TryHackMe Hackfinity Battle Encore Walkthrough
Overview of Hackfinity Battle CTF
The walkthrough begins with a warm greeting and a heads-up about the video’s two-hour runtime. The creator sets the tone for an immersive ethical hacking experience. The TryHackMe Hackfinity Battle is presented as a well-rounded CTF with categories including forensics, cryptography, reversing, game hacking, and blockchain exploitation.
Real-World Image Forensics
We are tasked with identifying a location from a street photo. The walkthrough demonstrates practical analysis techniques: identifying textual clues on walls, tracing them via Google, and matching them to venues like burger restaurants nearby. It teaches geographic inference using visual evidence and online tools.
Decrypting Pigpen Cipher in CCTV Image
A cryptic message is hidden in a CCTV image using Pigpen Cipher. Using online tools, the speaker translates symbols to plain text (e.g., “meet at THM tori portal”). This segment bridges steganography and classic pen-and-paper ciphers, emphasizing creativity in uncovering covert messages.
RSA Debugging Exploit to Recover Private Key
Debugging data left on an infected machine helps recover RSA private keys using mathematical scripts (e.g., ChatGPT-generated Python). The process includes retrieving n and e, calculating p, q, and d, and decrypting the stolen files, offering a real-world look at exploiting poor cryptographic hygiene.
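As an added illustration (this is not the script from the video): once one factor of n is known, the rest of the private key follows from textbook arithmetic. The toy modulus, the trial-division factoring step and the message below are all constructed assumptions; a real modulus is thousands of bits and would never fall to trial division, which is exactly why the challenge is a lesson about weak moduli.

```python
# Added example, not from the walkthrough: recovering an RSA private key once
# one factor of the modulus is known, then decrypting with it. All numbers
# below are constructed toy values; real moduli are thousands of bits long.
from math import gcd, isqrt


def trial_factor(n):
    """Factor a *toy* modulus by trial division. Only feasible for tiny n;
    it stands in for however p was actually recovered from the debug data."""
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no odd factor found (n may be prime or even)")


def recover_private_exponent(n, e, p):
    """Given n = p*q, public exponent e and one factor p, return (q, d)."""
    if n % p != 0:
        raise ValueError("p does not divide n")
    q = n // p
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(n); key is malformed")
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return q, d


def rsa_encrypt(message: bytes, e, n) -> int:
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_decrypt(ciphertext: int, d, n) -> bytes:
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed public key: p = 10007 and q = 10009 are both prime.
N = 10007 * 10009          # 100160063
E = 65537


def demo():
    """Factor the toy modulus, rebuild d, and round-trip a short message."""
    p, q = trial_factor(N)
    q_check, d = recover_private_exponent(N, E, p)
    assert q == q_check
    c = rsa_encrypt(b"THM", E, N)
    return rsa_decrypt(c, d, N), d, p, q
```

The only line that matters for the "don't leak your modulus" lesson is pow(e, -1, phi): anyone who can factor n can compute it, so protecting the private key reduces to keeping n unfactorable.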
Exploiting Web App with Insecure Direct Object Reference (IDOR)
Web challenges test parameter tampering. Using simple URL manipulation (note_id=1,2,3,...) without any sophisticated tools, the speaker reveals hidden notes and flags. It highlights how a simple logic flaw can lead to a major data leak in real-world web applications.
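To show the flaw and its fix side by side, here is an added example (not code from the challenge): a note lookup that trusts the id from the URL, next to one that checks ownership. The users, notes and ids are constructed.

```python
# Added example, not from the walkthrough: the note-lookup pattern behind an
# IDOR, shown as a vulnerable handler beside an authorization-checked one.
# The store, users and note ids are constructed; no web framework is needed.
from dataclasses import dataclass


@dataclass
class Note:
    note_id: int
    owner: str
    body: str


# Constructed data: sequential ids make every other user's note guessable.
NOTES = {
    1: Note(1, "alice", "alice's shopping list"),
    2: Note(2, "bob", "bob's private diary"),
    3: Note(3, "carol", "carol's flag-looking secret"),
}


def get_note_vulnerable(note_id: int) -> str:
    """Trusts note_id from the URL and never asks who is asking."""
    return NOTES[note_id].body


def get_note_hardened(requesting_user: str, note_id: int) -> str:
    """Looks the note up, then checks that the caller owns it.
    Returning the same error for 'missing' and 'not yours' avoids letting
    a caller enumerate which ids exist."""
    note = NOTES.get(note_id)
    if note is None or note.owner != requesting_user:
        raise PermissionError("note not found")
    return note.body


def enumerate_as(user: str, id_range) -> dict:
    """What a user sees when they walk the id space against each handler."""
    leaked = {i: get_note_vulnerable(i) for i in id_range if i in NOTES}
    allowed = {}
    for i in id_range:
        try:
            allowed[i] = get_note_hardened(user, i)
        except PermissionError:
            pass
    return {"vulnerable": leaked, "hardened": allowed}
```

Random, unguessable ids would slow the walk down, but they are not the fix: the server must tie every object to the authenticated caller, as get_note_hardened does.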
Command Injection and Netcat Listener
We test for command injection in the recipient input field. When direct output fails, a blind injection with Netcat (e.g., piping the output of whoami to a listener on port 4545) confirms server-side code execution. The technique mirrors real-world pen-testing workflows against black-box systems.
Creating a Malicious Word Document for Social Engineering
Using Metasploit, the speaker crafts a macro-enabled Word document to send from one compromised email to another target (Cipher). This demonstrates the power of phishing in compromising systems through trust exploitation, emphasizing payload stealth and listener setup.
Blockchain Smart Contract Takeover and Treasury Drain
Ethereum contracts are manipulated using cast commands. By calling changeOwnership(), which performs no access check, and then withdraw(), the player transfers 200 ETH to their wallet. It illustrates flawed contract design and the critical need for secure smart contract development.
Godot Game File Reversing for Hidden Flags
Game reverse engineering involves extracting Godot project files, locating score thresholds, and lowering them to reveal hidden content. By editing .gd files and rerunning the game, flags appear with minimal interaction, showing how games can hide secrets in logic or interface triggers.
AI Prompt Injection – Fooling the Assistant
Challenges with “Evil GPT” bots demonstrate social engineering of AI. By pretending to be an admin or a creator and avoiding trigger keywords like “flag,” the speaker bypasses filters to extract sensitive data. It’s a deep dive into adversarial prompting and natural language attacks on AI models.
Kernel Backdoor Analysis
In a forensic task, logs show suspicious kernel modules like spatch.ko linked to the attacker “Cipher.” By extracting hex-encoded secrets from these modules using strings and CyberChef, the flag is revealed, highlighting how even kernel-level threats leave trails if logging is thorough.
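The strings-then-decode step can be scripted so it runs over any module image offline. This added example (not from the walkthrough) reimplements the printable-run extraction of strings and the CyberChef “From Hex” step, keeping only hex runs that decode to readable text. The module image and the hidden value are constructed; the real spatch.ko is not reproduced here.

```python
# Added example, not from the walkthrough: the "strings + hex decode" step
# done in Python, so it can run over any binary blob (a .ko here) offline.
# The module image below is constructed; the hidden value is not a real flag.
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
HEX_RUN = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")


def extract_strings(blob: bytes) -> list:
    """Equivalent of `strings -n 4`: runs of 4+ printable ASCII bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def decode_hex_strings(strings) -> list:
    """Keep only strings that are pure hex and decode to printable ASCII,
    returning (encoded, decoded) pairs. This is the CyberChef 'From Hex' step."""
    found = []
    for s in strings:
        if not HEX_RUN.match(s):
            continue
        raw = bytes.fromhex(s)
        if all(0x20 <= b < 0x7F for b in raw):
            found.append((s, raw.decode("ascii")))
    return found


def hunt_module_secrets(blob: bytes) -> list:
    return decode_hex_strings(extract_strings(blob))


# Constructed stand-in for a kernel module image: an ELF-looking header,
# a module name, a hex-encoded secret and a decoy that is hex but not text.
SECRET = "hidden_module_string"
SAMPLE_KO = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"name=spatch\x00"
    + b"license=GPL\x00"
    + SECRET.encode().hex().encode() + b"\x00"
    + b"ff00ff00ff00ff00\x00"     # valid hex, decodes to non-printable bytes
    + b"\x00" * 16
)
```

The printable filter after decoding is what separates a planted message from ordinary binary data that happens to look like hex, which is the manual judgement CyberChef leaves to the analyst.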
Network Forensics with NFS and Wireshark
Through Wireshark, the speaker filters NFS packets, follows TCP streams, and identifies a ZIP archive (PK header). After cracking the MD5 password hash with CrackStation, they recover a hidden QR code flag, demonstrating end-to-end digital forensics from packet to payload.
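Carving the archive out of the reassembled stream by its PK signatures is routine enough to script. The added example below (not from the walkthrough) finds the first local file header and the end-of-central-directory record, slices the archive out, decodes the 30-byte local header by hand to read the filename and the encryption flag, and lists the entries with the standard library. The NFS-like noise and the “QR code” payload are constructed, and the sample archive is unencrypted; for a password-protected one the encrypted flag would read True and reading an entry would require the password.

```python
# Added example, not from the walkthrough: carving a ZIP archive out of a raw
# byte stream (what "Follow TCP Stream" on NFS traffic yields) by its PK
# signatures, then reading its local file header and entries.
# The stream and the "QR code" payload are constructed.
import io
import struct
import zipfile

LOCAL_FILE_SIG = b"PK\x03\x04"              # start of every entry
END_CENTRAL_SIG = b"PK\x05\x06"             # end-of-central-directory record
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte local header

SAMPLE_PAYLOAD = b"\x89PNG\r\n\x1a\nconstructed-qr-bytes"   # constructed


def carve_zip(stream: bytes):
    """Return (offset, archive_bytes) for the first ZIP in the stream, or None."""
    start = stream.find(LOCAL_FILE_SIG)
    end = stream.rfind(END_CENTRAL_SIG)
    if start < 0 or end < start:
        return None
    # EOCD is 22 fixed bytes; the comment length sits at offset 20.
    comment_len = struct.unpack_from("<H", stream, end + 20)[0]
    return start, stream[start:end + 22 + comment_len]


def parse_local_header(archive: bytes) -> dict:
    """Decode the first local file header by hand (the bytes Wireshark shows)."""
    (sig, version, flags, method, mtime, mdate,
     crc, csize, usize, name_len, extra_len) = LOCAL_HDR.unpack_from(archive, 0)
    if sig != LOCAL_FILE_SIG:
        raise ValueError("not a local file header")
    name = archive[LOCAL_HDR.size:LOCAL_HDR.size + name_len].decode()
    return {
        "name": name,
        "encrypted": bool(flags & 0x1),    # bit 0 = traditional PKZIP encryption
        "method": method,                  # 0 = stored, 8 = deflate
        "compressed_size": csize,
        "uncompressed_size": usize,
        "crc32": crc,
    }


def list_entries(archive: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1))
                for i in zf.infolist()]


def read_entry(archive: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def build_sample_stream() -> bytes:
    """Constructed: NFS-like noise, then an archive holding a fake PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("qr.png", SAMPLE_PAYLOAD)
    return b"NFS READ reply " * 4 + buf.getvalue() + b"\x00" * 8
```

The encrypted bit in the local header is the first thing to check after carving: it tells you whether the next step is extraction or a password audit.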
SQL Injection via Blind Boolean-Based Attacks
The SQLi challenge involves analyzing thousands of crafted requests with blind payloads and timing/differential responses. A Python script parses requests and correlates successful ones to uncover the correct values—modeling realistic slow, meticulous, but effective attack strategies.
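The correlation script the challenge calls for is essentially incident-response work: given a capture of the requests and the size of each response, recover what the blind injection extracted. The added example below (not the video's script) parses a constructed proxy log, groups the boolean probes by character position, treats the response size that differs from the others at that position as the TRUE branch, and reassembles the leaked value. The log format, the probe syntax and the secret are constructed assumptions.

```python
# Added example, not from the walkthrough: reconstructing what a blind
# boolean-based SQL injection extracted, from a capture of the requests and
# the size of each response. The log lines are constructed.
import re
from collections import Counter, defaultdict

# Constructed proxy log: "<time> <method> <path-with-query> <status> <bytes>".
# One character position is tested per request; the response whose size
# differs from the others at that position is the TRUE branch.
CAPTURED_LOG = """\
2025-01-01T10:00:00 GET /notes?id=1 200 1034
2025-01-01T10:00:01 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),1,1)='r'-- - 200 1034
2025-01-01T10:00:02 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),1,1)='s'-- - 200 1187
2025-01-01T10:00:03 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),1,1)='t'-- - 200 1034
2025-01-01T10:00:04 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),2,1)='2'-- - 200 1034
2025-01-01T10:00:05 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),2,1)='3'-- - 200 1187
2025-01-01T10:00:06 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),2,1)='4'-- - 200 1034
2025-01-01T10:00:07 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),3,1)='b'-- - 200 1034
2025-01-01T10:00:08 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),3,1)='c'-- - 200 1187
2025-01-01T10:00:09 GET /notes?id=1' AND SUBSTRING((SELECT pass FROM users WHERE id=1),3,1)='d'-- - 200 1034
"""

LINE_RE = re.compile(r"^\S+ (\S+) (\S.*?) (\d{3}) (\d+)$")
PROBE_RE = re.compile(r"SUBSTRING\(\((.+?)\),(\d+),1\)='(.)'", re.IGNORECASE)


def parse_probes(log: str) -> list:
    """Keep only requests that carry a per-character boolean probe."""
    probes = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        method, path, status, size = m.groups()
        p = PROBE_RE.search(path)
        if p:
            target, pos, ch = p.groups()
            probes.append({"target": target, "pos": int(pos),
                           "char": ch, "size": int(size)})
    return probes


def reconstruct(log: str) -> dict:
    """At each position the least common response size is the TRUE branch;
    the character tested in that request is the leaked one."""
    by_pos = defaultdict(list)
    targets = set()
    for pr in parse_probes(log):
        by_pos[pr["pos"]].append(pr)
        targets.add(pr["target"])
    leaked = {}
    for pos, probes in by_pos.items():
        sizes = Counter(p["size"] for p in probes)
        if len(sizes) < 2:
            continue          # no differential response at this position
        true_size = min(sizes, key=sizes.get)
        leaked[pos] = next(p["char"] for p in probes if p["size"] == true_size)
    secret = "".join(leaked[i] for i in sorted(leaked))
    return {"targets": sorted(targets), "positions": len(by_pos), "secret": secret}
```

The same grouping works for time-based probes if the last column is response time instead of size; what the responder needs in either case is that the proxy logged a per-request measurement.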
TryHackMe Hackfinity Battle Encore Answers
Catch Me if You Can
THM{coringa_do_beco}
Catch Me if You Can 3
THM{83_galvao_bueno}
Notepad Online
THM{i_can_see_your_notes}
Dark Encryptor
THM{pgp_cant_stop_me}
Dark Encryptor2
THM{going_in_bl1nd_2394}
Order
THM{the_hackfinity_highschool}
Dark Matter
THM{d0nt_l34k_y0ur_w34k_m0dulu5}
Ghost Phishing
THM{gh0st_ph1sh1ng_exp0s3d}
Dump
THM{1nj3ctBr34k3r5}
Shadow Phishing
THM{3m41l_ph1sh1ng_1s_3z}
PassCode
THM{web3_h4ck1ng_code}
Heist
THM{web3_h31st_d0ne}
The Game
THM{I_CAN_READ_IT_ALL}
The Game v2
THM{MEMORY_CAN_CHANGE_4R34L$-$}
Evil-GPT
THM{AI_HACK_THE_FUTURE}
Evil-GPT v2
THM{AI_NOT_AI}
Stolen Mount
THM{n0t_s3cur3_f1l3_sh4r1ng}
Infinity Shell
THM{sup3r_34sy_w3bsh3ll}
Sneaky Patch
THM{sup3r_sn34ky_d00r}
Hide and Seek
THM{y0u_g0t_3v3ryth1ng_d0wn}
Sequel Dump
THM{r3tr13v1ng_th3_dump}
Shadow Phishing 2
THM{3m41l_ph1sh1ng_1s_n0t_s0_3z}
Cipher’s Secret Message
THM{a_sm4ll_crypt0_message_to_st4rt_with_THM_cracks}
Cryptosystem
THM{Just_s0m3_small_amount_of_RSA!}
Flag Vault
THM{password_0v3rfl0w}
Flag Vault 2
THM{format_issues}
Cloud Sanity Check
THM{for_your_eyes_only}
A Bucket of Phish
THM{this_is_not_what_i_meant_by_public}
Encrypted Data
THM{crypto_cloud_conundrum}
Avengers Hub
Initial Reconnaissance and Discovery: We start by scanning the given IP, revealing open ports 22 and 80. A GoBuster scan detects hidden directories, including admin and a backup.zip file, which becomes a key target.
Zip File Cracking for Credentials: The backup archive is password-protected, so we use zip2john and john with a wordlist to crack it. Inside the archive is a file containing an MD5 hash, identified as the admin password.
CMS Enumeration and Exploitation: The WBCE CMS is identified on the target site. A Google search reveals a Remote Code Execution (RCE) vulnerability in version 1.6.2 using .inc file uploads, which can be exploited via the media uploader.
Remote Shell via Exploit Script: An exploit script is modified to match our environment and uploads a payload, which connects back to Netcat to establish a shell. We confirm command execution (ls, whoami) in the web server's context.
Bypassing PHP Function Restrictions: Many PHP shell payloads fail because functions such as system and shell_exec are disabled. We identify which functions remain available and select popen() as a viable route to an interactive shell.
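The gap the walkthrough found, popen() left enabled while system and shell_exec were blocked, is easy to audit for. This added example (not part of the challenge) parses the disable_functions line of a php.ini fragment, compares it against the exec-family functions, and reports which are still reachable together with a complete replacement line. The ini fragment is constructed.

```python
# Added example, not from the walkthrough: auditing a php.ini
# disable_functions line for the exec-family functions that are still
# enabled, the gap the walkthrough exploited via popen(). Ini is constructed.
import re

# Functions that spawn a process or hand a string to a shell.
EXEC_FAMILY = {"exec", "passthru", "shell_exec", "system", "proc_open",
               "popen", "pcntl_exec"}


def parse_disable_functions(ini_text: str) -> set:
    """Return the set of disabled functions; the last uncommented
    assignment wins, as PHP itself applies it."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        m = re.match(r"^disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(ini_text: str) -> dict:
    """Report what is blocked, what is still reachable, and a line that
    blocks the whole family without dropping anything already disabled."""
    disabled = parse_disable_functions(ini_text)
    return {
        "disabled": sorted(disabled & EXEC_FAMILY),
        "still_enabled": sorted(EXEC_FAMILY - disabled),
        "hardened_line": "disable_functions = " + ",".join(sorted(EXEC_FAMILY | disabled)),
    }


# Constructed php.ini fragment: a commented-out stricter line and a live
# weaker one, which is the kind of drift that leaves popen() reachable.
SAMPLE_INI = """\
; constructed php.ini fragment
;disable_functions = exec,passthru,shell_exec,system,proc_open,popen
disable_functions = exec,passthru,shell_exec,system
"""
```

Disabling the whole family is a mitigation, not a boundary: a web shell that cannot spawn a process can still read and write files with PHP's own functions, so the upload path that planted it is the real fix.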
Stabilizing the Shell and Gaining Further Access: After achieving a limited shell, we generate an SSH key pair, add the public key to the .ssh/authorized_keys file of the void user, and then SSH in for a stable session.
Privilege Escalation via Kernel Module: The final escalation is achieved by compiling and loading a custom kernel module containing a reverse shell. We use a Makefile and C code to build the module, which then executes with root privileges.
Flag Retrieval and Wrap-Up: Root access allows reading the final flag.
Compute Magic
THM{s0m3_mag1c_that_can_b3_computed}
Old Authentication
THM{just_a_simple_encryption_for_you_to_r3}
Serverless
Initial AWS CLI Configuration: We start by configuring the AWS CLI with the provided credentials. The instructor sets environment variables for the access key, secret key, and region (us-east-1), then validates the identity with aws sts get-caller-identity, confirming the user ID and permissions.
S3 Bucket Reconnaissance: We list the contents of a bucket named “red-red-bucket” but hit permission errors. This leads to further probing of available IAM roles and attached policies using commands like aws iam list-roles and aws iam list-attached-group-policies.
IAM Roles and Policy Discovery: Key roles such as “Dev R2” and “Red Team Lambda” are identified. The policy named RedTeamPolicy attached to the group grants read permissions that become crucial later, including the ability to read objects from certain buckets.
Direct Web Access to S3: Knowing the bucket name and region, we access it via its public S3 web URL. A file admin/index.html is found, but it is no longer available, hinting that versioning could reveal older data.
Retrieving Deleted File Versions: Leveraging S3 versioning, we list all past versions of the files, isolate a larger index.html from the admin folder, and retrieve it with a version-specific download command.
Hidden Web Function & SSRF Setup: Inside the old HTML file, JavaScript reveals a fetch() call to a hidden admin endpoint, suggesting potential for Server-Side Request Forgery (SSRF). We use curl to test various inputs against the vulnerable endpoint.
Command Injection Achieved: The endpoint processes input URLs, which we manipulate to include shell commands. Payloads like whoami, ls, and even file reads (e.g., /etc/passwd) are successfully injected, and the responses are returned by the server.
AWS Keys via Environment Variables: From the /proc/self/environ file, we extract a new set of AWS credentials. These enable assuming a more privileged role (red-team-app-lambda) using the sts assume-role command.
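Credentials sitting in a Lambda's environment are what made this hop possible, and the same file can be used to find them before an attacker does. The added example below (not from the walkthrough) parses a NUL-separated environ blob the way /proc/<pid>/environ is laid out, flags the standard AWS credential variable names, catches access key ids that leaked into other variables by their well-known AKIA/ASIA prefix, and reports everything redacted. The environ contents and key values are constructed.

```python
# Added example, not from the walkthrough: what a defender should look for
# in a process environment (/proc/<pid>/environ is NUL-separated KEY=VALUE
# pairs). Finds AWS credentials by variable name and by the well-known
# access-key-id prefix, reporting them redacted. The environ is constructed.
import re

# Long-term access key ids start with AKIA, temporary (STS) ones with ASIA;
# both are 20 characters. Secret keys have no fixed prefix, so they are only
# found by variable name.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_VAR_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}


def parse_environ(blob: bytes) -> dict:
    """Split a /proc/<pid>/environ image into a KEY -> value mapping."""
    env = {}
    for item in blob.split(b"\x00"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def redact(value: str) -> str:
    """Keep just enough of a secret to recognise it in a report."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def find_aws_credentials(environ_blob: bytes) -> list:
    """Return (variable, reason, redacted_value) for every credential found."""
    findings = []
    for key, value in parse_environ(environ_blob).items():
        if key in SECRET_VAR_NAMES:
            findings.append((key, "named-variable", redact(value)))
        elif ACCESS_KEY_RE.search(value):
            findings.append((key, "access-key-pattern", redact(value)))
    return findings


# Constructed environment: a Lambda-like process with long-term keys in the
# standard variables and the same key id pasted into an unrelated variable.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin\x00"
    b"LAMBDA_TASK_ROOT=/var/task\x00"
    b"AWS_REGION=us-east-1\x00"
    b"AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDKEY00\x00"
    b"AWS_SECRET_ACCESS_KEY=constructedsecretkeyconstructedsecretkey\x00"
    b"APP_NOTE=rotate AKIACONSTRUCTEDKEY00 next week\x00"
)
```

Long-term AKIA keys in a function's environment are the finding to act on: a Lambda should get its permissions from its execution role, which hands it short-lived ASIA credentials that expire on their own.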
Privilege Escalation & Role Chaining: With the new role, we access the Dev role, which grants further administrative capabilities. This chained escalation mimics real-world cloud privilege abuse techniques.
Final Enumeration & Database Access: The final flag is located in a DynamoDB table. Using the aws dynamodb scan command, we access a read-mar table to extract flag 3, completing the CTF challenge.