Preparing for the TryHackMe Junior Penetration Tester (PT1) exam. Detailed writeups for each room completed as part of the certification journey.
Authentication enumeration, verbose errors, reset token weaknesses, basic auth brute force, and passive discovery with archived URLs and Google dorks.
Session lifecycle, IAAA, cookie versus token sessions, fixation, expiry, termination, and how to map session behavior during testing.
JWT structure, sensitive claim disclosure, missing signature verification, weak secrets, algorithm confusion, expiry, and audience abuse.
OAuth roles, grant types, redirect URI abuse, weak state handling, implicit flow risks, token theft, and OAuth 2.1 improvements.
MFA factor types, OTP leakage, missing rate limiting, session-state logic flaws, brute-force automation, and phishing-based bypasses.
Precise sqlmap usage for GET and POST targets, parameter scoping, database enumeration, and controlled automation workflow.
Second-order SQL injection, stored payload execution, filter evasion, character encoding, no-quote injection, and whitespace bypass techniques.
MongoDB document queries, operator injection, auth bypass with $ne and $nin, regex extraction, and syntax injection.
XML structure, DTDs, entity expansion, in-band and out-of-band XXE, XXE-driven SSRF, and parser hardening.
SSTI basics, engine fingerprinting, Smarty, Pug, and Jinja2 exploitation patterns, plus SSTImap and mitigation guidance.
LDAP directory basics, filter syntax, wildcard and tautology-based auth bypass, blind LDAP extraction, and mitigation guidance.
Serialisation basics, cookie tampering, PHP object injection, magic methods, Python pickle risk, and mitigation guidance.
Local and internal server targeting, blind SSRF, out-of-band confirmation, time-based behavior, and denial-of-service impact.
LFI and RFI basics, traversal bypasses, PHP wrappers, session file inclusion, log poisoning, and escalation to RCE.
Processes and threads, TOCTOU bugs, shared-state business logic abuse, concurrent requests, and mitigation patterns.
JavaScript prototype chain abuse, dangerous keys, path-based setters, recursive merge bugs, DoS impact, and GitHub tooling references.
Reflected, stored, and DOM-based XSS, Same-Origin Policy impact, browser-side payload basics, and safe output encoding.
Classic and asynchronous CSRF, token defenses, double-submit cookie weaknesses, SameSite behavior, and common bypass conditions.
DOM fundamentals, SPA security boundaries, source-and-sink analysis, DOM open redirect, and DOM XSS weaponisation.
Same-origin rules, CORS headers, simple vs preflight requests, credential exposure, and common misconfigurations.
Request desynchronization, Content-Length vs Transfer-Encoding mismatches, CL.TE, TE.CL, TE.TE, and mitigation.
HTTP/2 downgrade desync, H2.CL, H2.TE, CRLF injection, request tunneling, h2c smuggling, and key research links.
WebSocket upgrade abuse, broken proxy tunnels, invalid version tricks, SSRF-assisted fake 101 responses, and frontend bypasses.
Keep-alive queue poisoning, client-side desync, poisoned follow-up requests, XSS chaining, and the Werkzeug CVE case.
Comprehensive introduction to penetration testing concepts, methodologies, ethics, and practical application. Essential foundation for PT1 certification.
Fundamental security principles including CIA triad, privilege management, security models, threat modeling, and incident response. Core knowledge for pentesting.
Systematic web application exploration techniques including source code analysis, developer tools usage, and network monitoring for security assessment.
Techniques for discovering hidden content, directories, and files on web applications including manual methods, OSINT, and automated tools.
Expand attack surface by discovering subdomains using OSINT (CT logs, search engines), DNS bruteforce, and virtual host discovery via Host header fuzzing.
Practical auth testing: username enumeration, brute force with ffuf, logic flaws, password reset abuse, and cookie tampering.
Access control testing: spot IDORs in query/path/API calls, test predictable IDs (base64/hash), and use two-account swaps for random IDs.
Exploit LFI/RFI and directory traversal: ../ payloads, common file targets, filter bypass patterns, and report-ready remediation.
SSRF fundamentals: entry points, regular vs blind SSRF, common impacts, and bypassing deny/allow lists (DNS tricks, open redirects, path normalization).
XSS fundamentals: reflected/stored/DOM/blind XSS, payload intentions, escaping contexts, filter bypass tricks, and a blind-XSS callback lab.
TOCTOU and concurrency bugs: double-spend, duplicate coupons, and inconsistent state. Test with parallel requests in Burp Repeater.
Command Injection (RCE) basics: detect blind vs verbose execution, use safe payloads for Linux/Windows, and understand core remediation patterns.
SQLi essentials: identify error/union/boolean/time-based injection, confirm impact with minimal proof, and report proper remediation (prepared statements + least privilege).
Burp Suite fundamentals: proxy setup, Repeater workflow, scoping, site mapping, HTTPS interception, and bypassing client-side validation.
Manual request testing with Repeater: edit and resend requests, inspect responses, use Inspector, and test validation flaws and SQLi incrementally.
Intruder fundamentals: positions, payload sets, attack types, credential stuffing, ID fuzzing, and macro handling for rotating tokens.
Supporting Burp tools: Decoder, Comparer, Sequencer, and Organizer for data transformation, response diffing, token analysis, and workflow tracking.
Burp extension basics: managing add-ons, using the BApp Store, enabling Jython for Python modules, and understanding the Extender API.
Passive recon fundamentals: WHOIS, DNS lookups with nslookup and dig, subdomain discovery with DNSDumpster, and exposure profiling with Shodan.
Active recon essentials: browser DevTools, ping, traceroute, telnet, and netcat for reachability checks, path mapping, and banner grabbing.
Nmap host discovery: ARP, ICMP, TCP SYN/ACK, and UDP ping techniques for identifying live systems before port scanning.
Nmap port scanning basics: TCP connect, TCP SYN, and UDP scans, plus scope, timing, rate, and parallelism controls.
Advanced Nmap scans: Null, FIN, Xmas, ACK, Window, custom flags, decoys, fragmentation, and idle/zombie scanning.
Post-scan enrichment with Nmap: service/version detection, OS guessing, traceroute, NSE scripts, and proper output saving.
Common cleartext protocols and services: Telnet, HTTP, FTP, SMTP, POP3, and IMAP, with their default ports and basic workflow.
Protocol attacks and mitigations: sniffing, MITM, TLS, SSH, password attacks, and Hydra basics.
Vulnerability fundamentals: common categories, CVSS vs VPR, NVD, Exploit-DB, and using version disclosure to find real exploits.
Automated vs manual exploit research, Rapid7, GitHub, Searchsploit, and a practical remote code execution workflow.
Metasploit Framework basics, core module categories, payload types, and how to work inside msfconsole.
Scanning, workspaces, the Metasploit database, service-specific modules, and the basic exploitation workflow.
How Meterpreter works, payload flavors, process context, and the core post-exploitation commands you actually use.
Reverse and bind shells, Netcat and Socat basics, shell stabilization, and encrypted shell handling.
Linux local enumeration, sudo and SUID checks, network visibility, useful find patterns, and kernel exploit basics.
Credential harvesting, scheduled tasks, AlwaysInstallElevated, weak service permissions, and unquoted service paths.
Unauthenticated Active Directory host discovery, DC identification, SMB share enumeration, and anonymous LDAP checks.
Authenticated AD enumeration with runas, MMC/RSAT, net commands, PowerShell, and BloodHound.
Initial AD credential access through NTLM services, password spraying, LDAP bind credentials, and LDAP pass-back attacks.
Moving through the network with PsExec, WinRM, services, scheduled tasks, WMI, and pivot hosts.
Credential access from files, registry, SAM, LSASS memory, password stores, and related AD sources.
Authenticated AD recon with AS-REP Roasting, native Windows commands, PowerShell modules, PowerView, and BloodHound.
Professional reporting structure, audience-aware summaries, precise finding write-ups, remediation guidance, and QA.
These challenge rooms are the hands-on follow-up to the completed PT1 learning path above. They are here to validate methodology under more practical, mixed-scenario conditions.
Deploy & hack into a Windows machine, leveraging common misconfiguration issues.
Practice the skills you have learned in the Network Security module.
A Rick and Morty CTF. Help turn Rick back into a human!
This challenge simulates a cyber-attack scenario where you must exploit an Active Directory environment.
This challenge simulates a real cyber-attack scenario where you must exploit an Active Directory environment.
Some mistakes can be costly.
Demonstrate your web application testing skills and the basics of Linux to escalate your privileges.
Are you able to make your way through the mountain?
Use your evasion skills to pwn a Windows target with an updated defence mechanism.
Can you breach the server?
You’ve been asked to run a vulnerability test on a production environment.
You’ve been asked to exploit all the vulnerabilities present.
Use your exploitation skills to bypass authentication mechanisms on a website and get RCE.
Use your injection skills to take control of a web app.
Use your server exploitation skills to take control of a web app.
Utilise your client-side exploitation skills to take control of a web app.
Can you help capture El Bandito before he leaves the galaxy?