Injection)
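From the defender's side, a time-based blind injection against m1_idlist appears in the web server log as repeated requests carrying malformed values, some of them unusually slow. The sketch below is an added example, not part of the room or of CMS Made Simple; it assumes that a valid m1_idlist is a comma-separated list of numeric IDs and that the access log records the response time in microseconds (%D) as its last field. The log lines and URL layout are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "m1_idlist"
# Assumption: a legitimate value is a comma-separated list of numeric IDs.
VALID_IDLIST = re.compile(r"\d+(?:,\d+)*")

# Assumed log format: Apache "common" plus %D (response time in microseconds).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ (\d+)$'
)

# Constructed sample lines; client addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /simple/?m1_idlist=1,2,3 HTTP/1.1" 200 512 41873
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /simple/?m1_idlist=1%27 HTTP/1.1" 200 512 38011
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /simple/?m1_idlist=2%29--x HTTP/1.1" 200 512 1004210
198.51.100.7 - - [01/Jan/2024:10:00:08 +0000] "GET /simple/?m1_idlist=3%29--y HTTP/1.1" 200 512 1002954
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /simple/ HTTP/1.1" 200 2048 20114
"""


def suspicious_idlist_requests(log_text, slow_us=1_000_000):
    """Per client: count of malformed m1_idlist values, and how many were slow."""
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        ip, url, duration = m.group(1), m.group(2), int(m.group(3))
        # parse_qs percent-decodes, so encoded quotes and brackets are checked too.
        for value in parse_qs(urlsplit(url).query).get(PARAM, []):
            if VALID_IDLIST.fullmatch(value):
                continue  # well-formed ID list
            entry = summary.setdefault(ip, {"invalid": 0, "slow": 0})
            entry["invalid"] += 1
            # A slow response to a malformed value is the time-based signal.
            entry["slow"] += int(duration >= slow_us)
    return summary


if __name__ == "__main__":
    for ip, counts in suspicious_idlist_requests(SAMPLE_LOG).items():
        print(ip, counts)
```

The same allowlist pattern can be used to reject the request at a reverse proxy or WAF before it reaches the application.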
Step 4 — Exploiting CVE-2019-9053
We download the exploit script (ExploitDB ID: 46635) and run it with the --crack flag to extract and crack the credentials in one step.
Note: If you get a module error, install the required dependency first:
After the script runs, it returns:
- Username: mitch
- Email: admin@admin.com
- Password (cracked): secret
Q5 — What's the password?
Answer: secret
Step 5 — SSH Login
We now have valid credentials. Since SSH is open on port 2222, we log in using the credentials we just found.
We are now logged in as the user mitch.
Q6 — Where can you login with the details obtained?
Answer: SSH
Q7 — What's the user flag?
Once inside, list the files in the home directory and read the flag.
Answer: G00d j0b, keep up!
Q8 — Is there any other user in the home directory? What's its name?
Check the /home directory to see all user folders.
You will see two directories: mitch and another user called sunbath.
Answer: sunbath
Step 6 — Privilege Escalation via vim
To escalate to root, first check what sudo permissions mitch has.
The output shows that mitch can run vim as root without a password:
(root) NOPASSWD: /usr/bin/vim
This is a classic misconfiguration. We can abuse vim to spawn a root shell. Using the technique from GTFOBins:
This opens a root shell. Confirm with:
Q9 — What can you leverage to spawn a privileged shell?
Answer: vim
Q10 — What's the root flag?
Navigate to the root home directory and read the flag.
Answer: W3ll d0n3. You made it!
Summary of Findings
| Step | Technique | Outcome |
|---|---|---|
| RustScan | Fast port discovery | Found ports 21, 80, 2222 instantly |
| Nmap | Detailed service scan | Identified FTP, HTTP, SSH with versions |
| FTP anonymous login | Information gathering | Found username hint (Mitch) |
| Gobuster | Directory enumeration | Found /simple → CMS Made Simple 2.2.8 |
| CVE-2019-9053 | SQL Injection exploit | Extracted username and cracked password |
| SSH login | Credential access | Gained shell as mitch |
| sudo vim | Privilege escalation | Gained root shell |
Key Lessons
- Disable anonymous FTP unless absolutely required: it leaks sensitive information.
- Keep CMS platforms updated: CMS Made Simple 2.2.8 was known to be vulnerable at the time of release.
- Enforce strong password policies: the password secret is trivially crackable.
- Audit sudo permissions carefully: editors like vim, nano, and less can all be abused for privilege escalation when granted with NOPASSWD.
- Always consult GTFOBins to understand what binaries can be weaponised.
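One way to run the sudo audit recommended above is to check `sudo -l` output for rules that grant shell-capable programs. This is an added example, not part of the room; the binary list contains only the three programs named on this page and should be extended from GTFOBins, and the sample listing is constructed around the rule found for mitch.

```python
import re

# Programs this page names as abusable under sudo. Assumption: extend this set
# from GTFOBins for a real audit.
SHELL_ESCAPE_BINARIES = {"vim", "nano", "less"}

# Constructed `sudo -l` listing; the first rule is the one found in the room.
SAMPLE_SUDO_L = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /bin/nano /etc/hosts
    (root) /usr/bin/systemctl status apache2
    (ALL : ALL) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/apt update
"""

# "(runas) [TAG: ...] command[, command ...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_listing(text):
    """Return (runas, binary, nopasswd) for each rule granting a listed binary."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Commands are comma-separated; escaped commas in arguments are not handled.
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]  # compare on the basename
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append((m.group("runas").strip(), binary, nopasswd))
    return findings


if __name__ == "__main__":
    for runas, binary, nopasswd in audit_sudo_listing(SAMPLE_SUDO_L):
        note = "no password required" if nopasswd else "password required"
        print(f"{binary} runs as {runas} ({note}): grants a shell to that account")
```

A rule that still asks for a password is reported as well, because the program can open a shell as the target account once the user authenticates.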
Room Link: TryHackMe Simple CTF