This walkthrough details how to complete the "Year of the Rabbit" CTF challenge on TryHackMe, focusing on enumeration, web exploitation, and privilege escalation. It showcases a step-by-step approach to discovering hidden directories, extracting credentials, and escalating privileges to capture flags. #TryHackMe #YearOfTheRabbit
Key points
- Initial enumeration involved Nmap scans revealing open ports 21, 22, and 80.
- Web fuzzing uncovered a hidden directory, "/sup3r_s3c3rt_fl4g.php", and secret files.
- Hidden image analysis with exiftool and strings helped retrieve FTP credentials and usernames.
- Credentials were brute-forced with Hydra, allowing FTP login to access sensitive data.
- Privilege escalation was achieved through Sudo and vi, leading to root access and flag retrieval.
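The detection-side counterpart to the Hydra-against-FTP step above, as an added example that is not part of the original walkthrough: a small Python checker that flags a source IP with a burst of failed FTP logins and records whether a successful login followed. The vsftpd-style log format and the sample entries are assumed and constructed, not taken from the room.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches vsftpd-style login lines (format assumed; adapt the pattern to your server's log).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[\d.]+)"'
)

# Constructed sample log (not a real capture): one source hammers ftpuser and then gets in;
# another source mistypes once, which is normal behaviour and must not be flagged.
SAMPLE_LOG = """\
Sun Feb 04 10:00:00 2024 [pid 1230] CONNECT: Client "10.10.14.5"
Sun Feb 04 10:00:01 2024 [pid 1231] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Sun Feb 04 10:00:03 2024 [pid 1232] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Sun Feb 04 10:00:04 2024 [pid 1240] [alice] FAIL LOGIN: Client "10.10.14.9"
Sun Feb 04 10:00:05 2024 [pid 1233] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Sun Feb 04 10:00:07 2024 [pid 1234] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Sun Feb 04 10:00:09 2024 [pid 1235] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Sun Feb 04 10:00:11 2024 [pid 1236] [ftpuser] FAIL LOGIN: Client "10.10.14.5"
Sun Feb 04 10:00:13 2024 [pid 1237] [ftpuser] OK LOGIN: Client "10.10.14.5"
""".splitlines()

def parse_line(line):
    """Return a dict for FAIL/OK LOGIN lines, or None for anything else (CONNECT, transfers)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r' +', ' ', m['ts']), '%a %b %d %H:%M:%S %Y')
    return {'ts': ts, 'user': m['user'], 'result': m['result'], 'ip': m['ip']}

def detect_ftp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failures inside a sliding window; note any login that follows."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    alerts = {}                 # ip -> alert record
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev['ip']
        if ev['result'] == 'FAIL':
            q = recent[ip]
            q.append(ev['ts'])
            while q and ev['ts'] - q[0] > window:   # expire failures older than the window
                q.pop(0)
            if ip in alerts:
                alerts[ip]['failures'] += 1
            elif len(q) >= threshold:
                alerts[ip] = {'ip': ip, 'failures': len(q), 'success_after': None}
        elif ip in alerts and alerts[ip]['success_after'] is None:
            alerts[ip]['success_after'] = ev['user']   # guessed password worked
    return list(alerts.values())
```

An alert whose `success_after` is set is the case worth paging on: the burst was followed by a valid login, so the account should be treated as compromised rather than merely attacked.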