
12 days of TryHackMe: notes from the writeup series.

What shipping 12 walkthroughs back-to-back actually taught me. Privilege escalation patterns, the OSINT habits that keep paying off, and the rooms I'd skip.

Why 12 rooms, 12 days

TryHackMe rooms are self-contained — each one is a few hours of focused work on a specific technique. The problem is cherry-picking: you naturally gravitate to what you already know. Committing to 12 consecutive rooms with written documentation forced breadth. You can't skip the rooms you find uncomfortable when you've told people you're publishing every day.

The format was simple: document the methodology as if explaining to someone who's never seen the tool. No "just run linpeas" — show what linpeas found and why that specific finding matters.

The 12 rooms covered

Basic Pentesting: privesc · enumeration
RootMe: web · file upload bypass
Pickle Rick: command injection · osint
OhSINT: osint · metadata
Hydra: brute force · credential attacks
Simple CTF: sqli · ssh
Kenobi: nfs · samba · path hijack
Nmap: methodology deep-dive
Vulnversity: web · suid escalation
Steel Mountain: windows · metasploit
Blaster: windows · rdp
Startup: forensics · wireshark

Top 3 privilege escalation patterns

Across the 12 rooms, the same escalation paths appeared repeatedly. In rough order of how often they show up in CTF contexts:

1. SUID binaries

A binary with the SUID bit set runs with the owner's privileges (often root) regardless of who executes it. The one-liner that finds them:

// find suid binaries
$ find / -perm -u=s -type f 2>/dev/null
# check GTFOBins for each result
# e.g. /usr/bin/find → find . -exec /bin/sh \; -quit

2. Writable cron jobs

System cron jobs (the entries in /etc/crontab and /etc/cron.d/) run as the user named in the entry, which is usually root. If any of the scripts they invoke are writable by the current user, you can insert a reverse shell. Check /etc/crontab, /etc/cron.d/, and /var/spool/cron/crontabs/.

3. Path injection via $PATH manipulation

If a SUID binary calls another binary without an absolute path (e.g., calls service instead of /usr/sbin/service), you can create a malicious service binary in a directory you control, add it to the front of $PATH, and have it execute with the SUID binary's privileges.
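As an added example (not code from the writeups), here is a small POSIX sh audit for patterns 2 and 3 from the defender's side: it parses the system cron files named above and reports each invoked command that is group- or world-writable, missing, or referenced without an absolute path (and so resolved through cron's PATH). The function names and the optional staged-root argument are my own assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): list the commands invoked by
# system cron entries and flag those a non-root user could edit or swap.
# First argument (default empty = the real /) is a staged root directory,
# so the check can run against a copied or mounted tree.

# Print the first command token of each entry in a crontab-format file.
# System crontab lines:   min hour dom mon dow user command ...
# '@reboot'-style lines:  @reboot user command ...
# Comments, blank lines and NAME=value assignments are skipped.
cron_commands() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            start = ($1 ~ /^@/) ? 3 : 7
            if (start <= NF) print $start
        }
    ' "$1"
}

# One line per finding: "<command><TAB><reason>".
audit_cron_scripts() {
    root=${1:-}
    for f in "$root/etc/crontab" "$root/etc/cron.d"/*; do
        [ -f "$f" ] || continue
        cron_commands "$f" | while IFS= read -r cmd; do
            case $cmd in
                /*) ;;
                *)  printf '%s\trelative path (resolved via cron PATH)\n' "$cmd"; continue ;;
            esac
            target="$root$cmd"
            if [ ! -e "$target" ]; then
                printf '%s\tmissing target\n' "$cmd"
            # -prune keeps find from descending, so only the target itself is tested
            elif [ -n "$(find "$target" -prune -perm -o+w)" ]; then
                printf '%s\tworld-writable\n' "$cmd"
            elif [ -n "$(find "$target" -prune -perm -g+w)" ]; then
                printf '%s\tgroup-writable\n' "$cmd"
            fi
        done
    done
}

audit_cron_scripts "${1:-}"
```

A clean host prints nothing; any line it does print is a script whose owner, mode or lookup path should be fixed before an attacker finds it with linpeas.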

The OSINT habit that kept paying off

ExifTool on every image, every time. Metadata leaks are embarrassingly common. OhSINT was the textbook case — a single JPEG leaked the author's name, GPS coordinates, email, and operating system. From those, every other question in the room was solvable via public search.

// metadata extraction
$ exiftool image.jpg
Author        : OWoodflint
GPS Latitude  : 51 deg 30' 51.90" N
GPS Longitude : 0 deg 5' 49.70" W
# → cross-reference Twitter, GitHub, email

Rooms worth skipping

The Nmap room teaches methodology but the questions are answered by reading the man page — you don't build a mental model by filling in flag names. Better to run Nmap against a real target (any of the other rooms) and observe how the output changes. The guided format removes the part of Nmap that actually takes skill: deciding what to scan for.

The real value of CTF writeups isn't the flags — it's forcing yourself to articulate why each step works. If you can't explain the exploit chain in plain English, you don't understand it well enough to spot it in a real engagement.