Bruteforce a website's login with Hydra, identify and use a public exploit, then escalate your privileges on this Windows machine!

Task 1: Deploy the vulnerable Windows machine

Let’s do our usual first step: nmap scan!

export rhost= # our target ip
nmap -sV --script vuln $rhost -n | tee nmap-$rhost.out
grep open nmap-$rhost.out

What's the name of the clown displayed on the homepage?

There’s a web server, so let’s go there in the browser:

Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.

Task 1: Initial Access

How many ports are open? (TCP only)

We do the usual nmap scan here:

export rhost= # target machine ip
nmap -sV --script vuln $rhost | tee nmap-$rhost.out
grep open nmap-$rhost.out


What is the username and password for the login panel (in the format username:password)?

In the browser, go to $rhost:8080 and we see a login page. Try the first thing that comes to mind, and we're in!

Hi! I'm a beginner to Offensive Security and Pentesting, and am doing the TryHackMe courses. Periodically I will do a writeup of some rooms, which details the step-by-step process for someone else who is stuck, or a log of what I did for a CTF (Capture the Flag) room.

These are mainly for my own reference and practice, but I hope it helps and/or entertains you too!

I also write about software engineering topics. These are some other stories you may like:

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users.

Note: This is a log and not a writeup — It’s a record of steps taken to capture the flag, including detours.


I started with the usual nmap scan ($ip refers to the env var with the box ip):

nmap -sV --script vuln -oN nmap-$ip.out $ip

The interesting parts of the scan were:

  • Port 22 is reported as ssh, but closed
  • Ports 80 and 443 are open, running http

At this point I ignored port 22 since it was closed, and port 443 (my assumption was that port 80 was the same and easier to break). …

The room: Learn about, then enumerate and exploit a variety of network services and misconfigurations.

Task 2: Understanding SMB

All the answers are found in the task description.

What does SMB stand for?

Server Message Block

What type of protocol is SMB?


What do clients connect to servers using?


What systems does Samba run on?


Task 3: Enumerating SMB

From this task on is where the fun starts! First, let's set up the env var to make the following commands easier.

export ip= # change it to your target machine's ip

Conduct an nmap scan of your choosing. How many ports are open?

Let’s run an nmap scan. As a reminder, these are what the flags…
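The nmap step above, and the same step in Task 1 of the two Windows rooms earlier on this page, pipe the scan into a file and then `grep open` it to answer "How many ports are open?". That grep also matches `open|filtered` UDP lines and any NSE script text containing the word "open", so it can over-count. The functions below (an added example, not code from the writeups) anchor on nmap's `<port>/tcp  open  <service>` line format instead. The scan output is constructed here for the demo; the host, versions and script line are made up.

```shell
# Added example (not from the original writeups): count and list the open TCP
# ports from a saved "nmap -sV --script vuln -oN nmap-$rhost.out" file.
# NMAP_SAMPLE is constructed scan output for the demo; the host, versions and
# script line are made up.
NMAP_SAMPLE='# Nmap 7.94 scan initiated
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE         SERVICE  VERSION
22/tcp   closed        ssh
80/tcp   open          http     Apache httpd 2.4.29
443/tcp  open          ssl/http Apache httpd 2.4.29
8080/tcp open          http     Jetty 9.4.z-SNAPSHOT
5353/udp open|filtered zeroconf
| http-csrf: Couldn'"'"'t find any CSRF vulnerabilities.
|_
# Nmap done'

# Print one "port service" pair per line for TCP ports whose state is exactly
# "open". Anchoring on the port-line format skips "open|filtered" UDP lines and
# any NSE script text, which a plain "grep open" would also match.
open_tcp_ports() {
    # $1 is the nmap -oN file; reads stdin if no file is given
    grep -E '^[0-9]+/tcp[[:space:]]+open[[:space:]]' "${1:--}" \
        | awk '{ sub("/tcp", "", $1); print $1, $3 }'
}

# Count open TCP ports (the room question "How many ports are open? (TCP only)").
count_open_tcp_ports() {
    open_tcp_ports "$1" | wc -l | tr -d ' '
}

# Demo: write the constructed sample to a temp file and run both functions.
demo_open_ports() {
    tmp=$(mktemp)
    printf '%s\n' "$NMAP_SAMPLE" > "$tmp"
    open_tcp_ports "$tmp"
    count_open_tcp_ports "$tmp"
    rm -f "$tmp"
}

demo_open_ports
```

On the sample above `grep -c open` reports four lines while `count_open_tcp_ports` reports three, because the `5353/udp open|filtered` line is not a TCP port. Point the functions at your real `nmap-$rhost.out` to get the room answer.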

Most of us do code reviews on a daily basis, and some days we review more code than we write! Code reviewing is rarely taught, so most of us have our own method of giving reviews. What I have realised over time is that there is not just one type of review; there are three! Breaking code reviews down into three types has helped me give more focused reviews more efficiently. These are the three types:

  • Domain review
  • Style review
  • Performance review

You’ll notice that this mirrors the coding mentality of “make it work, make it beautiful, make it fast” and that makes sense; the review process should mirror the coding process. …


Have you ever read a piece of code and thought “I’m not reading code, I’m reading a story!”. Fluent code reads like prose; it tells a story of what the author is trying to achieve that reads like plain English. The code just flows; it takes next to no effort to read. Like beautiful prose, fluent code takes effort to create. When you read a piece of code that just reads itself, the author has taken that effort on your behalf to shape it.

I subscribe to the "make it work, make it beautiful, make it fast" mentality, and a component of beautiful code is its fluency. While writing and reviewing code, I often find myself using a few "style choices" to achieve readable code. However, the readability of a piece of code is subjective and more art than science, so your mileage may vary depending on your preferences and the conventions in your environment. …


Most software engineering features start with an effort estimate, either in terms of time, manpower, or story points. Much has been said about the provider of software estimates; how to give accurate estimates, how to gauge confidence level, and so on. However, this neglects to mention the other important party: the consumer of said estimates.

Typical estimate consumers are project managers, product managers, product owners, and engineering management. This group of people may not have the most context to size the effort required to complete a project, so they depend on the expertise of the estimate providers. Hence most estimate providers are the engineers who are going to work on the feature, or who have worked on similar features. …

A common approach to adopting Kotlin is to use it in existing projects either in new features or by gradually converting existing code from Java to Kotlin. In these scenarios it is very common for the newly written Kotlin code to interact with Java, which usually means having to handle Platform Types in Kotlin.

Platform Types are essentially types returned from Java interactions, and are denoted in IDE hints with !, e.g. String!. Since Java reference types carry no nullability information, the Kotlin compiler cannot make any null-safety guarantees for Platform Types and will relax nullability errors during compilation. …

Do you have scenarios where different handling needs to be done according to the status of a process? Something like:

data class Result(
    val isSuccess: Boolean,
    val value: String?,       // non-null when isSuccess is true
    val errorMessage: String? // non-null when isSuccess is false
)

private fun process(): Result {
    // The original body is elided ("do something and return a Result");
    // this stand-in simply returns a successful Result so the snippet compiles.
    return Result(isSuccess = true, value = "done", errorMessage = null)
}

fun main() {
    val result = process()
    val text: String = if (result.isSuccess) {
        result.value!!        // relies on the caller honouring the isSuccess contract
    } else {
        result.errorMessage!! // same contract, checked by hand every time
    }
    println(text)
}

This approach has several shortfalls:

  • The consumer of Result always has to remember to check the isSuccess attribute before handling it, otherwise it may access the wrong attribute. …
