June 16, 2026
From Curiosity to a Reverse Shell: My First Guided Web Pentest Journey
“Wait… did I just become an administrator because someone forgot a security check?”
Naman Patil
That was the moment I sat back in my chair and smiled.
Not because I had found some super-advanced exploit.
Not because I wrote hundreds of lines of code.
But because, for the first time, I understood how real attackers think.
Recently, I completed the Guided Pentest: Web room on TryHackMe, and honestly, it felt less like solving a CTF and more like experiencing a real penetration test from start to finish.
And trust me…
I forgot things.
I ran commands twice.
Sometimes three times.
At one point I opened a browser tab and immediately forgot why I opened it.
If you've ever felt like that while learning cybersecurity, this story is for you.
Starting With Absolutely No Idea
Imagine someone asks:
"Can you tell me if my house is secure?"
You wouldn't start smashing windows.
You'd first walk around.
- How many doors are there?
- Are any windows open?
- Is the garage locked?
- Is there a secret entrance?
That's exactly what Reconnaissance is.
Before trying to exploit anything, I needed to understand the target.
So I opened the terminal and ran:
nmap -sV -sC -p- MACHINE_IP
And suddenly, information started appearing.
- SSH running on port 22
- Apache web server on port 80
- MySQL database on port 3306
- Another HTTP service on port 8080
At first, it looked like random text.
But then I realized:
This wasn't just a website.
It was:
Apache + PHP + MySQL
A classic web stack.
Like opening the hood of a car and finally recognizing the engine.
Then Curiosity Took Over
I started exploring.
Clicking links.
Looking at headers.
Checking hidden directories.
Running Gobuster.
And suddenly I found things like:
/admin
/api/reset.php
/uploads
Immediately my brain started asking questions:
Why is there an admin panel?
Why does the API exist?
Why is there an uploads folder?
Why do I feel like this password reset page is going to betray someone?
(Spoiler: it did.)
The Moment I Understood IDOR
While exploring profiles, I noticed something interesting.
User profiles were referenced by a simple ID in the URL.
At first glance, it looked harmless.
But then I asked the question every curious hacker eventually asks:
"What happens if I change this?"
That simple question led me to discover an IDOR vulnerability.
Insecure Direct Object Reference.
Sounds complicated.
But imagine this.
You're staying at a hotel.
Your room number is 104.
And somehow…
your key also opens room 105.
And 106.
And 107.
The hotel never checks if you're supposed to enter those rooms.
That's basically IDOR.
The application trusted the user too much.
By changing the ID, I could view information belonging to other users.
And among those users…
I found the administrator.
Sarah Mitchell.
I remember staring at the screen thinking:
"Wait… this actually happens in real applications?"
Apparently…
yes.
More often than we'd like.
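The missing check behind this IDOR, as an added example (not code from the room or the target application): a profile lookup that trusts the ID from the URL, next to one that compares it with the logged-in user. The `User` records, function names and IDs are constructed for illustration, and the sketch is in Python rather than the lab's PHP.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    email: str
    is_admin: bool = False

# Constructed sample records standing in for the application's users table.
USERS = {
    1: User(1, "admin@example.test", is_admin=True),
    104: User(104, "guest104@example.test"),
    105: User(105, "guest105@example.test"),
}

class NotFound(Exception):
    """Raised for both 'no such profile' and 'not yours to view'."""

def get_profile_unchecked(session_user_id: int, requested_id: int) -> User:
    # The flaw from the post: the ID in the URL is trusted as-is and the
    # logged-in user is never compared against the record being returned.
    return USERS[requested_id]

def get_profile_checked(session_user_id: int, requested_id: int) -> User:
    requester = USERS.get(session_user_id)
    target = USERS.get(requested_id)
    allowed = (
        requester is not None
        and target is not None
        and (requester.is_admin or requester.id == target.id)
    )
    if not allowed:
        # One error for missing and forbidden records, so responses do not
        # reveal which IDs exist.
        raise NotFound(requested_id)
    return target
```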
Small Mistakes Can Become Big Problems
Now that I knew the administrator's email address, I became interested in the password reset page.
I entered my own email first.
The website generated a reset token.
And…
displayed it directly on the page.
I actually laughed.
Because the whole point of a password reset token is:
The user shouldn't see it unless it's sent securely to their email.
But here it was.
Right in front of me.
Which meant:
If I knew the admin's email…
I could request a reset.
See the token.
Reset the password.
And log in.
No brute force.
No fancy exploit.
Just:
- Find email
- Request reset
- Receive token
- Change password
- Become administrator
And somehow…
that worked.
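What the reset flow should have done, as an added example (not the room's code): the token goes only to the mailbox, the page shows the same message for every address, and the server keeps just a hash with an expiry. The account list, the in-memory `OUTBOX` standing in for email delivery and the 15-minute lifetime are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60          # assumed lifetime of a token, in seconds
ACCOUNTS = {"admin@example.test", "guest104@example.test"}  # constructed
PENDING = {}                 # email -> (sha256 of token, expiry time)
OUTBOX = []                  # stands in for the mail system
GENERIC = "If that address is registered, a reset link has been sent."

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(email, now=None):
    """Return the response body; the token never appears in it."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a database leak does not expose
        # usable tokens.
        PENDING[email] = (_digest(token), now + TOKEN_TTL)
        OUTBOX.append((email, token))   # only the mailbox owner sees it
    return GENERIC                      # same body for unknown addresses

def redeem_reset(email, token, now=None):
    """True once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    entry = PENDING.get(email)
    if entry is None:
        return False
    stored, expiry = entry
    if now > expiry:
        del PENDING[email]
        return False
    if not hmac.compare_digest(stored, _digest(token)):
        return False
    del PENDING[email]                  # single use
    return True
```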
The Door I Could Finally Open
Earlier during enumeration, I found:
/admin
At that time, it was locked.
Now I had the keys.
Inside the admin panel, I found a file upload feature.
The page claimed:
✅ DOCX
✅ Images
❌ PHP files
I tried uploading:
test.php
Blocked.
Okay.
Fair enough.
Then I remembered something.
Web servers sometimes execute other PHP extensions.
So I tried:
test.phtml
And…
it worked.
I just sat there for a second.
Because this wasn't some crazy vulnerability.
The developers blocked:
.php
But forgot:
.phtml
One tiny oversight.
Huge consequences.
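Why blocking one extension fails and what an allowlist looks like, as an added example (not the application's code): the denylist check described above beside a validator that accepts only the file types the page advertised, checks their leading bytes and stores them under a server-generated name. The function names, the exact allowed extensions and the sample byte strings are constructed for illustration.

```python
import os
import secrets

DENYLIST = {".php"}   # the only extension the upload form rejected

# Allowed extension -> leading bytes a file of that type starts with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",   # DOCX is a ZIP container
}

def _extension(filename):
    # Drop any client-supplied directory part, then take the last extension.
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()

def denylist_accepts(filename):
    # Everything not explicitly listed gets through, including any other
    # extension the web server is configured to execute.
    return _extension(filename) not in DENYLIST

def accept_upload(filename, data):
    """Return the name to store the file under, or None to reject it."""
    ext = _extension(filename)
    magic = MAGIC.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    # The stored name is generated server-side, so nothing from the client's
    # filename other than an allow-listed extension reaches the disk.
    return secrets.token_hex(16) + ext
```

The upload directory should also be configured so the web server never executes scripts from it; that keeps a validation mistake from turning into code execution.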
The Moment Everything Connected
I uploaded a small web shell.
Visited:
shell.phtml?cmd=whoami
And got:
www-data
I stared at the output.
Not because it was complicated.
But because a few hours earlier:
- I had no credentials.
- I knew nothing about the application.
- I had no idea where vulnerabilities existed.
And now…
I was executing commands on the server.
That feeling is difficult to describe.
It's part excitement.
Part disbelief.
And part:
"Okay… cybersecurity is actually awesome."
The Entire Attack Chain
What fascinated me the most wasn't any single vulnerability.
It was how they connected.
The journey looked like this:
Reconnaissance
↓
IDOR
↓
Discover Admin Email
↓
Weak Password Reset
↓
Admin Account Access
↓
Upload Bypass
↓
Remote Code Execution
No vulnerability alone was catastrophic.
But together?
They led to a complete compromise.
And that's how many real-world attacks work.
Not through magic.
Not through movie-style hacking.
Through patience.
Observation.
And connecting small mistakes.
What I Really Learned
I learned commands.
I learned vulnerabilities.
But honestly…
that's not what I'll remember most.
I'll remember these lessons:
1. Enumeration is everything
The answers are often sitting right in front of you.
Headers.
Directories.
APIs.
URLs.
The best hackers are often just very curious people.
2. Small flaws become huge problems
IDOR.
Weak password reset.
Bad upload validation.
None of these are exotic.
But chained together?
They become devastating.
3. Forgetting things is normal
I forget commands.
I forget syntax.
I sometimes forget why I opened a browser tab.
Cybersecurity can feel overwhelming.
You look at other people and think:
"How do they remember all this?"
Here's what I've realized.
Most people don't.
Good hackers aren't walking encyclopedias.
They're people who:
- Stay curious
- Take notes
- Google things
- Break things
- Fix things
- Keep learning
And slowly…
the pieces start fitting together.
Final Thoughts
When I started this room, I thought:
"I hope I can finish this."
By the end, I was thinking:
"I understand how attackers think."
And honestly…
that's one of the best feelings I've had while learning cybersecurity.
Because every expert once stared at an Nmap scan and wondered:
"Okay… now what?"
If that's where you are right now,
keep going.
Keep asking questions.
Keep breaking things in labs.
Keep being curious.
One day you'll look back and realize:
You didn't become good overnight.
You just kept taking one small step after another.
And eventually…
those small steps became your biggest achievement.
Thanks for reading ❤️
I'm still learning, still forgetting things occasionally, and still getting excited every time I discover something new.
But that's the fun part of the journey.
What's one cybersecurity moment that made you stop and think:
"Wait… that's actually possible?!"