July 5, 2026
TryHackMe: Fools Mate Walkthrough
Introduction

By 5um1t0x
2 min read
Introduction
In this walkthrough, I will be solving the Fools Mate room on TryHackMe. The goal of this room is to enumerate the target machine, discover open services, investigate possible attack paths, and eventually gain access to the system.
Initial Enumeration
The first step was to scan the target IP address using nmap.
nmap 10.64.168.78nmap 10.64.168.78Nmap Scan Results
From the scan results, two open ports were discovered:
The scan shows that the machine is running an SSH service on port 22 and a web server on port 80.
Web Enumeration
Navigating to http://10.64.168.78 reveals a chess application named EndgameTrainer. Because the app handles user inputs to facilitate gameplay, it presents a potential attack surface for Command Injection.
Triggering the Vulnerability
I decided to solve the displayed "Mate-in-one" puzzle by moving the rook from a1 to a8 (Ra8).
As soon as the move was played, the following popup appeared:
- Window Title:
/usr/lib32 - Message: "I'll shut down your PC if you play that."
Request Tampering with Burp Suite & Retrieving the Flag
Instead of playing Ra8 directly (which triggered a suspicious popup), I first moved the rook from a1 to a3 on the board.
This generated a POST request to /api/move. Using Burp Suite as a proxy, I intercepted the request and modified the JSON payload:
Original:
{"from": "a1", "to": "a3"}{"from": "a1", "to": "a3"}Modified:
{"from": "a1", "to": "a8"}{"from": "a1", "to": "a8"}After forwarding the tampered request, the server accepted the move. The response contained the flag, and the interface displayed "Checkmate — White wins".
This revealed a classic client-side trust vulnerability — the application did not validate moves on the server side.
Conclusion
In this walkthrough, we successfully compromised the Fools Mate machine by exploiting a Command Injection vulnerability within the "EndgameTrainer" web application.
By using Nmap for initial discovery and Burp Suite to perform Request Tampering, we were able to manipulate a chess move from a1 -> a3 to a1 -> a8, bypassing client-side restrictions and forcing the server to return the flag. This exercise highlights the critical importance of performing rigorous server-side validation to prevent attackers from manipulating application logic.
Proof of Completion:
Powered by Sukshield
Follow me on
LinkedIn: Sumit Battani | Twitter: https://twitter.com/5um1t0x TryHackMe: TryHackMe | 5um1t0x