TryHackMe CTFs
Below are write-ups covering the key details of each completed TryHackMe room.
Difficulty: Easy
basicpentestingjt Enumerate Samba users (`enum4linux.pl`), `ssh2john` to crack private key.
picklerick Use `hydra` with `R1ckRul3s`, `sudo` to root the box.
rrootme TBD
ohsint TBD
cowboyhacker Anonymous FTP with password list. Can `sudo tar`, and we use `--checkpoint`.
crackthehash Use `hash-identifier`, CrackStation, and `hashcat`.
inclusion All Local File Inclusion (did not log in).
agentsudoctf Send custom `User-Agent`; `hydra` against FTP; `steghide`, `binwalk`, and `zip2john`; sudo with `-u#-1`
overpass Improper session handling; `ssh2john` to crack private key; `cron` job runs `buildscript.sh` that we edit. Metasploit option too.
lazyadmin SweetRice CMS; Exposed `.sql` file; File Upload Bypass; Sudo `backup.pl` which calls our script.
ignite Fuel CMS; ExploitDB Python script or File Upload Bypass; CVE with different paths; Shared MySQL password with root.
startup Writable FTP for reverse shell; PCAP in 'incidents' has password; External cron runs `print.sh` that we control.
tomghost Ghostcat exploits Apache JServ Protocol; `john` and `gpg` cracking; We `sudo zip` and leverage `--unzip-command`.
chillhack A `/secret/` URL lets you run commands. `account.php` has DB credentials shared with user; send our SSH key to log in; `steghide` and `fcrackzip` to PE. Docker filesystem breakout!
bruteit We use `hydra` to brute-force the website login; `ssh2john` and `john` to log in with SSH keys; Crack `passwd` and `shadow` with `john`.
fowsniff-ctf Simulated leaked creds on pastebin; Crack MD5 hashes; Credential Stuffing against SSH and POP3; Read emails, check for unchanged passwords; Command Injection for MOTD or ExploitDB for old Kernel.
Difficulty: Medium
mrrobot Use `hydra` to brute force password for `elliot`; Edit WordPress theme file to set up reverse shell; We can `su` because of crackable hash.
dogcat Use Local File Inclusion and HTTP header injection; Can sudo `env` so we get root, but in a container; Reverse shell container breakout via `backup.sh`.
Difficulty: Hard
dailybugle Joomla SQL Injection on old OS and kernel; `john` to crack one `bcrypt` password hash. PE by running `yum` plug-in since we can `yum` as `sudo`.
internal WordPress site; Hydra to brute-force password; We find Jenkins container; port-forward that and brute-force that password. PE: is an exposure of a file