Author: moncef fennan — Date: 2025-11-03
Tags: ctf, tryhackme, nmap, enumeration, ssh, web
Start with a full TCP port scan to discover services.
```bash
nmap -sT -p- <TARGET_IP>
```
Note
Question: How many services are running under port 1000?
Answer: 2
We go service by service: grab banners, poke the web app, and hunt for flags.
Note
Question: What is running on the higher port?
Answer: The service on port 2222 is ssh.
SSH on a non-standard port — nothing fancy, just remember to connect with `-p 2222`.
Directory enumeration showed a /simple path which pointed to CMS Made Simple. I checked Exploit‑DB and found an exploit for it.

I confirmed the CVE and vulnerability type from the exploit details.

Note
Question: What's the CVE you're using against the application?
Answer: CVE-2019-9053
Note
Question: To what kind of vulnerability is the application vulnerable?
Answer: sqli (SQL injection)
This SQLi lets us dump database data — including a password hash.
CTFs love decoys. After hitting /simple, I spent a little time exploring other obvious paths and creds that looked promising but led nowhere useful. Those dead ends included some directories that had no flags. I kept notes, pivoted back to the CMS exploit, and saved time — that’s the trick: try quickly, document the dead end, then move on.
I used the exploit from Exploit‑DB to pull a hashed password and the username, then cracked the hash locally with hashcat.
![[nano exploit.py.png]]
The exploit from Exploit-DB returns the username and a hashed password, which we then attempt to crack with hashcat.
Note
Question: What's the password?
Answer: secret
Use the recovered credentials to SSH into the host.
Note
Question: Where can you login with the details obtained?
Answer: ssh
After logging in, the user flag was found inside /usr.txt.
Note
Question: What's the user flag?
Answer: G00d j0b, keep up!
I checked /home and found another user folder.
Note
Question: Is there any other user in the home directory? What's its name?
Answer: sunbath
We checked allowed sudo commands to find a path to root.
```bash
sudo -l
```
The output showed the current user can run vim as root without a password. This can be leveraged to spawn a root shell.
Note
Question: What can you leverage to spawn a privileged shell?
Answer: vim
Example escalation command (run as the vulnerable user):
```bash
sudo vim -c ':!/bin/sh'
# or
sudo vim -c 'set shell=/bin/sh' -c ':shell'
```
After escalating to root, I read the root flag.
Note
Question: What's the root flag?
Answer: W3ll d0n3. You made it!
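As an added defensive check (not part of the original writeup), the script below parses `sudo -l` output and flags NOPASSWD entries that hand a privileged user an editor or pager capable of spawning a shell, which is exactly how the vim entry above became a root shell. The sample output, the user name `ctfuser` and the short shell-escape list are constructed for this example and are not exhaustive.

```python
import re
from dataclasses import dataclass

# Constructed sample of `sudo -l` output; not captured from the box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for ctfuser on Machine:
    env_reset, mail_badpass

User ctfuser may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get
    (ALL : ALL) NOPASSWD: /usr/bin/less, /bin/systemctl status
"""

# Short, non-exhaustive set of binaries that offer a shell escape when run
# under sudo (editors and pagers, like the vim finding in this box).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "nano", "less", "more", "man", "find", "awk"}

# (runas) [TAG: ...] command[, command ...]
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


@dataclass
class Finding:
    runas: str       # target user(s) the command may run as
    nopasswd: bool   # True when no password is required
    command: str     # the permitted command as written in sudoers
    risky: bool      # binary is known to allow a shell escape


def parse_sudo_l(output: str) -> list[Finding]:
    """Parse the command section of `sudo -l` output into Findings."""
    findings, in_cmds = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_cmds = True          # everything after this header is an entry
            continue
        if not in_cmds or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the program
            findings.append(Finding(m.group("runas"), nopasswd, cmd, binary in SHELL_ESCAPE_BINARIES))
    return findings


def privileged_shell_paths(output: str) -> list[str]:
    """Commands that give a password-less, root-capable shell escape."""
    return [f.command for f in parse_sudo_l(output)
            if f.risky and f.nopasswd and ("root" in f.runas or "ALL" in f.runas)]


if __name__ == "__main__":
    for cmd in privileged_shell_paths(SAMPLE_SUDO_L):
        print("review this sudoers entry:", cmd)
```

Run it against real `sudo -l` output piped from an audited host; anything it lists should be reviewed and, where possible, replaced with a tightly scoped command or a passwordless entry removed.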
Nice and clean box — good practice flow:
- Full port scan first — nonstandard ports matter (SSH on 2222).
- Directory enumeration found `/simple` and exposed CMS Made Simple.
- Exploit‑DB led to CVE-2019-9053 (SQLi), which dumped a hash.
- Cracked hash with hashcat → got creds → SSH → user flag.
- Checked `sudo -l` and used `vim` to escalate to root and get the root flag.