TryHackMe Startup Challenge Walkthrough: Step-by-Step Beginner’s Guide to FTP Exploitation and…
The article walks through a CTF challenge: a port scan finds open services (FTP, SSH, HTTP); uploading a reverse shell through FTP gives initial access; analysing a network capture file yields SSH credentials for user-level access; and modifying a script escalates privileges to root. 2025-9-5 06:0:41 Author: infosecwriteups.com

Prajwal

Introduction

In this walkthrough, I’ll demonstrate how to tackle the “Spicy” challenge on TryHackMe — an easy-level CTF box well-suited for beginners looking to sharpen their enumeration, exploitation, and privilege escalation skills. We’ll step through each phase, from initial reconnaissance to achieving root access.

Step 1: Initial Port Scanning and Service Enumeration

After starting the target machine, the first step is to identify which ports are open and what services are running. This helps narrow down possible attack vectors.

I ran the following command to scan for open ports along with service versions:

nmap -sCV -vv <target-ip>

The scan revealed three open ports:

  • Port 21: FTP service
  • Port 22: SSH service
  • Port 80: HTTP service

Knowing these ports are active tells us there are three services to probe during this challenge: a web server, a file transfer service, and a secure shell service.

Step 2: Exploring the Web Service and Directory Enumeration

With port 80 open, the next logical step is to visit the web page hosted on the target machine.

Opening a browser and navigating to http://<target-ip> showed a basic webpage with no immediately useful information or vulnerabilities.

To discover hidden directories or files on the web server, I used a directory enumeration tool called Gobuster. The command I ran was:

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirb/common.txt

This scan revealed an interesting directory named /files.

Visiting http://<target-ip>/files did not show anything particularly useful at this point, so I decided to explore other entry points.

Step 3: Connecting to the FTP Service

With port 21 open, I decided to check the FTP service for potential entry points.

Using the command below, I connected to the FTP server:

ftp <target-ip>

When prompted for username and password, I tried the common anonymous login credentials:

  • Username: anonymous
  • Password: anonymous

The login was successful, giving me access to the FTP server.

To see the available files and directories, I ran:

ls

Interestingly, I found that I had write access in this directory, which meant I could upload files — an important foothold for exploitation.

Step 4: Uploading a Reverse Shell via FTP

Since I had write access on the FTP server, I proceeded to upload a PHP reverse shell to gain remote command execution.

First, I navigated to the FTP directory where files could be accessed via the web server:

cd ftp

Then, I uploaded the PHP reverse shell:

put php-reverse-shell.php

The upload was successful.

To receive the reverse shell connection, I set up a Netcat listener on my machine on the port specified inside the PHP reverse shell script:

nc -lnvp 5555

Finally, I triggered the reverse shell by accessing the uploaded PHP shell through the web server, which gave me a remote shell on the target.
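The foothold in Steps 3 and 4 exists only because anonymous FTP users can write into a directory the web server also serves. The following audit is an added example, not code from the post or the box; it assumes the FTP daemon is vsftpd and that the web document root is /var/www/html (the path the walkthrough later copies files into), with /srv/ftp as a placeholder for the anonymous root when anon_root is unset.

```python
"""Audit a vsftpd.conf for the anonymous-write-into-web-root condition."""
import os

# Compiled-in defaults of the relevant directives, per vsftpd.conf(5).
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO", "anon_root": ""}

def parse_vsftpd_conf(text):
    """Return {directive: value}, skipping comments and blank lines."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit_anonymous_ftp(conf, web_roots=("/var/www/html",)):
    """Return findings; an empty list means anonymous users cannot upload."""
    def on(key):
        return conf[key].strip().upper() == "YES"
    findings = []
    if on("anonymous_enable") and on("write_enable") and (on("anon_upload_enable") or on("anon_mkdir_write_enable")):
        findings.append("anonymous users can upload files")
        # anon_root unset means the ftp user's home; /srv/ftp is an assumed placeholder for it.
        root = os.path.normpath(conf["anon_root"] or "/srv/ftp")
        for web in map(os.path.normpath, web_roots):
            if root == web or root.startswith(web + os.sep):
                findings.append(f"anonymous FTP root {root} is inside web root {web}: uploads are served over HTTP")
    return findings

# Constructed configs (not taken from the target): the weak layout beside a hardened one.
WEAK_CONF = """
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html/files/ftp
"""
HARDENED_CONF = """
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""
```

Note that vsftpd's compiled-in default for anonymous_enable is YES, so a config that never mentions it still permits anonymous logins; the check treats absent directives with those defaults.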

Step 5: Stabilizing the Reverse Shell

Once I obtained the reverse shell, the next task was to stabilize it for better interaction and usability.

I used Python to spawn Bash inside a pseudo-terminal (pty), which behaves much more like a normal terminal session, by running the following command in the reverse shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

This allowed me to interact smoothly with the target system’s shell, making it easier to run commands and explore further.

The first piece of information I retrieved from the system was the answer to one of the initial challenges:

Answer: love

Step 6: Analyzing Suspicious Files on the Server

While exploring the FTP directory, I found a file named suspicious.pcapng. To investigate further, I copied this file to the web-accessible directory so I could download and analyze it:

cp suspicious.pcapng /var/www/html/files/ftp

Once the file was successfully copied, I accessed http://<target-ip>/files/ftp/suspicious.pcapng to download it to my local machine.

Using Wireshark, I opened the pcapng file to analyze the network traffic. This helped uncover valuable information hidden inside the capture.

Step 7: Extracting Credentials from the Network Capture

After opening the suspicious.pcapng file in Wireshark, I focused on the TCP streams to find any sensitive information.

Right-clicking on a TCP packet and selecting “Follow” → “TCP Stream” allowed me to view the entire communication.

By cycling through the stream numbers, I found cleartext credentials in stream 7:

  • Username: lennie
  • Password: c4ntg3t3n0ughsp1c3

These credentials would be very useful for the next stage: gaining SSH access.
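Wireshark's "Follow TCP Stream" works by grouping both directions of a connection into one conversation and concatenating the payloads in order; the same logic lets a defender scan a capture for logins sent in the clear. The block below is an added example, not code from the post, and operates on already-decoded packets (constructed placeholder values, not the challenge's traffic) rather than parsing the pcapng file itself.

```python
"""Reassemble TCP conversations and flag cleartext logins, mimicking "Follow TCP Stream"."""
import re
from collections import defaultdict

# FTP/POP3-style USER/PASS commands at line start, plus username/password form fields.
LOGIN_RE = re.compile(rb"(?im)^(USER|PASS)[ \t]+(\S+)")
FORM_RE = re.compile(rb"(?i)\b(username|password|pwd)=([^&\s]+)")

def stream_key(pkt):
    """Both directions of one conversation map to the same key (like Wireshark's tcp.stream)."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def follow_streams(packets):
    """Group packets per conversation, order by capture time, join payloads; streams are numbered by first appearance."""
    streams = defaultdict(list)
    for pkt in packets:
        if pkt["payload"]:
            streams[stream_key(pkt)].append(pkt)
    return {i: b"".join(p["payload"] for p in sorted(pkts, key=lambda p: p["ts"]))
            for i, (_, pkts) in enumerate(streams.items())}

def find_cleartext_credentials(packets):
    """Return (stream number, field, value) for every credential seen in cleartext."""
    hits = []
    for sid, data in follow_streams(packets).items():
        for rx in (LOGIN_RE, FORM_RE):
            for m in rx.finditer(data):
                hits.append((sid, m.group(1).decode().upper(), m.group(2).decode(errors="replace")))
    return hits

def _pkt(ts, src, sport, dst, dport, payload):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

# Constructed packets standing in for a decoded capture: a harmless HTTP request and an
# FTP login. Addresses and credentials are placeholders, not taken from the challenge.
SAMPLE_PACKETS = [
    _pkt(1.0, "10.0.0.5", 40001, "10.0.0.1", 80, b"GET / HTTP/1.1\r\nHost: example\r\nUser-Agent: x\r\n\r\n"),
    _pkt(1.1, "10.0.0.1", 80, "10.0.0.5", 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    _pkt(2.0, "10.0.0.5", 40002, "10.0.0.1", 21, b""),  # SYN, no payload: ignored
    _pkt(2.1, "10.0.0.1", 21, "10.0.0.5", 40002, b"220 FTP ready\r\n"),
    _pkt(2.2, "10.0.0.5", 40002, "10.0.0.1", 21, b"USER alice\r\n"),
    _pkt(2.3, "10.0.0.1", 21, "10.0.0.5", 40002, b"331 Please specify the password.\r\n"),
    _pkt(2.4, "10.0.0.5", 40002, "10.0.0.1", 21, b"PASS example-pass-123\r\n"),
]
```

Running find_cleartext_credentials(SAMPLE_PACKETS) reports both the USER and PASS lines of the FTP conversation (stream 1) while the HTTP stream produces no hits.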

Step 8: Gaining SSH Access with Extracted Credentials

Using the username and password found in the network capture, I attempted to log in via SSH:

ssh lennie@<target-ip>

After entering the password c4ntg3t3n0ughsp1c3, I successfully gained SSH access to the target machine as the user lennie.

With this access, I located and captured the user flag to complete the user-level objectives.

Step 9: Privilege Escalation — Initial Enumeration

Now that I had user access, the next step was to escalate privileges to obtain root access.

I started by checking sudo privileges:

sudo -l

However, this command did not return any sudo permissions.

Next, I listed all files and directories with detailed permissions:

ls -la

In a directory named scripts, I noticed some root-owned scripts, a potential privilege escalation vector if a lower-privileged user can modify them or anything they invoke.

Step 10: Exploiting Root-Owned Scripts for Privilege Escalation

I navigated to the scripts directory, where I found a script named planner.sh:

cd scripts
ls
cat planner.sh

The contents of planner.sh revealed that it executes another script called print.sh with elevated privileges.

To exploit this, I edited print.sh to include a reverse shell payload.

Using a text editor like nano, I replaced the existing content of print.sh with my generated reverse shell script. To generate the payload, I used an online reverse shell generator and configured it with my TryHackMe IP and preferred listening port.

Before saving the script, I set up a Netcat listener on my local machine to catch the reverse shell:

nc -lnvp 9001

After saving and executing print.sh, I waited patiently and soon received a root shell on my listener.
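The root cause in Step 10 is a privileged wrapper (planner.sh) invoking a helper (print.sh) that an unprivileged user can edit. The audit below is an added example, not code from the box or the post: it lists the .sh files a wrapper references and flags any that are writable by group or others, not owned by root (assumed uid 0), or missing; the demo() function recreates the planner.sh/print.sh layout in a temporary directory with constructed contents.

```python
"""Audit a privileged wrapper script for helper scripts that a non-root user could modify."""
import os
import re
import stat
import tempfile

# Any token ending in .sh, absolute or relative to the wrapper's own directory.
SCRIPT_REF = re.compile(r"(?<![\w./-])([\w./-]+\.sh)(?![\w./-])")

def invoked_scripts(wrapper_path):
    """Return normalised paths of .sh files the wrapper references (comments ignored)."""
    base = os.path.dirname(os.path.abspath(wrapper_path))
    found = []
    with open(wrapper_path) as fh:
        for line in fh:
            code = line.split("#", 1)[0]
            for name in SCRIPT_REF.findall(code):
                path = os.path.normpath(name if os.path.isabs(name) else os.path.join(base, name))
                if path not in found:
                    found.append(path)
    return found

def audit_wrapper(wrapper_path):
    """Return (path, reason) for each invoked script an unprivileged user could control."""
    findings = []
    for path in invoked_scripts(wrapper_path):
        if not os.path.exists(path):
            findings.append((path, "missing: whoever can write the directory can create it"))
            continue
        st = os.stat(path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others"))
        if st.st_uid != 0:  # assumes root is uid 0
            findings.append((path, "not owned by root"))
    return findings

def demo():
    """Recreate the box's layout (planner.sh calling a world-writable print.sh) in a temp dir."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "print.sh")
    wrapper = os.path.join(d, "planner.sh")
    with open(helper, "w") as fh:
        fh.write("#!/bin/bash\necho 'constructed helper'\n")
    os.chmod(helper, 0o777)  # the weak permission that hands the helper to any local user
    with open(wrapper, "w") as fh:
        fh.write("#!/bin/bash\n# run the helper\n/bin/bash ./print.sh\nbash missing.sh\n")
    return audit_wrapper(wrapper)
```

The fix the audit points at is to make helpers root-owned with mode 0755 (or 0700) and to have the wrapper call them by absolute path from a directory that only root can write.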

Conclusion

With root access achieved, the challenge is complete. The “Spicy” TryHackMe box is an excellent entry-level CTF that combines basic enumeration, exploitation via FTP, and privilege escalation through script abuse. It highlights the importance of thoroughly probing all open services and analyzing network captures for hidden clues.

Thanks for following along! Consider clapping if you found this walkthrough helpful, and stay tuned for the next write-up.

Happy hacking! :)


Source: https://infosecwriteups.com/tryhackme-startup-challenge-walkthrough-step-by-step-beginners-guide-to-ftp-exploitation-and-d3f85323b799?source=rss----7b722bfd1b8d---4