# Bypass

**Room Link:** <https://tryhackme.com/r/room/bypass>

What is the flag value after accessing the endpoint cctv.thm/fpassword.php?id=1?

**Kali**

```
nmap -A cctv.thm
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FEdnnWWcpSQU4HVyr4Si2%2Fimage.png?alt=media&#x26;token=9d11f467-9972-4f0a-ab52-bcc46e2b3a71" alt=""><figcaption></figcaption></figure>

**Kali**

```
ffuf -u https://cctv.thm/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FGM5mXvzroClnjiQepmZU%2Fimage.png?alt=media&#x26;token=8d812fd2-bf5e-4943-a97b-14652fb34c57" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FkYrAmIcg9TurpDEnGXAF%2Fimage.png?alt=media&#x26;token=fa430b7e-3de5-47cd-a40f-9d819f5a8e34" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FX2tviTotFOj6O9HVFpTE%2Fimage.png?alt=media&#x26;token=e2ded151-1595-4fa4-a946-ec2ad41d7801" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F5nvMkIAvBgjmZma9Tuez%2Fimage.png?alt=media&#x26;token=1736cacb-86fa-4768-ab0a-a2a65cf7439d" alt=""><figcaption></figcaption></figure>

I first tried using knock but it wasn't working, probably because it's not actually sending a message.

**Kali**

```
git clone https://github.com/grongor/knock.git
cd knock
./knock cctv.thm 5000:udp -v
```

**knock.py**

```
import socket

port = 5000
host = 'cctv.thm'
msg = 'Knock,Knock...TheSysRat is here!'.encode()

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(('', 5000))
    s.sendto(msg, (host, port))
    s.close()
    print('Packet send correctly')
except:
    print('Something wrong')
```

**Kali**

```
python knock.py 
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2Fv7SI23h3BQptslLMp3nj%2Fimage.png?alt=media&#x26;token=618dba6b-ede9-49f4-887c-10a00650529b" alt=""><figcaption></figcaption></figure>

What is the flag value after accessing the endpoint cctv.thm/fpassword.php?id=2?

**knock.py**

```
import socket
import ssl

# Target server and port
host = "cctv.thm"
port = 443  # HTTPS port for TCP request

# Target path
path = "/fpassword.php?id=2"

# Custom headers with User-Agent
request = f"GET {path} HTTP/1.1\r\n" \
          f"Host: {host}\r\n" \
          f"User-Agent: I am Steve Friend\r\n" \
          f"Connection: close\r\n\r\n"

# Create an SSL context that ignores certificate verification
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

# Create a TCP socket and wrap it in SSL
with socket.create_connection((host, port)) as sock:
    with context.wrap_socket(sock, server_hostname=host) as ssock:
        # Send the request
        ssock.sendall(request.encode())

        # Receive the response
        response = b""
        while True:
            data = ssock.recv(4096)
            if not data:
                break
            response += data

# Decode and print the response to get the flag
print(response.decode())

```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXeOzJ6qBYOARIOwJHzQb%2Fimage.png?alt=media&#x26;token=c0b820f3-86ef-4041-9881-791f8654f919" alt=""><figcaption></figcaption></figure>

What is the flag value after accessing the endpoint cctv.thm/fpassword.php?id=3?

What is the flag value after accessing the endpoint cctv.thm/fpassword.php?id=4?

What is the flag value after accessing the endpoint cctv.thm/fpassword.php?id=5?

What is the password value for the first layer of security for the CCTV web panel?

What is the lsb\_release -r -s command output from the attached machine?

What is the username for the CCTV web panel?

What is the flag value after logging into the CCTV web panel?


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/bypass.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.