TryHackMe: Crocc Crew
This box is rated insane difficulty on THM and has a general theme of hacking an already compromised Domain Controller to discover the trail left behind by t...
This box is rated insane difficulty on THM and has a general theme of hacking an already compromised Domain Controller to discover the trail left behind by t...
This box is rated hard difficulty on THM. It involves us discovering an Atlassian BitBucket instance running on a higher HTTP port, leading us to a GitHib re...
This box is rated medium difficulty on THM. It involves us discovering an old API parameter that allows us to read files on the web server. Using this grab t...
This box is rated hard difficulty on THM. It involves us finding an SSRF vulnerability that allows access to internal resources on the web server. Using that...
This box is rated hard difficulty on THM. It involves us AS-REP roasting a user’s hash in order to get an initial foothold on the system. From there we abuse...
This box is rated hard difficulty on THM. It involves us discovering an employee spreadsheet in a backup directory on the web server that leads to AS-REP roa...
This box is rated hard difficulty on THM. It involves us exploiting a Server-Side Request Forgery attack to enumerate an internal web server and bypassing a ...
This box is rated hard difficulty on THM. It involves us finding default credentials for domain users through LDAP anonymous binds and abusing a misconfigura...
This box is rated medium difficulty on THM. It involves us discovering an SSRF vulnerability on a website that allows for internal service enumeration. We fi...
This box is rated hard difficulty on THM. It involves us grabbing a network packet capture file from SMB which holds a development virtual host inside of a P...
This box is rated medium difficulty on THM. It involves us using default credentials to log into an ActiveMQ instance as Admin. That discloses the version wh...
This box is rated hard difficulty on THM. It involves us Kerberoasting a user who’s SPN we can modify and abusing Guest permissions to perform an RBCD attack...
This box is rated medium difficulty on THM. It involves us discovering an eCommerce website that’s vulnerable to SQL injection and a subdomain hosting Wordpr...
This box is rated easy difficulty on THM. It involves us finding a version of OsCommerce that is vulnerable to RCE which grants us a high-level shell on the ...
This box is rated medium difficulty on THM. It involves us peforming a reverse tabnabbing attack to steal administrator credentials on a website. That same p...
This box is rated medium difficulty on THM. It involves us exploiting a blind-based SQL injection to dump user credentials on the website. Doing so rewards u...
This box is rated medium difficulty on THM. It involves us exploiting a SQL injection in an old CMS site, which leads to dumping user credentials. Using a re...
This box is rated medium difficulty on THM. It involves us exploiting a PHP web application via LFI to gain Remote Code Execution by poisoning access logs. T...
This box is rated hard difficulty on THM. It involves us finding out that a web application is vulnerable to Second-Order SQL injection, which could be used ...
This box is rated hard difficulty on THM and is apart of the advanced track in the Love at First Breach ‘26 event. It involves us getting LFI/RCE in the webs...
Box link– https://tryhackme.com/room/rocket
This box is rated hard difficulty on THM. It involves us exploiting a web application built with BlogEngine to get a reverse shell through three CVEs. Once o...
This box is rated hard difficulty on THM. It involves us exploiting SQL injection to extract an HMAC-SHA256 signing secret, allowing us to perform a PHP filt...
This box is rated medium difficulty on THM. It involves us exploiting plenty of Active Directory components to pivot through accounts and find grab a remote ...
This box is rated hard difficulty on THM. It involves us finding a Wordpress application that’s vulnerable to LFI, allowing us to read the server’s configura...
This box is rated medium difficulty on THM. It involves us brute forcing a few protected files to gain SSH access to the box as a low-level user. Then, we re...
This box is rated medium difficulty on THM. It involves us using a lesser-known programming language to grab a reverse shell on the web server, along with es...
This box is rated hard difficulty on THM. It involves us enumerating a python webapp to find an old register API. Then, we grab a shell on the box with SSTI ...
This box is rated hard difficulty on THM. It involves us chaining SSRF to an LFI vulnerability in order to read files on the web server. Doing so gives us ad...
This box is rated medium difficulty on THM. It involves us exploiting directory traversal vulnerabilities in a few applications to grab low-level shells on t...
This box is rated hard difficulty on THM and is more of a game then a realistic box. It involves us enumerating various directories in a subdomain on HTTPS t...
This box is rated medium difficulty on THM. It involves us exploiting command substitution to grab a reverse shell through a custom pinging tool, as well as ...
This box is rated hard difficulty on THM. It involves us exploiting a second-order SQL injection vulnerability to dump user credentials, finding SSTI in a si...
This box is rated hard difficulty on THM. It involves us port knocking to access a Werkzeug web server, exploiting XSS to steal an admin session, grabbing a ...
This box is rated medium difficulty on THM. It involves us enumerating a developer subdomain to find a temporary password used at an administrator panel. The...
This box is rated hard difficulty on THM. It involves us exploiting a race conditions to add gold to our account, allowing us to buy premium functions on the...
This box is rated medium difficulty on THM. It involves us exploiting SQL injection to grab low level user credentials, brute forcing another user’s login, a...
This box is rated medium difficulty on THM. It involves us using an XSS vulnerability to capture an admin token on a website which leads to a dumping a datab...
This box is rated hard difficulty on THM and directly translates to “Time flies harder”.
This box is rated medium difficulty on THM. It involves us updating an admin account’s password using a built-in function on the webpage which allows us to u...
This box is rated medium difficulty on THM. It involves us brute forcing an admin login page with hydra, exploiting a known vulnerability within a blog engin...
This box is rated medium difficulty on THM and has a cool theme revolving around hacking an APT hacking group to find out who they’re targeting next.
This box is rated medium difficulty on THM. It involves us using the Shellshock vulnerability to get RCE on the system which grants us a shell, and abusing a...
This box is rated hard difficulty on THM and is the third installment in the Windcorp series. It involves us finding an exposed XML file containing employee ...
This box is rated medium difficulty on THM. It involves abusing buffer overflow on a vulnerable binary found on an SMB share and extracting credentials from ...
This box is rated medium difficulty on THM and is the sequel to Blog. It has a pretty funny storyline as after we hacked his blog page, Billy Joel makes a sh...
This box is rated hard difficulty on THM; it’s absolutely brutal so prepare yourself.
This box is rated hard difficulty on THM. It involves using NoSQL injection in JSON format to bypass a login panel, getting a reverse shell with the site’s b...
Box link– https://tryhackme.com/room/ra2
This box is rated medium difficulty on THM and has many web parts for us to attack. It involves us brute forcing an account and OTP code with custom wordlist...
This box is rated medium difficulty on THM and is a simulation of a real intermediate penetration test. It involves us uploading an aspx shell via an SMB sha...
This box is rated medium difficulty on THM. It involves us finding the correct SSH port with a binary search, solving a Vigenère cipher to get credentials fo...
This box is rated medium difficulty on THM. It involves us brute forcing a Wordpress login, grabbing a low level shell via a known upload vulnerability, and ...
This box is rated hard difficulty on THM. It involves us brute forcing steganography on an image using a wordlist found with it, uploading a shell via FTP &a...
This box is rated medium difficulty on THM, it’s centered around us finding login credentials and exploiting three binaries in different ways.
Box link– https://tryhackme.com/room/ra
This box is rated medium difficulty on THM, it involves us brute forcing a login panel, exploiting a known vulnerability within the Codiad framework, and esc...
Zeno is a medium-ranked difficulty box on TryHackMe, it requires us to enumerate the system’s attack surface, exploit an outdated service, and abuse service ...
Wonderland is a medium-difficulty ranked box on TryHackMe, it involves enumerating a webpage and good knowledge of linux privilege escalation to grab root ac...
This box is ranked easy-difficulty on TryHackMe, it involves enumerating SMB shares and escalating privileges in order to foil a tech scammer’s plans to defr...
This is an easy-difficulty ranked box, it involves us uploading a reverse shell via FTP anonymous login and escalating privileges by snooping around files an...
This TryHackMe box is ranked as an easy-difficulty box that aims to test our Active Directory enumeration skills. We must compromise a domain controller by e...
Smol is a medium difficulty room on TryHackMe that requires us to exploit a WordPress website and perform privilege escalation in order to grab both flags.
This box is ranked hard difficulty on THM, it involves us enumerating a webpage, leading to leaked RDP credentials, and finally escalating privileges to Admi...
This box is ranked easy-difficulty on TryHackMe and is one of the most popular challenges as it puts our fundamentals to the test. The goal is to exploit a p...
One Piece is a medium difficulty room on TryHackMe that tests our enumeration, cryptography, and privilege escalation skills.
This is an easy ranked box on THM, it involves enumerating Samba shares, exploiting a vulnerable version of ProFtpd, and privilege escalation through Path Va...
This box is rated hard difficulty on THM, it involves us exploiting WordPress to grab a low level shell on the system, port forwarding an internal Jenkins ap...
This box is ranked medium-difficulty on THM, it involves us escalating privileges on a web application, SSRF on an internal API to read admin credentials, an...
This box is ranked medium difficulty on THM, it consists of enumerating hidden endpoints on a web server, exploiting code to bypass authentication, and a coo...
This box is ranked as medium-difficulty and requires us to use our exploitation skills to bypass authentication mechanisms on a website and get Remote Code E...
This box is ranked easy-difficulty and involves enumeration, bypassing a login form, uploading a reverse shell, and escalating privileges to grab both flags.
This box is ranked hard-difficulty on TryHackMe, it involves us using SQLi to compromise a Joomla CMS account, cracking hashes, and a unique privilege escala...
This is a medium-ranked difficulty box, it involves us dodging plenty of rabbit holes, exploiting command injection on an obscure endpoint, and escalating pr...
This Men In Black-esque CTF is catered towards beginners and puts a good range of skills to the test. Overall, it was a fun challenge.
Box link– https://tryhackme.com/room/yearofthepig
Box link– https://tryhackme.com/room/yearoftheowl
Box link– https://tryhackme.com/room/yearofthejellyfish
Box link– https://tryhackme.com/room/yotf
Box link– https://tryhackme.com/room/yearofthedog
This box is ranked medium on THM, it involves us mounting a file share to get access to RSA key pair integers, which we can use to recover an SSH private key...
This box is rated medium difficulty on THM. It involves us exploiting an LFI vulnerability to leak credentials, uploading a reverse shell via FTP, and pivoti...
This box is ranked easy difficulty on THM, it involves us exploiting Apache Jserv to read files arbitrarily, leading to an encrypted pgp file and a binary ex...
This box is the first of five side quest challenges in THM’s Advent of Cyber ’25. It’s ranked hard difficulty and is easily the most time consuming of all. I...
This box is rated hard difficulty on THM, it involves us using SQL injection to dump passwords, using a known binary exploit with Sudo to grab root privilege...
This box is rated hard difficulty on THM. It involves us brute forcing a WordPress website with XML-RPC enabled, updating our profile to allow for admin perm...
This box is rated hard difficulty on THM. It involves us brute forcing an admin login on a subdomain, grabbing a shell via SSRF in a query search function, a...
This box is ranked medium difficulty on THM and is a sort of capstone challenge to the Injection Attacks module, so all methods will be of that nature.
This box is ranked medium difficulty on THM, it involves us reversing a cryptographic API to generate a valid invite code so we can login to a webpage. Then,...
This box is ranked easy difficulty on THM, it involves us getting a hash via steganography on a jpg, grabbing a shell with RCE on a webpage, using sudo to es...
This box is ranked hard difficulty on THM, it involves us employing plenty of cryptographic methods in order to crack encrypted archives and passwords. We th...
This box is the third side quest for THM’s Advent of Cyber ’25 and is ranked medium difficulty.
This box is the final side quest for THM’s Advent of Cyber ‘25, it is ranked hard difficulty and involves enumerating server files, pivoting through applicat...
This box is ranked medium difficulty on THM and is centered around the Resident Evil game. The overarching challenge of this box is cryptography and enumerat...
This box is ranked hard difficulty on THM, it involves us decrypting a special string which grants us SSH creds to the system. Then, we exploit a custom bina...
This box is ranked medium difficulty on THM, it involves us uploading a reverse shell using FTP anonymous login and then abusing a SUID bit set on an importa...
This box is rated easy difficulty on THM. It involves us brute forcing an FTP login after finding a password list from hidden image data, decoding an obscure...
Box link– https://tryhackme.com/room/k2room
This box is rated hard difficulty on HTB. It involves us enumerating a pre-created machine account whose password is the same as its samAccountName value. Fr...
This box is rated hard difficulty on HTB. It involves us compromising a Linux web server running an outdated version of Icinga Web 2 through a File Disclosur...
This box is rated hard difficulty on HTB. It involves us finding a plaintext user password in one of the website’s images and using that account to Kerberoas...
This box is rated medium difficulty on HTB. It involves us finding a default password in an onboarding PDF located inside of a Guest-readable SMB share. Spra...
This box is rated insane difficulty on HTB. It involves finding a writeable directory in an SMB share that we mounted, leading to an NTLMv2 hash theft and th...
This box is rated hard difficulty on HTB. It involves us discovering a Zabbix instance on a web server that allows for guest logins. Using an event notice, w...
This box is rated insane difficulty on HTB. It involves us getting a foothold on a domain-joined Linux web server through insecure deserialization. Then we d...
This box is rated hard difficulty on HTB. It involves us finding a subdomain with an exposed code repository, leading us to forge a valid JWT with a secret k...
This box is rated insane difficulty on HTB. It involves us performing unauthenticated Kerberoasting via AS-REP Roasting and cracking the hash in order to get...
This box is rated hard difficulty on HTB. It involves us registering an account on a website where we can reset our password in order to bypass an activation...
This box is rated hard difficulty on HTB. It involves us grabbing password hashes from a website vulnerable to Time-Based SQL injection, letting us login. Us...
This box is rated hard difficulty on HTB. It involves us discovering a path traversal vulnerability in Splunk that lets us grab an encrypted LDAP bind passwo...
This box is rated medium difficulty on HTB. It involves us discovering a LUKS encrypted backup image on a non-standard SMB share that gives us access to the ...
This box is rated insane difficulty on HTB. It involves us creating a username wordlist via image metadata pulled from a website which is used to AS-REP Roas...
This box is rated hard difficulty on HTB. It involves us discovering a private key and certificate in an NFS export that can be used to get a user’s NTLM has...
This box is rated insane difficulty on HTB. It involves us discovering a search function on the website that is prone to SQL injection, which requires encodi...
This box is rated hard difficulty on HTB. It involves us finding a login page which is vulnerable to SQL injection, allowing us to dump the users table to ge...
This box is rated medium difficulty on HTB. It involves us discovering a password within an image on an NFS share, giving us valid domain credentials. We fin...
This box is rated medium difficulty on HTB. It involves us discovering a developer subdomain on a web server that has a file read vulnerability in a download...
This box is rated hard difficulty on HTB. It involves us chaining Cross-Site Scripting with Cross-Site Request Forgery in order to perform NoSQL injection on...
This box is rated hard difficulty on HTB. It involves us combining a file upload with an LFI vulnerability to get a reverse shell on the machine as www-data....
This box is rated medium difficulty on HTB. It involves us exploiting a file upload feature on a website in order to capture a user’s NTLMv2 hash and crack i...
This box is rated easy difficulty on HTB. It involves us discovering a backdoor vulnerability within an outdated IRC server, allowing us to execute commands ...
This box is rated easy difficulty on HTB. It involves us grabbing a PDF from an available SMB share that hints at unpatched CVEs on the Domain Controller. Us...
This box is rated medium difficulty on HTB. It involves adding ourselves to a Developers group to gain access to an SMB share containing a password-protected...
This box is rated medium difficulty on HTB. It involves us configuring our system for Kerberos authentication in order to grab a password-protected excel spr...
This box is rated medium difficulty on HTB. It involves us discovering Ansible vault passwords in an exposed SMB share. After cracking the corresponding pass...
This box is rated hard difficulty on HTB. It involves us discovering a KeePass database file on an FTP server allowing anonymous logins. After cracking the p...
This box is rated easy difficulty on HTB. It involves us enumerating LDAP through anonymous binds, creating a wordlist that can be used to AS-REP Roast a ser...
This box is rated easy difficulty on HTB. It involves us pillaging an FTP server to grab a Microsoft Access Database file and an encrypted Zip archive. After...
This box is rated easy difficulty on HTB. It involves us discovering an NFS share which can be mounted to grab a backup of the website. Digging through the s...
This box is rated medium difficulty on HTB. It involves us finding a file upload vulnerability in a Torrent Hosting application that allows us to execute a r...
This box is rated easy difficulty on HTB. It involves us finding an SSRF vulnerability on a file scanning application that allows us to view an internal pass...
This box is rated medium difficulty on HTB. It involves brute-forcing an SNMP community string which leads to us finding a password being used an argument. U...
This box is rated medium difficulty on HTB. It involves us finding a SQL injection vulnerability in a custom web application that allows us to dump a databas...
This box is rated medium difficulty on HTB. It involves us enumerating an SMB share to collect an Excel spreadsheet with macros enabled. Inspecting the VBA d...
This box is rated hard difficulty on HTB. It involves us finding a backup API on the site’s admin virtual host, allowing us to create a backup of nginx confi...
This box is rated easy difficulty on HTB. It involves us finding a Support site that allows guest logins. On the site, we read a chat history between a user ...
This box is rated medium difficulty on HTB. It involves us enumerating ACLs to pivot between users, eventually landing on the CA_Operator account. Using this...
This box is rated easy difficulty on HTB. It involves us discovering an exposed Git repository on a content management site that gives us user credentials. A...
This box is rated easy difficulty on HTB. It involves us discovering a developer virtual host that contains an exposed Git directory. After downloading all t...
This box is rated easy difficulty on HTB. It involves us discovering an LFI vulnerability in the website, which allows us to get the hMailServer’s Administra...
This box is rated medium difficulty on HTB. It involves us enumerating Access Control Lists (ACLs) over privileged objects in order to pivot between several ...
This box is rated easy difficulty on HTB. It involves us discovering the location of a password list over anonymous FTP login, and utilizing a vulnerable NVM...
This box is rated easy difficulty on HTB. It involves us finding a virtual host on a website running a vulnerable version of Xwiki. We can get RCE on the sys...
This box is rated medium difficulty on HTB. It involves us enumerating domain users by brute-forcing RIDs and password spraying to get valid credentials for ...
This box is rated easy difficulty on HTB. It involves us enumerating a Spring Boot web application to find an exposed actuator endpoint which allows us to st...
This box is rated easy difficulty on THM. It involves us extracting a certificate and private key from a PFX file on an SMB share to get a shell via WinRM, g...
This box is rated medium difficulty on HTB. It involves us pivoting between user accounts with GMSA, targeted Kerberoasting, force changing passwords, and gr...
This box is rated medium difficulty on HTB. It involves us gathering credentials over SNMP which can be used for a disabled account on the website. Using the...
This box is rated easy difficulty on HTB. It involves us using default credentials on a subdomain that’s running a CRM site. Being an outdated version, we ca...
This box is rated easy difficulty on HTB. It involves us getting administrative access to a file manager website using default credentials and exploiting a p...
This box is rated hard difficulty on HTB. It involves LFI, NTLM theft, password spraying, uploading reverse shells, plenty of enumeration, port forwarding, a...
This box is rated easy difficulty on THM. It involves using Guest authentication to discover a default password on an SMB share, finding more passwords throu...
This box is rated easy difficulty on HTB. It involves us exploiting SQL injection to dump a web application’s database and sign in as an Administrator. Then ...
This box is rated easy difficulty on HTB. It involves us logging into a ticket support site with default credentials which leads to grabbing a plaintext pass...
This box is rated medium difficulty on HTB. It involves us grabbing a reverse shell by using Jenkins’ script console, decrypting a KeePass database file to g...
This box is rated medium difficulty on HTB. It involves us bypassing both a login page via SQL injection and a file upload filter by manipulating magic bytes...
This box is rated medium difficulty on HTB. It involves us exploiting a vulnerable Jenkins application to read files on the server. Parsing XML files grants ...
This box is rated easy difficulty on HTB. It involves us bypassing file upload filters to get a shell on the box as Apache, exploiting a vulnerable cronjob t...
This box is rated easy difficulty on HTB. It involves us using an SSRF vulnerability within the site’s upload feature to fuzz for internal APIs. In doing, so...
This box is rated easy difficulty on THM. It involves us gathering plaintext credentials via SNMP to get a shell on the system, port forwarding an internal w...
This box is rated easy difficulty on THM. It involves us guessing default credentials on a webserver to disclose what version of ActiveMQ is running. Looking...
This box is rated medium difficulty on THM. It involves us enumerating LDAP to find that a user’s account contains a legacy password attribute that we can us...
This box is rated hard difficulty on HTB. It involves us grabbing Bcrypt hashes through second-order SQL injection, getting RCE on the site via the Imagick P...
This box is rated medium difficulty on HTB and took me a very long time to complete. It involves us dumping the website’s database via MSSQL injection, explo...
This box is rated hard difficulty on HTB. It involves us enumerating valid users via SMB guest authentication and AS-REP roasting a support account which giv...
This box is rated medium difficulty on HTB. It involves us password spraying on SMB to find an XML file with user credentials inside, as well as abusing Azur...
This box is rated medium difficulty on HTB. It involves us getting access to a developer subdomain via an exposed Git repository on the main site. Then, we g...
This box is ranked easy difficulty on HTB. It involves us exploiting an SSRF vulnerability to forward a web server running internally on port 80. Then, we us...
This box is rated medium difficulty on HTB. It involves us finding msSQL credentials inside of a PDF on an SMB share, which allows us to logon as a service a...
This box is rated easy difficulty on HTB. I’m starting to go down the list on TJNull’s OSCP-like boxes list for good practice and get a head start on what I ...
This post covers Impel, a Linux-native RPC coercion surface scanner we built as the final tool in our Windows authentication coercion research series. The pr...
Part one covered the mechanic and the lineage. This part is operational. We reproduce CVE-2026-24294 against a default Windows Server 2025 environment, docum...
Authentication reflection is a family of attacks that keeps getting declared dead and keeps coming back. It looks like a footnote to NTLM relay until you exa...
All testing in this writeup was performed in an isolated, fully self-contained lab environment (corp.lab) with no internet connectivity and no production ...
In Part 1 and Part 2 of this series I laid out the research goal: build an isolated lab running current Windows Server 2025 defaults, then systematically tes...
Part 1 covered the shape of the chain: coercion produces an authentication attempt, relay forwards it somewhere useful, and the protections that matter all l...
Every technique in this series traces back to one design decision in Windows authentication: a machine will authenticate to whatever endpoint it’s told to co...
This post covers ESC13 and ESC15 as full deep dives, then provides a consolidated reference for the remaining ESC techniques across the full taxonomy. The go...
This post covers the relay attack class in AD CS, where an attacker coerces authentication from a target machine, relays those credentials to a CA enrollment...
This post covers the AD object write attack class, where a write primitive on a PKI or account object is sufficient to introduce or directly exploit a certif...
This post covers the certificate-to-account mapping layer in Active Directory and how it becomes an attack surface. It walks through the KB5014754 strong map...
This post covers the foundational mechanics of Active Directory Certificate Services: how the PKI trust model is structured in AD, where configuration lives ...
This writeup covers the development, architecture, and OPSEC testing of DeleGator — a Linux-native Active Directory delegation abuse framework. It is split i...
This is vulnerable machine was a side project of mine that also served as great practice for Python, web exploitation, and Linux privilege escalation techniq...
This post covers Impel, a Linux-native RPC coercion surface scanner we built as the final tool in our Windows authentication coercion research series. The pr...
This writeup covers the development, architecture, and OPSEC testing of DeleGator — a Linux-native Active Directory delegation abuse framework. It is split i...
This post covers Impel, a Linux-native RPC coercion surface scanner we built as the final tool in our Windows authentication coercion research series. The pr...
This writeup covers the development, architecture, and OPSEC testing of DeleGator — a Linux-native Active Directory delegation abuse framework. It is split i...