Before completing this machine, I recommend you get familiar with:-

  • Basic web application testing
  • Privilege escalation
  • Nmap and network services

Nmap

Starting off with the Nmap scan, we see 3 open ports:-

  • 22 - ssh
  • 80 - http
  • 37370 - ftp

Getting the first flag

When we visit the machine's IP, we see a pretty old looking website which has a bunch of images on it, as well as a pricing page.

The first thing that came to mind was enumerating the directories.

Using ffuf, we discover:-

  • /gallery
  • /static
  • /pricing

It's always a good step to re-enumerate any directories you find, so I ran ffuf against /static again.

As you can see, we get all the images stored in /static. However, "00" is not shown on the /gallery webpage, as the first image there is "1".

Checking /static/00, we find this odd note, that also reveals a hidden directory.

The hidden webpage is a login portal for the site's developers. After digging around some more, I found hard-coded credentials in an attached JavaScript file.

Using those credentials, we get redirected to another helpful note on the site.

"Stop reusing credentials"... hmm.

Initial access is gained by using the same credentials over an FTP connection.

From there, we can use "mget" to download all the PCAP files.

After checking each PCAP file with Wireshark, we stumble upon credentials passed in a POST request.

Now, using those credentials, we can connect to the machine via SSH, and get the first flag.

Getting the root flag

Checking sudo privs yields nothing, but there is an interesting executable file in "/home".

By setting up a simple HTTP server using Python on the machine, we can use "wget" to download the executable.

If you've ever done any reverse engineering or cryptography CTFs before, you know that checking files with "strings" can sometimes be useful.

So, I saved the output of "strings" to a new file, then searched it for any mention of "user" or "password", and found what looks like a hash.

You can use CrackStation to crack this MD5 hash, which will give us the password for the other user on the machine, "valley".

After switching to the user "valley", we can use find to see which files are owned by the "valleyAdmin" group.

The base64.py file is owned by "valleyAdmin", and it's used in a cronjob that runs every minute.

So, all we've got to do is modify the base64.py file to escalate our privileges.

And just like that, we're root (because we have the effective user-id of root).
