June 4, 2026
TryHackMe — The Great Disappearing Act — Walkthrough
Nayanjyoti Kumar
4 min read
Introduction
Cybersecurity challenges often combine multiple attack vectors into a single scenario, forcing participants to think like real-world attackers. The Great Disappearing Act from TryHackMe is a perfect example of this approach.
Set inside the fictional HopSec Asylum, the challenge places us in an environment designed to test enumeration, web exploitation, privilege escalation, and infrastructure abuse skills. The ultimate goal is to escape the facility by collecting three hidden flags and unlocking the final invitation code.
Throughout this challenge, I leveraged several offensive security techniques, including:
- Open-Source Intelligence (OSINT)
- Web Enumeration
- HTTP Parameter Pollution (HPP)
- API Abuse
- Information Disclosure
- Privilege Escalation
- Docker Misconfiguration Exploitation
- SCADA System Interaction
In this article, I'll walk through the complete attack path that led to a successful escape from HopSec Asylum.
Challenge Overview
The challenge is divided into several stages:
- Unlock Hopper's Cell
- Bypass Psych Ward Security
- Gain Access to Internal Systems
- Access the SCADA Infrastructure
- Unlock the Main Gate
- Escape the Facility
Each phase introduces a new layer of complexity and requires combining information gathered from previous steps.
Initial Reconnaissance
The first step was identifying the services exposed by the target machine.
```bash
nmap -sV -p- TARGET_IP
```
The scan revealed several interesting services:
| Port | Service |
| --- | --- |
| 8000 | Fakebook Application |
| 8080 | HopSec Security Console |
| 13400 | Video Portal |
| 13401 | Video Streaming API |
| 21337 | Side Quest Unlock Page |
Although the Security Console looked like the most obvious entry point, further investigation revealed that the attack chain actually began with the Fakebook application.
Phase 1: OSINT and Credential Discovery
The Fakebook application contained profiles of facility employees. During enumeration, I discovered an account belonging to a security guard:
```text
guard.hopkins@hopsecasylum.com
```
The profile exposed several useful details:
- Name: John Hopkins
- Nickname: Johnnyboy
- Birth Year: 1982
These details suggested a predictable password pattern.
Possible password candidates included:
```text
Johnnyboy1982
Johnnyboy1982!
Johnnyboy82
Hopkins1982
```
After testing several combinations, valid credentials were obtained:
```text
Username: guard.hopkins@hopsecasylum.com
Password: Johnnyboy1982!
```
This demonstrates how seemingly harmless personal information can significantly weaken authentication security.
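The weakness here is a password built from attributes the profile page publishes. As an added example (not code from the post or from TryHackMe), the following password-policy check rejects a candidate password when it contains tokens derived from the user's own profile, including the year suffix and simple leetspeak substitutions. The profile dictionary is constructed from the values the walkthrough lists; the field names and the leetspeak table are assumptions.

```python
import re

# Constructed profile data mirroring the fields the Fakebook page exposed.
# Values are the ones quoted in the walkthrough, not from any real account.
PROFILE = {
    "first_name": "John",
    "last_name": "Hopkins",
    "nickname": "Johnnyboy",
    "birth_year": 1982,
    "email": "guard.hopkins@hopsecasylum.com",
}

# Assumed leetspeak mapping: 0->o 1->l 3->e 4->a @->a $->s
_LEET = str.maketrans("0134@$", "oleaas")


def profile_tokens(profile: dict) -> set[str]:
    """Strings an attacker could guess from a public profile, lower-cased."""
    tokens = set()
    for key in ("first_name", "last_name", "nickname"):
        value = profile.get(key)
        if value and len(value) >= 3:
            tokens.add(value.lower())
    year = profile.get("birth_year")
    if year:
        tokens.add(str(year))        # "1982"
        tokens.add(str(year)[-2:])   # "82"
    local_part = profile.get("email", "").split("@")[0]
    for part in re.split(r"[._-]", local_part):
        if len(part) >= 3:
            tokens.add(part.lower())  # "guard", "hopkins"
    return tokens


def _forms(password: str) -> tuple[str, str]:
    """Two comparison forms: punctuation stripped, and leetspeak undone as well."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z0-9]", "", lowered)
    deleet = re.sub(r"[^a-z0-9]", "", lowered.translate(_LEET))
    return plain, deleet


def profile_derived_tokens(password: str, profile: dict) -> list[str]:
    """Return the profile tokens found inside the candidate password (sorted)."""
    plain, deleet = _forms(password)
    hits = {t for t in profile_tokens(profile) if t in plain or t in deleet}
    return sorted(hits)


def is_profile_derived(password: str, profile: dict) -> bool:
    """True when the password should be rejected by the policy."""
    return bool(profile_derived_tokens(password, profile))


if __name__ == "__main__":
    for candidate in ("Johnnyboy1982!", "Hopkins1982", "correct-horse-battery-staple"):
        hits = profile_derived_tokens(candidate, PROFILE)
        verdict = "REJECT" if hits else "accept"
        print(f"{candidate:30} {verdict:7} {hits}")
```

Running the block shows both candidates from the walkthrough being rejected, with the matching tokens named so the user can be told why; a passphrase unrelated to the profile passes. Wiring this into account creation and password change flows removes the exact class of guess the challenge relied on.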
Phase 2: Accessing the Security Console
Using the recovered credentials, I logged into the HopSec Security Console.
While reviewing available functionality, I discovered a CGI endpoint responsible for controlling facility doors:
```text
/cgi-bin/key_flag.sh
```
Interacting with the endpoint unlocked Hopper's cell and returned the first flag:
```javascript
fetch("/cgi-bin/key_flag.sh?door=hopper")
```
Response:
```json
{
  "ok": true,
  "flag": "THM{h0pp1ing_m4d}"
}
```
Flag 1
```text
THM{h0pp1ing_m4d}
```
Phase 3: Investigating the Video Infrastructure
The next target was the Video Streaming API running on port 13401.
After authenticating with the same credentials, I enumerated available camera feeds:
```http
GET /v1/cameras
```
One entry immediately stood out:
```text
cam-admin
```
Access was restricted to administrators, indicating that an authorization bypass might be possible.
Phase 4: Exploiting HTTP Parameter Pollution
Further testing revealed an interesting behavior.
The application accepted authorization parameters from both:
- URL Query Parameters
- JSON Request Bodies
This created an opportunity for HTTP Parameter Pollution (HPP).
The exploit involved sending conflicting values:
```http
POST /v1/streams/request?tier=admin
```
Request body:
```json
{
  "camera_id": "cam-admin",
  "tier": "guard"
}
```
Because the application processed the query parameter first, administrator privileges were incorrectly granted.
As a result, an administrative stream ticket was generated and access controls were bypassed.
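To make the precedence bug concrete, here is an added example (not the challenge's code) that models the vulnerable resolver beside a hardened one and a detection helper. The request strings are constructed to match the exploit shape above; the session dictionary and the `authorize` wrapper are assumptions, since the walkthrough does not show the API's session layout.

```python
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed request with the same shape as the walkthrough's HPP exploit:
# the query string claims tier=admin while the JSON body says tier=guard.
RAW_TARGET = "/v1/streams/request?tier=admin"
RAW_BODY = '{"camera_id": "cam-admin", "tier": "guard"}'
# Assumed server-side session for the logged-in guard.
SESSION = {"user": "guard.hopkins@hopsecasylum.com", "role": "guard"}


class ParameterConflict(ValueError):
    """One parameter arrived from several sources with different values."""


def parse_request(target: str, body: str) -> tuple[dict, dict]:
    """Split a request into query-string parameters and JSON-body parameters."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    payload = json.loads(body) if body else {}
    return query, payload


def conflicting_params(target: str, body: str) -> dict:
    """Detection helper: report every parameter whose values disagree across the
    query string and the body, or that is repeated in the query with different
    values. An empty dict means the request is consistent."""
    query, payload = parse_request(target, body)
    conflicts = {}
    for name, values in query.items():
        seen = {"query": sorted(set(values))}
        if name in payload:
            seen["body"] = [str(payload[name])]
        distinct = {v for vals in seen.values() for v in vals}
        if len(distinct) > 1:
            conflicts[name] = seen
    return conflicts


def resolve_tier_vulnerable(target: str, body: str) -> Optional[str]:
    """Mirrors the flawed behaviour: the query string wins and the client is trusted."""
    query, payload = parse_request(target, body)
    if "tier" in query:
        return query["tier"][0]
    return payload.get("tier")


def resolve_tier_hardened(target: str, body: str, session: dict) -> str:
    """Authorization is derived from the server-side session only. A client-supplied
    tier is rejected if it is inconsistent across sources or exceeds the session role."""
    conflicts = conflicting_params(target, body)
    if "tier" in conflicts:
        raise ParameterConflict(f"tier supplied with conflicting values: {conflicts['tier']}")
    query, payload = parse_request(target, body)
    requested = query.get("tier", [str(payload.get("tier", session["role"]))])[0]
    if requested != session["role"]:
        raise PermissionError(
            f"{session['user']} requested tier {requested!r} but holds {session['role']!r}")
    return session["role"]


def authorize(target: str, body: str, session: dict) -> tuple[bool, str]:
    """Wrap the hardened resolver as (granted, role_or_reason) for callers that
    log and deny rather than handle exceptions."""
    try:
        return True, resolve_tier_hardened(target, body, session)
    except (ParameterConflict, PermissionError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    print("vulnerable resolver grants:", resolve_tier_vulnerable(RAW_TARGET, RAW_BODY))
    print("conflicts detected:", conflicting_params(RAW_TARGET, RAW_BODY))
    print("hardened resolver:", authorize(RAW_TARGET, RAW_BODY, SESSION))
```

The vulnerable resolver returns `admin` for the polluted request; the hardened one refuses it with a `ParameterConflict`, and would still refuse a clean `?tier=admin` request from a guard session with a `PermissionError`. The `conflicting_params` helper is the same check expressed as a log-side detection: a parameter arriving from two sources with different values is a strong signal of HPP probing.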
Phase 5: Discovering Hidden API Endpoints
While analyzing the stream data, I noticed references to undocumented endpoints:
```text
/v1/ingest/diagnostics
/v1/ingest/jobs
```
These endpoints were not publicly documented and exposed sensitive operational information.
After triggering diagnostic jobs and reviewing the results, I obtained a leaked internal token:
```json
{
  "console_port": 13404,
  "token": "REDACTED"
}
```
This token provided access to an internal management console.
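The diagnostics job handed a live credential back to whoever could trigger it. As an added example (not from the challenge or the author), this is the server-side redaction pass a diagnostics endpoint should apply before returning its output: it scrubs values under credential-like keys and any long high-entropy string found elsewhere in the structure. The sample payload is constructed to match the shape of the leak above; the token value, worker fields, key regex and entropy threshold are all assumptions.

```python
import math
import re
from collections import Counter

# Assumed key pattern for credential-bearing fields.
SENSITIVE_KEY = re.compile(r"(token|secret|passw(or)?d|api[_-]?key|authorization|cookie)", re.I)

# Constructed diagnostics payload shaped like the walkthrough's leak; the token
# and api_key values are made up.
SAMPLE_DIAGNOSTICS = {
    "job_id": 17,
    "console_port": 13404,
    "token": "c9f1a7e4b2d84e63a0f5b7c1d2e3f4a5",
    "workers": [
        {"name": "ingest-1", "auth": {"api_key": "AKIAEXAMPLEKEY000000"}, "status": "ok"},
    ],
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value) -> bool:
    """Heuristic for credential-shaped strings: long and high-entropy."""
    return isinstance(value, str) and len(value) >= 20 and shannon_entropy(value) > 3.5


def redact(obj, path: str = "") -> tuple[object, list[str]]:
    """Return (redacted copy, list of dotted paths that were redacted).
    A sensitive key has its whole value replaced, whatever its type."""
    redacted = []

    def walk(node, p):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                child = f"{p}.{key}" if p else key
                if SENSITIVE_KEY.search(key) or looks_like_secret(value):
                    out[key] = "[REDACTED]"
                    redacted.append(child)
                else:
                    out[key] = walk(value, child)
            return out
        if isinstance(node, list):
            return [walk(value, f"{p}[{i}]") for i, value in enumerate(node)]
        if looks_like_secret(node):
            redacted.append(p)
            return "[REDACTED]"
        return node

    return walk(obj, path), redacted


if __name__ == "__main__":
    clean, paths = redact(SAMPLE_DIAGNOSTICS)
    print(clean)
    print("redacted:", paths)
```

The `console_port` survives because an operator genuinely needs it for troubleshooting, while both credentials are replaced and their paths are returned so the redaction itself can be logged. The entropy check is a backstop for secrets stored under innocuous key names; it is deliberately conservative so that short status strings and hostnames pass through untouched.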
Phase 6: Internal Console Access
Using the leaked token, I connected to the internal console service.
During post-exploitation enumeration, I located a file containing part of the second flag:
```bash
cat user_part2.txt
```
Output:
```text
j3stered_739138}
```
Combining the recovered fragment with previously obtained data revealed the complete second flag.
Flag 2
```text
THM{Y0u_h4ve_b3en_j3stered_739138}
```
Phase 7: Accessing the SCADA Environment
Further enumeration revealed an internally exposed SCADA system running locally:
```text
127.0.0.1:9001
```
Connecting to the service presented the HopSec Asylum Control Interface.
Interestingly, the second flag itself acted as the authentication token:
```text
THM{Y0u_h4ve_b3en_j3stered_739138}
```
After successful authentication, full access to the control terminal was granted.
Phase 8: Privilege Escalation and Docker Abuse
The SCADA interface required a secret unlock code to open the facility gate.
Local enumeration uncovered an unusual SUID binary:
```text
/usr/local/bin/diag_shell
```
Further analysis revealed that the binary executed commands with elevated privileges.
Additionally, Docker group permissions were available, creating a privilege escalation opportunity.
Using Docker, I accessed a privileged container and extracted the protected gate code:
```bash
docker exec -u root asylum_gate_control cat /root/.asylum/unlock_code
```
Output:
```text
739184627
```
This stage highlights why Docker group membership should often be treated as equivalent to root access.
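Both findings in this phase, the stray SUID binary and the docker group membership, are things a periodic host audit catches before an attacker does. As an added example (not from the challenge or the author), the following audit parses `/etc/group`-style output and a SUID listing and reports root-equivalent group members and SUID binaries missing from a baseline. The group file, the listing, the user names and the baseline set are all constructed for the example; `/usr/local/bin/diag_shell` is the only path taken from the walkthrough.

```python
# Constructed sample data standing in for `getent group` output and a
# `find / -perm -4000 -type f` listing. Users and backup_helper are invented;
# /usr/local/bin/diag_shell is the path named in the walkthrough.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
docker:x:998:alice,svc-scada
users:x:100:
"""

SAMPLE_SUID_LISTING = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/local/bin/diag_shell
/opt/tools/backup_helper
"""

# Assumed baseline of SUID binaries expected on a stock install. A real audit
# takes this from a golden image or package manifests, not a hand-written set.
SUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount",
}

# Groups whose membership is effectively root (docker: control of the daemon
# socket; disk: raw access to block devices).
ROOT_EQUIVALENT_GROUPS = {"docker", "sudo", "wheel", "lxd", "disk"}


def parse_group_file(text: str) -> dict[str, list[str]]:
    """Parse /etc/group-style lines into {group: [members]}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def root_equivalent_members(text: str) -> dict[str, list[str]]:
    """Non-empty membership of groups that grant root-equivalent power."""
    return {
        group: members
        for group, members in parse_group_file(text).items()
        if group in ROOT_EQUIVALENT_GROUPS and members
    }


def unexpected_suid(listing: str, baseline: set = SUID_BASELINE) -> list[str]:
    """SUID binaries present on the host but absent from the baseline."""
    found = {line.strip() for line in listing.splitlines() if line.strip()}
    return sorted(found - baseline)


def audit(group_text: str, suid_listing: str) -> list[str]:
    """Human-readable findings combining both checks."""
    findings = []
    for group, members in root_equivalent_members(group_text).items():
        for member in members:
            findings.append(f"{member} is in group '{group}': treat as root-equivalent access")
    for path in unexpected_suid(suid_listing):
        findings.append(f"unexpected SUID binary {path}: review or strip the setuid bit")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUP_FILE, SAMPLE_SUID_LISTING):
        print(finding)
```

On the sample data the audit flags the service account in the docker group, which is exactly the condition the `docker exec -u root` step abused, and surfaces `diag_shell` as a SUID binary outside the baseline. Feeding it real `getent group` and `find` output from a fleet is a one-line change; the value is in keeping the baseline honest.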
Phase 9: Unlocking the Main Gate
Returning to the SCADA console, I supplied the recovered unlock code:
```text
unlock 739184627
```
Response:
```text
Gate Status: UNLOCKED
```
With the gate unlocked, a final CGI endpoint became accessible:
```http
POST /cgi-bin/exit_check.sh
```
The endpoint returned the third flag:
```json
{
  "ok": true,
  "flag": "THM{p0p_go3s_THe_W3as3l}"
}
```
Flag 3
```text
THM{p0p_go3s_THe_W3as3l}
```
The Final Escape
After collecting all three flags, the final escape endpoint became available:
```http
POST /cgi-bin/escape_check.sh
```
Submitting the required flags successfully completed the challenge and revealed the final invitation code.
Final Invite Code
```text
THM{There.is.no.EASTmas.without.Hopper}
```
Vulnerabilities Exploited
Throughout the challenge, several security weaknesses were chained together:
| Vulnerability | Impact |
| --- | --- |
| Weak Password Policy | Initial Access |
| OSINT Information Disclosure | Credential Discovery |
| HTTP Parameter Pollution | Authorization Bypass |
| Hidden API Endpoints | Expanded Attack Surface |
| Token Leakage | Internal Console Access |
| SUID Misconfiguration | Privilege Escalation |
| Docker Misconfiguration | Container Escape / Elevated Access |
Key Takeaways
This challenge serves as an excellent example of how small security weaknesses can combine into a complete compromise.
Some important lessons include:
- Publicly exposed employee information can enable credential attacks.
- Hidden API functionality often exposes sensitive administrative capabilities.
- HTTP Parameter Pollution remains a dangerous and frequently overlooked vulnerability.
- Information disclosure issues can quickly escalate into full system compromise.
- SUID binaries should be carefully audited and monitored.
- Membership in the Docker group can effectively provide root-level privileges.
- Industrial and SCADA environments should be isolated from traditional IT infrastructure whenever possible.
Conclusion
The Great Disappearing Act is a well-designed TryHackMe challenge that combines web exploitation, privilege escalation, API abuse, and SCADA interaction into a realistic attack chain.
By carefully enumerating exposed services, exploiting authorization flaws, abusing leaked information, and escalating privileges through Docker, I successfully collected all three flags and escaped HopSec Asylum.
Challenges like this reinforce a critical lesson in offensive security: attackers rarely rely on a single vulnerability. Instead, they chain together multiple weaknesses until a complete compromise becomes possible.
Happy Hacking! 🚀
If you enjoyed the article, feel free to follow me for more walkthroughs and answers.
And you can also follow me on:
Linkedin: Nayanjyoti Kumar
GitHub: NayanjyotiKumar(Nayanjyoti Kumar)
Instagram: নয়ন জ্যোতি কুমাৰ (@nayan.kumar_)