Writeups for TryHackMe rooms. Emphasis on methodology, realistic attack chains, and understanding the why behind each step — not just dumping commands. Written as personal reference between professional engagements.
Each writeup covers: enumeration → initial access → privilege escalation, with an ASCII attack chain diagram, key takeaways, tools used, and captured flags.
| Room | Difficulty | OS | Key Techniques |
|---|---|---|---|
| All in One | Easy | Linux | Vigenère cipher decode, WordPress theme editor RCE, malicious plugin upload, cron world-writable script hijack, /etc/passwd backdoor, sudo socat, LXD group abuse |
| Archangel | Easy | Linux | Vhost discovery via email leak, LFI filter bypass, PHP filter chain RCE, cron world-writable script, PATH hijacking SUID binary |
| Blueprint | Easy | Windows | Unpatched service exploit, hash dump, pass-the-hash |
| The Cheese Shop | Easy | Linux | SQLi OR filter bypass, LFI via php://filter, PHP filter chain RCE, SUID xxd privesc |
| Chill Hack | Easy | Linux | Command injection + blacklist bypass, steganography, Docker group abuse |
| ColddBox: Easy | Easy | Linux | WPScan, reversePress, lxd privesc |
| Creative | Easy | Linux | SSRF, path traversal, SSH key abuse |
| CyberLens | Easy | Windows | Apache Tika RCE, AlwaysInstallElevated |
| Dav | Easy | Linux | WebDAV default credentials, PHP shell upload via PUT, sudo cat arbitrary read |
| Gaming Server | Easy | Linux | LFI, SSH key leak, lxd privesc |
| IDE | Easy | Linux | Anonymous FTP, Codiad 2.8.4 RCE (CVE-2018-14009), writable systemd service |
| Jack-of-all-trades | Easy | Linux | Swapped ports, multi-layer encoding, steganography, SUID strings arbitrary file read |
| Lazy Admin | Easy | Linux | SweetRice CMS exploit, sudo backup script abuse |
| Magician | Medium | Linux | ImageTragick CVE-2016-3714 RCE, curl file:// SSRF exfil, SSRF to local Flask oracle, CVE-2021-3493 OverlayFS LPE |
| Lian Yu | Easy | Linux | FTP enumeration, steganography, sudo pkexec |
| mKingdom | Easy | Linux | Concrete5 default creds, PHP webshell, /etc/hosts poison, cron HTTP hijack |
| Mustacchio | Easy | Linux | XXE injection, SSH key crack, sudo path hijack |
| Overpass 3: Hosting | Medium | Linux | GPG credential leak, FTP webroot upload, NFS no_root_squash |
| Pyrat | Easy | Linux | Python eval RCE, git history credential leak |
| Publisher | Easy | Linux | SPIP CVE-2023-27372 RCE, SSH key leak, AppArmor bypass via at |
| RootMe | Easy | Linux | File upload bypass, SUID Python privesc |
| Service | Easy | Linux | Docker abuse, service misconfiguration |
| Soupedecode | Medium | Windows | Guest SMB RID cycling, username=password spray, Kerberoasting, machine account Pass-the-Hash |
| Silver Platter | Easy | Linux | Silverpeas CVE, lateral movement, sudoers misconfiguration |
| Source | Easy | Linux | Webmin CVE-2019-15107 pre-auth RCE |
| Thompson | Easy | Linux | Tomcat Manager default creds, WAR upload, cron script poisoning |
| Tomghost | Easy | Linux | Ghostcat (CVE-2020-1938), GPG key crack, zip2john |
| U.A. High School | Easy | Linux | PHP RCE, base64 credential leak, sudo env abuse |
| VulnNet: Internal | Easy | Linux | Redis RCE, SMB enumeration, TeamCity privesc |
| VulnNet: Node | Easy | Linux | node-serialize deserialization RCE, npm sudo abuse, writable systemd service |
| VulnNet: Roasted | Easy | Windows | AS-REP roasting, Kerberoasting, DCSync |
| VulnNet Entertainment | Medium | Linux | JS bundle subdomain leak, LFI via php://filter, ClipBucket 4.0 file upload RCE, SSH backup crack, tar wildcard injection |
| Wgel CTF | Easy | Linux | Exposed SSH key via web directory, sudo wget /etc/passwd overwrite |
| Whiterose | Easy | Linux | IDOR, EJS prototype pollution RCE (CVE-2022-29078), sudoedit bypass (CVE-2023-22809) |
The generic-agents/ folder is a plug-and-play multi-agent framework for TryHackMe and CTF engagements, built for Claude Code. Drop the folder into a working directory, open Claude Code, and the agents coordinate automatically — routing each task to the right specialist without you having to think about which one to call.
Every task goes through the Coordinator, which reads your input, classifies it, and invokes the right agent. You never call a sub-agent directly. Type an IP and it kicks off recon. Say "got a shell" and it asks Linux or Windows, then hands off to the right privesc agent. Say "writeup" and the whole publish pipeline runs end to end.
When HexStrike MCP is running locally (port 8888), the coordinator routes recon, web enumeration, privesc, cracking, web vulns, stego, and forensics through it — 150+ tools in one call. When it's not available, it falls back to the individual specialist agents automatically.
1. Copy the folder into your CTF working directory:

```bash
cp -r generic-agents/ ~/your-ctf-dir/
cd ~/your-ctf-dir/
```

2. Edit USER-CONFIG.md — this is the only file you need to change:

```
WRITEUP_REPO_URL: https://github.com/YOUR_GITHUB_USERNAME/THM-writeup
COMMANDS_RAW_URL: https://raw.githubusercontent.com/YOUR_GITHUB_USERNAME/THM-writeup/main/COMMANDS.md
SECLISTS_PATH: ~/SecLists
```

Replace YOUR_GITHUB_USERNAME with your GitHub username. Set SECLISTS_PATH to wherever SecLists is installed on your machine (e.g. /usr/share/seclists on Kali).

3. Create the wordlist symlinks (run once from your working directory):

```bash
ln -sf ~/SecLists/Discovery/DNS/ DNS
ln -sf ~/SecLists/Passwords/ Passwords
ln -sf ~/SecLists/Usernames/ Usernames
ln -sf ~/SecLists/Discovery/Web-Content/ Web-Content
ln -sf /etc/hosts hosts
```

4. Open Claude Code in that directory and start a session. The framework bootstraps itself on first run.
No writeup repo yet? Fork this repo to get a pre-built COMMANDS.md and writeup index to start from, then point USER-CONFIG.md at your fork.
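As an added example (not part of the generic-agents framework), the shell function below folds steps 2 and 3 into one checked operation: it reads SECLISTS_PATH from USER-CONFIG.md, refuses to run while the YOUR_GITHUB_USERNAME placeholder is still present, verifies that each SecLists subtree actually exists, and only then creates the symlinks. The function names setup_wordlists and config_value are assumptions, as is the KEY: value line format taken from the config shown above.

```shell
#!/bin/sh
# Added example, not part of generic-agents: validate USER-CONFIG.md and create
# the wordlist symlinks in one step. Function names are assumptions; the config
# is assumed to use the "KEY: value" line format shown above.

# Print the value of one "KEY: value" line from the config file.
config_value() {
    # $1 = config file, $2 = key name
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# setup_wordlists CONFIG_FILE WORKDIR
# Exit status: 0 links created, 1 placeholder still present, 2 SECLISTS_PATH unusable.
setup_wordlists() {
    cfg="$1"
    workdir="$2"

    # Step 2 says to replace the placeholder; refuse to continue until it is gone,
    # otherwise the writeup agent would later try to push to a repo that does not exist.
    if grep -q 'YOUR_GITHUB_USERNAME' "$cfg"; then
        echo "USER-CONFIG.md still contains YOUR_GITHUB_USERNAME" >&2
        return 1
    fi

    seclists=$(config_value "$cfg" SECLISTS_PATH)
    # The value comes from a file, so expand a leading ~ ourselves.
    case "$seclists" in "~"*) seclists="$HOME${seclists#\~}" ;; esac

    # Every subtree must exist before linking: a dangling symlink would only
    # surface later as an empty or failing ffuf run.
    for sub in Discovery/DNS Passwords Usernames Discovery/Web-Content; do
        if [ ! -d "$seclists/$sub" ]; then
            echo "missing $seclists/$sub (check SECLISTS_PATH)" >&2
            return 2
        fi
    done

    # Step 3 of the setup; -n keeps ln from descending into an existing link on re-runs.
    ln -sfn "$seclists/Discovery/DNS/" "$workdir/DNS"
    ln -sfn "$seclists/Passwords/" "$workdir/Passwords"
    ln -sfn "$seclists/Usernames/" "$workdir/Usernames"
    ln -sfn "$seclists/Discovery/Web-Content/" "$workdir/Web-Content"
    ln -sfn /etc/hosts "$workdir/hosts"
    return 0
}
```

Run it as `setup_wordlists ./USER-CONFIG.md .` from the working directory; a non-zero exit tells you which of the two setup mistakes to fix before opening Claude Code.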
| Agent | Trigger | What it does |
|---|---|---|
| Coordinator | Everything — entry point | Reads input, classifies the task, routes to the right agent. Never calls sub-agents directly. |
| HexStrike | IP, URL, hash, "shell", binary, OSINT (MCP up) | Primary agent when HexStrike MCP is running. Registered as a stdio MCP server (/usr/bin/hexstrike_mcp) — tools appear as mcp__hexstrike__*. Invokes 150+ tools: rustscan, nmap, feroxbuster, nuclei, linpeas/winpeas, hashcat, ghidra, volatility, shodan, and more. |
| Recon | IP or hostname (MCP down) | Full TCP connect scan + top 200 UDP ports via nmap. Outputs open ports and service versions. |
| ffuf | URL, web port discovered (MCP down) | Directory and file enumeration. Handles vhost fuzzing and extension sweeps. |
| Brainstorm | Recon dump, "stuck", "what next" | Reads box-state.md automatically for full session context, then reasons over findings and surfaces the most promising attack paths. Always available, runs after every recon. |
| LinPrivesc | "shell" + Linux (MCP down) | Runs the full Linux privesc checklist: sudo, SUID, cron, writable paths, capabilities, services. |
| WinPrivesc | "shell" + Windows (MCP down) | Windows privesc: token abuse, unquoted paths, AlwaysInstallElevated, scheduled tasks, credential hunting. |
| Payload | LHOST + LPORT, "reverse shell", "web shell" | Generates reverse shells, web shells, and msfvenom payloads. Always available — HexStrike doesn't do this. |
| Cracking | Hash, "crack", credential file (MCP down) | Identifies hash type, picks the right hashcat mode or john rule, handles SSH/zip/KeePass extraction. |
| Exploit Scripting | CVE ID, "write an exploit" | Writes Python 3 exploit scripts from a CVE or vuln description. Always available. |
| OWASP Top 10 | "OWASP", XSS/SSRF/IDOR/injection (MCP down or chained) | Full OWASP Top 10:2025 analysis and exploitation. Also chains after HexStrike for deep manual bypass logic. |
| GTFOBins | Binary name + privesc context | Looks up shell escapes, file read/write, SUID, sudo, and capability abuse for any Unix binary. Always available. |
| SearchSploit | Service + version, "find exploit" | Searches Exploit-DB, evaluates matches, adapts the exploit to the target. Always available. |
| CTF Commands | "how do I", "command for", technique name | Fetches the live COMMANDS.md from your repo on every call and returns exact, context-filled commands ready to run. |
| THM Writeup | "writeup", box completion | Generates the full writeup, runs a standards compliance check, audits COMMANDS.md, updates the repo index, and pushes everything in one commit. Supports dual-path writeups — prompts before writing whether the box was solved via Human+AI Assisted path, a fully Autonomous AI path, or both, and structures the writeup accordingly. |
Each room lives in its own folder with a README.md writeup following a consistent format:
```
THM-writeup/
├── <room>/
│   └── README.md          ← full writeup
├── Exploit-Scripts/
│   └── ...                ← exploit scripts written during engagements
├── Powershell-Scripts/
│   └── ...                ← PowerShell utility scripts
├── generic-agents/
│   └── ...                ← reusable Claude agent definitions (open for anyone to use)
├── COMMANDS.md            ← personal command cheatsheet
└── README.md              ← this file
```
Every writeup follows the same skeleton:
- Enumeration — port scan (TCP + UDP), directory/vhost bruteforce, service fingerprinting
- Initial Access — exploitation with full request/response context where relevant
- Privilege Escalation — from foothold to root, with sudo/SUID/capability checks documented
- Attack Chain — ASCII diagram of the full kill chain
- Key Takeaways — what the box teaches, why it matters in real engagements
- MITRE ATT&CK Mapping — techniques mapped to ATT&CK tactics and IDs
- Tools Used — table of every tool used during the engagement
- Flags — captured flag values
Commonly used commands across recon, enumeration, exploitation, and post-exploitation are documented in COMMANDS.md. It covers nmap, ffuf, wpscan, cadaver, sqlmap, LFI via php://filter and PHP filter chain RCE, SMB/NFS/Redis enumeration, Tomcat WAR deployment, GPG decryption, hash cracking (MD5 through Kerberoasting), steganography, shell stabilisation, and Linux/Windows privilege escalation.
All activity documented here was conducted exclusively within TryHackMe's isolated lab environments. These writeups are intended for educational purposes and personal reference.