Summer Bootcamp by HackOps

I am Pravallika Susarla studying cybersecurity at GITAM university. I have joined the summer bootcamp conducted by HackOPs club. It was really fun doing the tasks in Try Hack Me. The tasks were really engaging, they give the information and asks us to answer the questions from the information. The HackOps classes really helped in solving the tasks. I wrote the final exam today(20-07-2025) I did the THM CTF EVENT which includes the tasks:

1. Overpass 3- Hosting

2. WhyHackMe

3. CyberHeroes

4. Robots

5. New York Flankees

6. Internal

7. The Impossible Challenge

8. Recovery

9. Watcher

10. Zeno

Now I will go step by step on what I learnt through these tasks.

1. Overpass 3- Hosting:

   • Focus: Linux/FTP/NFS exploitation

   • What I did: Enumerated FTP, found backup credentials → gained shell. Explored NFS share, then used root-squashing misconfiguration to escalate .

   • Takeaways: Always check for backup files and poorly mounted shares. A small misconfig can mean root access

2. WhyHackMe:

   • Focus: Web/XSS & privilege escalation

   • What I did: Used RustScan/Nmap to find services; found a blog with XSSable comment form; leveraged XSS → got web shell and grabbed flags .

   • Takeaways: Never trust inputs—comment fields can lead to full compromise!

3. CyberHeroes:

   • Focus: Simple login bypass

   • What I did: Scanned; dug through HTML/JS to reverse-engineer password; logged in and got flag .

   • Takeaways: Always look at front-end code—hidden credentials often lurk there!

4. Robots:

   • Focus: Web app enumeration & XSS → RFI → shell

   • What I did: Reviewed robots.txt for hidden paths; found login & registration forms, exploited XSS to leak cookies, then used RFI for shell .

   • Takeaways: Robots.txt can be gold. Multi-step web exploits teach you how vulnerabilities chain together!

5. New York Flankees:

   • Focus: Padding Oracle & container escape

   • What I did: Discovered debug endpoint with encrypted token, used Padding Oracle to decrypt, executed commands, ultimately escaped Docker container .

   • Takeaways: Dive into cryptography and container security—essential for modern web apps!

6. Internal:

   • Focus: Realistic pentest – WordPress + Jenkins + pivot

   • What I did: Identified WordPress RCE, pivoted via SSH into internal network, found Jenkins, exploited Docker container, climbed to host root

   • Takeaways: Real networks have pivot paths. Master SSH tunnels and service chaining!

7. The Impossible Challenge:

   • Focus: Realistic pentest – WordPress + Jenkins + pivot

   • What I did: Identified WordPress RCE, pivoted via SSH into internal network, found Jenkins, exploited Docker container, climbed to host root

   • Takeaways: Real networks have pivot paths. Master SSH tunnels and service chaining!

8. Recovery:

   • Focus: Forensics & remediation

   • What I did: Investigated a damaged web server binary (fixutil), removed backdoor accounts, restored ssh and removed malicious files .

   • Takeaways: Forensic analysis is key—look for new users, binaries, and config changes after an incident.

9. Watcher:

   Likely a web‑based forensics or log challenge. These teach analysis of visitor behavior, suspicious uploads, or API misuse—great for honing investigative skills.

10. Zeno:

    Could involve drone/IoT security, API exploitation, or automation. These rooms are terrific for students to learn modern attack surfaces.

    Conclusion:

    This tasks helped me in understanding Web Enumeration, Exploitation, Security, Forensics.

    This was really fun and helpful!!