This is a Hard Rated CTF on TryHackMe.The client requests an external, web app, and internal assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test)

Firstly we need to add the ip of our target machine in the /etc/hosts in kali

we begin with an nmap scan on All ports(-p-) and find 22 and 80 open

On visiting port 80 in browser, we find apache server running so lets find all directories using dirsearch which is much faster than dirbuster(You can install it from github)

we find a phpmyadmin page however default credentials dont work

We find a login page for wordpress

On using the username and password as admin:admin we get a error which says that the password entered for the username admin is incorrect.This means we have a valid username called “admin” and we can bruteforce the password.

But before bruteforcing, lets enumerate wordpress a bit more using wpscan

The version is 5.4.2

We found the version but nothing interesting…so lets proceed with bruteforcing.This can also be done by wpscan

and we finally found the password and now we can log in as admin.

Now we need to get a shell.In wordpress, This can be done by uploading a malicious plugin or editing the code of a theme.We will go with the second option.Do read this guide as we will be following the same process shown in this article.

We edit the default theme(twentyseventeen) and on the right side we see a file called 404.php which we will edit and put the code of php reverse shell from pentestmonkey.Make sure to change the IP and Port in the script.

After saving, we just have to start our netcat listener and visit the url in our browser(make sure to change your ip)

And we finally get a shell.However we need to make it stable which can be done by running the command:

python -c ‘import pty;pty.spawn(“/bin/bash”)’

After lots of digging,we find a username:password info in the /opt directory.We cam use these credentials to access SSH.

We found the first flag.

jenkins.txt seems interesting

We also find an info of Jenkins running on port 8080 in jenkins.txt. Jenkins is a server used by developers for continuous development and building.Now this is a place where i was stuck and got a hint of ssh tunnelling on a discord server.Moreover the direcroty called “snap” gives us a hint of Docker running.

Running the command ss -tulpn shows us all the hidden listening ports and we find 8080 running as well.This can be accessed by reverse ssh tunnelling.If you are new to this concept, do solve the room GameZone on tryhackme which explains it pretty well(however its a paid room)

we se port 8080 listening

Now all we have to do is add the ip and port in /etc/hosts of our kali machine

This is the command we use for SSH Tunnelling

ssh -L 8080:localhost:8080 aubreanna@ipaddress

Once done, we have to type localhost:8080 on our browser and we finally find the Jenkins login page.

jenkins login page

We can try using dirsearch to find all directories but are unable to find anything interesting.Lets bruteforce the login page with username “admin” and for password we will use rockyou.txt.For this work, lets fire up Burp.

Intercept the request > send to Intruder > highlight the password field > use sniper attack. In the payloads we have to load the rockyou.txt list which can be found in /usr/share/wordlists/rockyou.txt

click on Length

And we finally find the password spongebob .This does not take much time as the password is present within the 100 words of rockyou.txt


Use admin:spongebob to login into Jenkins

Go to Manage Jenkins > then go to Script Console

Now Jenkins has a place called Script Console where you can run a script called Groovy Script(read the first line….it says “type in an arbitary groovy script”) Basically we have to put a Groovy Reverse Shell and run it to get a shell.

You can refer to this article as a guide-

The Groovy reverse shell can be found in-

Once we have put the code, dont forget to change your ip and port.The ip will be that of your kali machine(tun0). Also a small change we have to make in the script is replacing cmd.exe to /bin/bash as we are attacking a linux target.(i found this info on github after using google)

This is what my final script will looked like-

And we finally got a shell which we need to stablize by running

python -c ‘import pty;pty.spawn(“/bin/bash”)’

In the /opt directory we find some credentials.

ssh to the root user using the password we found and we are in!

And We finally found the root flag!!!

This was was a fun ctf.Althrough it is rated hard, however i found it a bit easy since i had worked with jenkins and wordpress in previous ctfs.The only tricky part was finding out about ssh tunnelling and this room sure was a bit lengthy.Shout out to Joe Helle (The Mayor)for developing this room and i hope you learned from this walkthrough-ZEUS



I am a Penetration Tester, Currently pursuing OSCP. Skilled in Network Pen-testing and Developing Hacking Tools using Python. YouTube-ZeusCybersec

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

I am a Penetration Tester, Currently pursuing OSCP. Skilled in Network Pen-testing and Developing Hacking Tools using Python. YouTube-ZeusCybersec