You might want to reconsider all PT1 candidates.
Be cautious when hiring someone with a PT1 certification — odds are, they’ll upload
a .exe.pdf to your site without hesitation.
Big thanks to TryHackMe for shaping the next generation of junk pentester mindsets
— masters of the .exe.pdf craft!
Do you really think uploading a .exe.pdf makes you elite?
TryHackMe, what exactly are you teaching?
Congrats to all the certified .exe.pdf uploaders — you’ve officially earned your
bullshit pentester badge! 🎉
Web #1:
The first web application is vulnerable to Cross-Site Scripting (XSS) via the loan
comment field, where malicious input such as <img src=''
onerror=document.cookie="XSS=XSS"> can be injected and executed. Additionally, an
Insecure Direct Object Reference (IDOR) vulnerability exists in the vault
functionality, allowing unauthorized access to sensitive data. A business logic
flaw was also discovered that permits transactions with negative values, such as
setting the amount to -1, which can be exploited to manipulate account balances.
Web #2:
This application suffers from a similar business logic vulnerability that allows
transactions to be submitted with negative amounts, potentially enabling financial
exploitation. It is also affected by an IDOR issue involving credit card records,
where attackers can view or manipulate card details, including the active status.
Furthermore, a mass assignment vulnerability exists in the password change
functionality, where modifying the role parameter (e.g., role = 1) could escalate
privileges to an unauthorized level.
Web #3:
In this case, the application contains a business logic flaw that permits negative
transaction values, once again allowing potential abuse of account balances. It is
also vulnerable to XSS in the transaction comment field, where attackers can inject
payloads such as <img src='' onerror=document.cookie="XSS=XSS"> to execute
malicious scripts in users’ browsers.
Web #4:
The fourth application is impacted by a mass assignment vulnerability within the
password change mechanism, allowing role escalation by setting the role parameter
to 1. It also contains a persistent XSS issue in the loan comment field, where
malicious JavaScript can be injected to compromise user sessions or steal cookies.
Web #5:
This web application is vulnerable to an IDOR issue concerning credit card data,
including the ability to access and potentially activate or deactivate cards. A
persistent XSS flaw also exists in the loan comment field. Additionally, a race
condition vulnerability was identified in the loan request feature, which can be
exploited to bypass loan limits by rapidly submitting multiple requests
concurrently.
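The negative-amount, mass-assignment and loan-limit race findings in Web #1 to #5 share one root cause: the server binds whatever the client sends and checks limits in a separate step from the write. As an added example that is not code from TryHackMe or the exam applications, here is a minimal server-side model in Python over a constructed SQLite schema; the table layout, `request_loan` and `change_password` are assumptions, and the clear-text password column is only a stand-in to keep the example short.

```python
import sqlite3

# Only these form fields may reach the password-change handler; a smuggled
# role=1 is dropped before it can be bound to the account row.
ALLOWED_PASSWORD_FIELDS = {"old_password", "new_password"}


def open_bank() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the exam apps' account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, loaned INTEGER, "
                 "loan_limit INTEGER, role INTEGER, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, 0, 500, 0, 'old')")  # constructed row
    conn.commit()
    return conn


def request_loan(conn: sqlite3.Connection, user_id: int, amount) -> bool:
    """Grant a loan only if the amount is a positive integer and the ceiling holds.

    The limit check and the write are one conditional UPDATE, so two requests
    racing each other cannot both pass a check made before either has written.
    """
    if type(amount) is not int or amount <= 0:  # rejects -1, floats, strings, bools
        return False
    with conn:  # commits on success, rolls back on exception
        cur = conn.execute(
            "UPDATE accounts SET loaned = loaned + ? "
            "WHERE id = ? AND loaned + ? <= loan_limit",
            (amount, user_id, amount))
    return cur.rowcount == 1


def change_password(conn: sqlite3.Connection, user_id: int, form: dict) -> bool:
    """Copy only allow-listed fields from the form; everything else is ignored."""
    clean = {k: v for k, v in form.items() if k in ALLOWED_PASSWORD_FIELDS}
    if "new_password" not in clean:
        return False
    row = conn.execute("SELECT password FROM accounts WHERE id = ?", (user_id,)).fetchone()
    if row is None or row[0] != clean.get("old_password"):  # stand-in for a hash compare
        return False
    with conn:
        conn.execute("UPDATE accounts SET password = ? WHERE id = ?",
                     (clean["new_password"], user_id))
    return True


def account_state(conn: sqlite3.Connection, user_id: int):
    """(loaned, role, password) for assertions and inspection."""
    return conn.execute("SELECT loaned, role, password FROM accounts WHERE id = ?",
                        (user_id,)).fetchone()
```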
Network #1:
In this scenario, the attacker targets the PicShare application, exploiting a
poorly secured .aspx page to gain unauthorized access. Once inside, they take
advantage of the SeImpersonatePrivilege to escalate privileges by impersonating
higher-privileged tokens, leading to deeper access within the system.
Network #2:
The attacker compromises the D-Tale application by exploiting a known vulnerability
through Metasploit. This "stupid" vulnerability—likely due to poor input validation
—enables remote code execution. After initial access, they enumerate local
privileges using sudo -l, which reveals opportunities for privilege escalation
through misconfigured sudo permissions.
Network #3:
This attack involves the CV Manager platform, where a disguised malicious file
(e.g., .exe.pdf) is uploaded to bypass basic file validation mechanisms. Once
executed, the attacker sets up a scheduled task to maintain persistence or elevate
privileges on the compromised system.
Network #4:
An RCE vulnerability is exploited in the Composio platform, originating from a
publicly disclosed bug bounty CVE (https://huntr.com/bounties/7871956e-1928-4393-ae5b-2c9d3be0dd6b).
The attacker uses this flaw to execute arbitrary code remotely.
Privilege escalation is achieved through common and easily exploitable Linux
misconfigurations, typical of weak privilege separation.
Network #5:
The attacker uploads a web shell (shell.php) via a vulnerable file upload mechanism
on download.thm, gaining remote command execution. They then leverage a
misconfigured SUID binary to escalate privileges and gain root access on the target
system.
AD #1:
The attacker begins by targeting a Tomcat server running on port 8080. They locate
the Tomcat credentials and use them to access the Tomcat Manager interface. With
access granted, they upload a malicious WAR file generated using msfvenom to
establish a reverse shell connection. After gaining shell access, they exploit the
SeImpersonatePrivilege privilege and leverage GenericWrite permissions to escalate
their privileges within the environment. They identify a nested Domain Admin group
structure and use it to add the user svc.callback to the Tier 0 Admins group,
effectively gaining domain-level privileges. To facilitate further movement through
the network, they use Chisel for tunneling. Finally, they employ PsExec to move
laterally and gain access to the .10 domain controller host.
AD #2:
In this scenario, the attacker takes advantage of guest-level SMB access to
retrieve and extract sensitive ZIP file contents. They exploit the
SeBackupPrivilege to access restricted files and elevate privileges. Chisel is
again used to tunnel traffic, this time in conjunction with ProxyChains to route
through network obstacles. They conduct thorough domain enumeration using
BloodHound. The attacker then performs a Kerberoasting attack, requesting service
tickets and cracking the hashes offline to obtain credentials. With these
credentials, they escalate privileges using GenericAll rights over a key object,
and finally use RPC calls to add a user directly into the Domain Admins group,
completing the privilege escalation chain.
$FolderPath = "C:\xampp\htdocs\uploads"
$LogFile = "C:\xampp\binaries\log.txt"
$FileDictionary = @{}

# =============================
# Function: Execute File Based On Type
# =============================
function Execute-FileBasedOnType {
    param (
        [string]$filePath,
        [string]$type
    )
    try {
        switch ($type) {
            "exe" {
                # Define target folder
                $targetFolder = "C:\xampp\binaries"
                if (-not (Test-Path $targetFolder)) {
                    New-Item -Path $targetFolder -ItemType Directory | Out-Null
                }
                # Strip the last extension (e.g., .pdf) to get correct name
                # ("cv.exe.pdf" becomes "cv.exe")
                $cleanName = [System.IO.Path]::GetFileNameWithoutExtension($filePath)
                $targetPath = Join-Path $targetFolder $cleanName
                # Copy and rename the file
                Copy-Item -Path $filePath -Destination $targetPath -Force
                Write-Host "Copied and renamed file to: $targetPath"
                Write-Host "Executing binary: $targetPath"
                Start-Process -FilePath $targetPath
                return "Execution success (copied to safe path and ran: $targetPath)"
            }
            default {
                Write-Host "Unknown file type or unsafe to execute: $filePath"
                return "Unknown or unsupported file type"
            }
        }
    } catch {
        $errorMsg = "Error executing $type file: $($_.Exception.Message)"
        Write-Host $errorMsg
        return $errorMsg
    }
}

# =============================
# Function: Get Real Extension (supports double extension detection)
# =============================
function Get-RealExtension {
    param ($filename)
    $knownExtensions = @("exe")
    foreach ($ext in $knownExtensions) {
        # Matches ".exe" at the end of the name or followed by another
        # extension, so "cv.exe.pdf" is treated as an exe
        if ($filename -match "\.$ext(\.|$)") {
            return $ext
        }
    }
    return $null
}

# =============================
# Function: Log Activity
# =============================
function Log-Activity {
    param (
        [string]$fileName,
        [string]$filePath,
        [string]$action,
        [string]$status
    )
    $logLine = "$(Get-Date -Format "yyyy-MM-dd HH:mm:ss") | $action | $fileName | $status"
    Add-Content -Path $LogFile -Value $logLine
}

# =============================
# Initialize Dictionary
# =============================
$Files = Get-ChildItem -Path $FolderPath
foreach ($file in $Files) {
    $FileDictionary[$file.Name] = $file.LastWriteTime
}

# =============================
# Main Watcher Loop
# =============================
while ($true) {
    Start-Sleep -Seconds 1
    $Files = Get-ChildItem -Path $FolderPath
    foreach ($file in $Files) {
        $fileName = $file.Name
        $filePath = Join-Path $FolderPath $fileName
        if ($FileDictionary.ContainsKey($fileName)) {
            if ($file.LastWriteTime -ne $FileDictionary[$fileName]) {
                Write-Host "File $fileName has been modified."
                $FileDictionary[$fileName] = $file.LastWriteTime
                $realExt = Get-RealExtension $fileName
                if ($realExt) {
                    $result = Execute-FileBasedOnType $filePath $realExt
                    Log-Activity -fileName $fileName -filePath $filePath -action "MODIFIED" -status $result
                }
            }
        } else {
            Write-Host "File $fileName has been added."
            $FileDictionary[$fileName] = $file.LastWriteTime
            $realExt = Get-RealExtension $fileName
            if ($realExt) {
                $result = Execute-FileBasedOnType $filePath $realExt
                Log-Activity -fileName $fileName -filePath $filePath -action "ADDED" -status $result
            }
        }
    }

    # =============================
    # Check for deleted files
    # =============================
    $deletedFiles = @()
    foreach ($fileName in $FileDictionary.Keys) {
        if (-not (Test-Path -Path (Join-Path $FolderPath $fileName))) {
            Write-Host "File $fileName has been deleted."
            $deletedFiles += $fileName
            Log-Activity -fileName $fileName -filePath "" -action "DELETED" -status "File was removed"
        }
    }
    # Remove outside the enumeration loop so the hashtable is not changed while iterated
    foreach ($deletedFile in $deletedFiles) {
        $FileDictionary.Remove($deletedFile)
    }
}
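The watcher above runs anything in the upload folder whose name contains ".exe", and the .exe.pdf upload in Network #3 and the shell.php upload in Network #5 both rely on a check that looks only at the file name. As an added example, not code from the leak, from TryHackMe or from the exam applications, here is how a CV upload handler can validate every extension component and the file's magic bytes, then store the file under a random name in a directory the web server neither serves nor executes from; `inspect_upload`, `save_upload` and the two policy tables are assumptions.

```python
import os
import secrets

# Constructed policy for a CV form: only PDF, recognised by its magic bytes.
ALLOWED_TYPES = {"pdf": b"%PDF-"}
# Components that may never appear anywhere in the name, so cv.exe.pdf or
# shell.php.pdf cannot pass a check that only looks at the last extension.
FORBIDDEN_COMPONENTS = {"exe", "dll", "ps1", "bat", "cmd", "php", "phtml",
                        "asp", "aspx", "jsp", "js"}


def inspect_upload(client_name: str, data: bytes):
    """Decide whether an upload is acceptable.

    Returns (ok, reason, stored_name). The client-supplied name is used only
    to read the declared type; the stored name is random, so nothing the
    client controls reaches the file system.
    """
    base = os.path.basename(client_name.replace("\\", "/")).strip().lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension", None
    components = parts[1:]
    if any(not c or c in FORBIDDEN_COMPONENTS for c in components):
        return False, "forbidden extension component", None
    ext = components[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed", None
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def save_upload(store_dir: str, client_name: str, data: bytes):
    """Write an accepted upload under its random name into store_dir (which must
    lie outside the web root); returns the path, or None when rejected."""
    ok, _, stored_name = inspect_upload(client_name, data)
    if not ok:
        return None
    path = os.path.join(store_dir, stored_name)
    with open(path, "xb") as fh:  # 'x': never overwrite an existing file
        fh.write(data)
    return path
```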