VulnNet: Internal
Service-chaining across SMB, NFS, Redis, Rsync, and TeamCity CI/CD. Credential pivoting from NFS config leaks to Redis keystore to rsync SSH key injection. Final privesc via TeamCity build RCE as root. 4 flags captured.
0xb0rn3@tryhackme:~$ cat completed_rooms.txt
Credentials leaked in HTML comments and robots.txt, leading to a command execution panel with a blacklisted cat trivially bypassed with less. www-data has NOPASSWD sudo ALL — instant root. 3 ingredients found.
FTP anonymous intel leak reveals weak reused password. Time-based blind SQLi (CVE-2019-9053) in CMS Made Simple 2.2.8 extracts salted MD5 hash. Cracked creds give SSH access. Privilege escalation via vim sudo NOPASSWD — GTFOBins one-liner to root.
Anonymous FTP leaks a username and custom password wordlist. Hydra brute-forces SSH in 10 attempts. Sudo /bin/tar with GTFOBins checkpoint callback gives instant root.
Weak XOR encryption with a 5-byte repeating key. Known-plaintext attack using the THM{...} flag format recovers all key bytes with zero brute-force. 2 flags captured.
User-Agent header fuzzing reveals agent identity. FTP brute-force, steganography chain (ZIP → Base64 → steghide) extracts SSH creds. CVE-2019-14287 sudo !root bypass gives instant root.
Valentine's Day themed Flask app — robots.txt credential leak exposes a hidden vault path and plaintext password. Directory brute-force via Gobuster reveals an admin panel. Credential stuffing captures the flag.
Complete walkthrough from recon to root: File upload filter bypass with .php5 extension + Python SUID privilege escalation. Includes automation script.