GitHub: sanmiguella/THM-writeup
A set of hands-on offensive and defensive writeups based on TryHackMe labs, compiling real attack chains and tool usage for reproduction and learning.
Stars: 0 | Forks: 0
# 🔐 TryHackMe Writeups
Writeups for TryHackMe rooms. Emphasis on methodology, realistic attack chains, and understanding the *why* behind each step — not just dumping commands. Written as a personal reference between professional engagements.
Each writeup covers: enumeration → initial access → privilege escalation, with an ASCII attack chain diagram, key takeaways, tools used, and captured flags.
## 📋 Table of Contents
- [📁 Index](#-index)
- [🗂️ Structure](#%EF%B8%8F-structure)
- [⚙️ Methodology](#%EF%B8%8F-methodology)
- [📋 Command Reference](#-command-reference)
- [⚠️ Disclaimer](#%EF%B8%8F-disclaimer)
## 📁 Index
| Room | Difficulty | OS | Key Techniques |
|---|---|---|---|
| [Blueprint](./blueprint/) | Easy | Windows | Unpatched service exploit, hash dump, pass-the-hash |
| [Chill Hack](./chill/) | Easy | Linux | Command injection + blacklist bypass, steganography, Docker group abuse |
| [ColddBox: Easy](./colddbox/) | Easy | Linux | WPScan, reversePress, lxd privesc |
| [Creative](./creative/) | Easy | Linux | SSRF, path traversal, SSH key abuse |
| [CyberLens](./cyberlens/) | Easy | Windows | Apache Tika RCE, AlwaysInstallElevated |
| [Dav](./dav/) | Easy | Linux | WebDAV default credentials, PHP shell upload via PUT, sudo cat arbitrary read |
| [Gaming Server](./gamingServer/) | Easy | Linux | LFI, SSH key leak, lxd privesc |
| [IDE](./ide/) | Easy | Linux | Anonymous FTP, Codiad 2.8.4 RCE (CVE-2018-14009), writable systemd service |
| [Lazy Admin](./lazyadmin/) | Easy | Linux | SweetRice CMS exploit, sudo backup script abuse |
| [Lian Yu](./lianyu/) | Easy | Linux | FTP enumeration, steganography, sudo pkexec |
| [Mustacchio](./Mustacchio/) | Easy | Linux | XXE injection, SSH key crack, sudo path hijack |
| [Overpass 3: Hosting](./overpass3/) | Medium | Linux | GPG credential leak, FTP webroot upload, NFS no_root_squash |
| [Pyrat](./pyrat/) | Easy | Linux | Python eval RCE, git history credential leak |
| [RootMe](./rootme/) | Easy | Linux | File upload bypass, SUID Python privesc |
| [Service](./service/) | Easy | Linux | Docker abuse, service misconfiguration |
| [Silver Platter](./silverplatter/) | Easy | Linux | Silverpeas CVE, lateral movement, sudoers misconfiguration |
| [Source](./source/) | Easy | Linux | Webmin CVE-2019-15107 pre-auth RCE |
| [Thompson](./thompson/) | Easy | Linux | Tomcat Manager default creds, WAR upload, cron script poisoning |
| [Tomghost](./tomghost/) | Easy | Linux | Ghostcat (CVE-2020-1938), GPG key crack, zip2john |
| [U.A. High School](./ua/) | Easy | Linux | PHP RCE, base64 credential leak, sudo env abuse |
| [VulnNet: Internal](./vulnnet-internal/) | Easy | Linux | Redis RCE, SMB enumeration, TeamCity privesc |
| [VulnNet: Node](./vulnnet-node/) | Easy | Linux | node-serialize deserialization RCE, npm sudo abuse, writable systemd service |
| [VulnNet: Roasted](./vulnnet-roasted/) | Easy | Windows | AS-REP roasting, Kerberoasting, DCSync |
| [VulnNet Entertainment](./vulnnet-entertainment/) | Medium | Linux | JS bundle subdomain leak, LFI via php://filter, ClipBucket 4.0 file upload RCE, SSH backup crack, tar wildcard injection |
| [Whiterose](./whiterose/) | Easy | Linux | IDOR, EJS prototype pollution RCE (CVE-2022-29078), sudoedit bypass (CVE-2023-22809) |
## 🗂️ Structure
Each room lives in its own folder with a `README.md` writeup following a consistent format:
```
THM-writeup/
├── <room>/
│   └── README.md          ← full writeup
├── Exploit-Scripts/
│   └── ...                ← exploit scripts written during engagements
├── Powershell-Scripts/
│   └── ...                ← PowerShell utility scripts
├── COMMANDS.md            ← personal command cheatsheet (nmap, ffuf, hydra, etc.)
└── README.md              ← this file
```
## ⚙️ Methodology
Every writeup follows the same skeleton:
1. **Enumeration** — port scan (TCP + UDP), directory/vhost bruteforce, service fingerprinting
2. **Initial Access** — exploitation with full request/response context where relevant
3. **Privilege Escalation** — from foothold to root, with sudo/SUID/capability checks documented
4. **Attack Chain** — ASCII diagram of the full kill chain
5. **Key Takeaways** — what the box teaches, why it matters in real engagements
6. **Tools Used** — table of every tool used during the engagement
7. **Flags** — captured flag values
## 📋 Command Reference
Commonly used commands across recon, enumeration, exploitation, and post-exploitation are documented in [COMMANDS.md](./COMMANDS.md). Covers nmap, ffuf, gobuster, feroxbuster, hydra, hash cracking, vhost fuzzing, shell stabilisation, and more.
## ⚠️ Disclaimer
All activity documented here was conducted exclusively within TryHackMe's isolated lab environments. These writeups are intended for educational purposes and personal reference.
Tags: AlwaysInstallElevated, Apache Tika, Codiad, CVE-2018-14009, Docker, LFI, LXD, Pass-the-Hash, RCE, SEO, SSH keys, SSRF, sudo, SweetRice, TGT, TryHackMe, WebDAV, WPScan, Writeups, initial access, protocol analysis, command injection, hash dumping, study notes, security defense assessment, hands-on exercises, tool analysis, application security, privilege escalation, attack paths, attack chain, red/blue exercises, methodology, privilege elevation, permission bypass, enumeration, reversing tools, defense hardening