Through The Walls — A Structured Web-to-Root Attack Chain Room

A narrative-driven web-to-root CTF room focused on logic, enumeration, and realistic attack chains.

Rahul V H

~3 min read · February 11, 2026 (Updated: February 11, 2026) · Free: Yes

I recently built a TryHackMe-style room titled "Through The Walls", designed as a narrative-driven web-to-root compromise focused on logical progression and careful enumeration.

The room avoids brute force and guessing. Each step intentionally reveals the next through observation.

Room Link : https://tryhackme.com/jr/throughthewalls

Overview

This room covers:

Web reconnaissance
Hidden parameter discovery
HTTP response header analysis
SQL injection
Base64 credential decoding
Non-standard service enumeration
Linux privilege escalation via SUID

The attack chain is designed to reward attention to detail.

Phase 1 — Homepage Recon & First Flag

The attacker begins by exploring the public-facing site.

Viewing the homepage source reveals:

The first flag hidden inside an HTML comment.
A narrative clue suggesting that public records are sanitized and staff access exists.

This establishes the idea that hidden functionality may be controlled through unseen mechanisms.

Phase 2 — Discovering the Hidden Access Parameter

Visiting the /research page shows normal public content.

Inspecting the HTML source of /research reveals a critical clue inside a comment:

mode=public

Importantly:

There is no visible parameter in the URL.
The application does not expose mode openly.

Based on this comment, the attacker manually appends:

?mode=public

The page loads normally.

Changing it logically to:

?mode=staff

reveals restricted content.

Inspecting the HTTP response headers now reveals a hidden clue:

staff?role=#

This clue does not appear in the page body and must be observed through response inspection.

This phase teaches:

Inspecting page source for hidden hints
Manually injecting parameters
Analyzing response headers for further clues

Phase 3 — Role Enumeration & SQL Injection

Using the discovered header clue:

/staff?role=1

reveals the username:

drbrenner

Testing additional numeric values confirms the endpoint is dynamic.

Now that a valid user is identified, sqlmap is used directly against this endpoint:

sqlmap -u "http://<IP>/staff?role=1" --dump

This extracts database content.

The password is stored using Base64 encoding, not hashing.

After decoding the Base64 value, the attacker obtains the plaintext password.

This phase demonstrates:

Logical endpoint targeting
Structured SQL injection
Recognizing reversible encoding

Phase 4 — Non-Default SSH Port Discovery

With credentials obtained, the attacker attempts SSH on port 22.

Port 22 is closed.

A full port scan reveals:

53535/tcp open ssh

Connecting using:

ssh drbrenner@<IP> -p 53535

grants shell access.

Inside the home directory:

The user flag is found
A README hints that something is listening internally

This reinforces proper service enumeration rather than assuming defaults.

Phase 5 — Internal Service Discovery

Running:

ss -tulnp

reveals a service bound to:

127.0.0.1:9001

Because it is bound to localhost, it cannot be accessed externally.

Using:

curl http://127.0.0.1:9001

reveals a message referencing diagnostic utilities co-located with the controller.

This directs the attacker to:

/opt/gate_service

Phase 6 — Privilege Escalation via SUID Binary

Inside /opt/gate_service/bin, the attacker finds:

gate_diagnostic

Listing permissions shows:

-rwsr-xr-x

The SUID bit indicates the binary executes with root privileges.

Executing the binary spawns a root shell, allowing retrieval of:

/root/root.txt

Key Learning Points

This room teaches:

Inspecting HTML comments for hidden logic
Manually injecting hidden parameters
Analyzing HTTP response headers
Leveraging structured SQL injection
Identifying Base64 encoding
Enumerating non-standard service ports
Discovering localhost-bound services
Exploiting SUID misconfigurations

Design Philosophy

The room was built with a focus on:

Logical progression
Clear but subtle hinting
No brute force
No unrealistic privilege escalation
Consistent narrative

Each phase intentionally guides the attacker toward the next.

Final Thoughts

"Through The Walls" demonstrates how minor oversights — hidden parameters, exposed header hints, reversible encoding, non-standard service configurations, and misconfigured binaries — can combine into full system compromise.

Building this room strengthened my understanding of:

Attack chain design
Web exploitation flow
Linux privilege models
Structured CTF creation

More rooms coming soon.

#cybersecurity #ethical-hacking #ctf #linux #web-security