CTF Writeups

0xb0rn3@tryhackme:~$ cat completed_rooms.txt

23 rooms pwned
Platform
Difficulty
TryHackMe Medium

Year of the Pig

Porco Rosso-themed PHP webapp. Password derived from Savoia S.21 theme lore, MD5 client-side hashing exploited via API replay, SSH pivot on timed 120s window, PHP webshell via web-developers group write, SUID rootbash for full root. 3 flags captured.

3 flags
MD5 Cracking PHP Webshell SUID Privesc Medium
Read Writeup
TryHackMe Medium

Cheese CTF

The Cheese Shop — SQL injection auth bypass (time-based blind + UNION), LFI via raw include(), RCE through Synacktiv PHP filter chain, SSH lateral move via world-writable authorized_keys, privesc via writable systemd timer to SUID xxd.

2 flags
SQLi LFI → RCE PHP Filter Chain Systemd Abuse Medium
Read Writeup
TryHackMe Medium

Relevant

Windows Server 2016. Anonymous SMB write to IIS webroot, ASPX webshell upload, SeImpersonatePrivilege → PrintSpoofer → SYSTEM.

2 flags
SMB ASPX Webshell PrintSpoofer Windows
Read Writeup
TryHackMe Medium

0day

Shellshock (CVE-2014-6271) via CGI User-Agent → DirtyCOW (CVE-2016-5195) kernel race → /etc/passwd overwrite → root. Fully automated.

2 flags
CVE-2014-6271 CVE-2016-5195 Shellshock DirtyCOW
Read Writeup
TryHackMe Hard

Ghizer

WordPress plugin upload to webshell, JDWP port forwarding + JDB Log4j breakpoint exploitation on Ghidra process for lateral movement, Python import hijack via sudo for root.

2 flags
JDWP WordPress RCE Import Hijack Hard
Read Writeup
TryHackMe Medium

Dogcat

PHP LFI with ext= bypass, Apache log poisoning for RCE, sudo env root inside Docker, bind mount cron hijack for host escape. 4 flags across container and host.

4 flags
LFI Log Poisoning Docker Escape Medium
Read Writeup
TryHackMe Easy

Wgel CTF

Exposed SSH private key via /.ssh/id_rsa in web directory. Sudo wget NOPASSWD — exfiltrate root files via --post-file.

2 flags
Exposed SSH Key Sudo wget Easy
Read Writeup
TryHackMe Medium

Wonderland

Reversed flag locations. 4-user lateral chain: hidden web creds → Python import hijack → SUID PATH hijack → Perl cap_setuid for root. Alice in Wonderland themed.

2 flags
Import Hijack PATH Hijack cap_setuid Medium
Read Writeup
TryHackMe — AoC 2023 Insane

Snowy ARMageddon

ARMv5 IoT camera exploitation. Port knock bypass via full nmap sweep, stack buffer overflow in embedded web server with custom ARM shellcode (bad char avoidance, ROP to bx sp), credential harvest from firmware, visual flag from MJPEG stream, then MongoDB NoSQL injection for the second key.

2 flags
ARM Buffer Overflow IoT / Shellcode NoSQL Injection Insane
Read Writeup
TryHackMe Medium

VulnNet: Internal

Service-chaining across SMB, NFS, Redis, Rsync, and TeamCity CI/CD. Credential pivoting from NFS config leaks to Redis keystore to rsync SSH key injection. Final privesc via TeamCity build RCE as root. 4 flags captured.

THM{e8996faea46df09dba5676dd271c60bd}
Credential Chain TeamCity RCE SSH Injection Medium
Read Writeup
TryHackMe Easy

Pickle Rick

Credentials leaked in HTML comments and robots.txt lead to a command execution panel; the blacklisted cat command is trivially bypassed with less. www-data has NOPASSWD sudo ALL, so root is instant. 3 ingredients found.

Command Injection Sudo Abuse Web Exploit Easy
Read Writeup
TryHackMe Easy

Simple CTF

FTP anonymous intel leak reveals weak reused password. Time-based blind SQLi (CVE-2019-9053) in CMS Made Simple 2.2.8 extracts salted MD5 hash. Cracked creds give SSH access. Privilege escalation via vim sudo NOPASSWD — GTFOBins one-liner to root.

CVE-2019-9053 Blind SQLi vim PrivEsc Easy
Read Writeup
TryHackMe Easy

Bounty Hacker

Anonymous FTP leaks a username and custom password wordlist. Hydra brute-forces SSH in 10 attempts. Sudo /bin/tar with GTFOBins checkpoint callback gives instant root.

THM{80UN7Y_h4cK3r}
SSH Brute-Force GTFOBins tar FTP Enum Easy
Read Writeup
TryHackMe Easy

W1seGuy

Weak XOR encryption with a 5-byte repeating key. Known-plaintext attack using the THM{...} flag format recovers all key bytes with zero brute-force. 2 flags captured.

THM{BrUt3_ForC1nG_XOR_cAn_B3_FuN_nO?}
Cryptography XOR Attack Known-Plaintext Easy
Read Writeup
TryHackMe Easy

Agent Sudo

User-Agent header fuzzing reveals agent identity. FTP brute-force, steganography chain (ZIP → Base64 → steghide) extracts SSH creds. CVE-2019-14287 sudo !root bypass gives instant root.

root flag
CVE-2019-14287 Steganography User-Agent Abuse Easy
Read Writeup
TryHackMe Medium

Chill Hack

Command injection blacklist bypass → sudo script injection → MySQL credential dump → steganography chain → SSH as docker group user → docker run -v /:/host → root. Four lateral moves, three users.

root flag
Docker Escape Command Injection Steganography Medium
Read Writeup
TryHackMe Medium

Crypto Failures

PHP DES-crypt cookie scheme in ECB mode. Source backup disclosure reveals block-independent hashing. ECB block-swap forges admin session, then a chosen-plaintext DES oracle recovers the full encryption key byte-by-byte. OWASP A02:2021.

key recovered
ECB Block-Swap DES Oracle Chosen-Plaintext Medium
Read Writeup
TryHackMe Medium

Silver Platter

Two chained CVEs in Silverpeas 6.3.1: CVE-2024-36042 auth bypass + CVE-2023-47323 IDOR leaks SSH creds. Journal log analysis exposes Docker DB password → credential reuse → sudo root.

root flag
CVE-2024-36042 CVE-2023-47323 Credential Reuse Medium
Read Writeup
TryHackMe Medium

Rabbit Store

Deep 5-stage chain: mass assignment bypasses activation, SSRF discovers internal RabbitMQ, hidden chatbot endpoint vulnerable to Jinja2 SSTI gives RCE as azrael, Erlang cookie enables RPC to extract root password hash — SHA-256 hex is the Linux root password.

root flag
Jinja2 SSTI Erlang RPC Mass Assignment SSRF
Read Writeup
TryHackMe Easy

The Sticker Shop

Stored XSS in a Flask feedback form — admin bot renders unsanitized input on the same machine as the web server. Relative-URL fetch("/flag.txt") bypasses CORS (same-origin), base64 exfiltration via Image beacon. No CSP.

flag captured
Stored XSS Same-Origin Exfil Easy
Read Writeup
February 2026 TryHackMe

Hidden Deep Into My Heart

Valentine's Day themed Flask app — robots.txt credential leak exposes a hidden vault path and plaintext password. Directory brute-force via Gobuster reveals an admin panel. Credential stuffing captures the flag.

THM{l0v3_is_in_th3_r0b0ts_txt}
Info Disclosure Credential Leak Dir Bruteforce Easy
Read Writeup
TryHackMe Medium

Blog

WordPress 5.0.0. PHP-JPEG polyglot survives GD at 100×100 crop only. CVE-2019-8943 path traversal drops shell into theme dir; CVE-2019-8942 unprotected save-attachment-compat sets _wp_page_template → RCE. SUID checker binary with getenv("admin") privesc. Custom Node.js exploit.

2 flags
CVE-2019-8942 CVE-2019-8943 JPEG Polyglot SUID Privesc Medium
Read Writeup
February 2026 TryHackMe

RootMe — Full Exploitation Chain

Complete walkthrough from recon to root: file upload filter bypass with a .php5 extension, then Python SUID privilege escalation. Includes an automation script.

File Upload SUID Privesc Web Shell Easy
Read Writeup