A detailed TryHackMe CTF writeup for a hard-rated Linux machine running a misconfigured Spring Boot application. The attack chain starts with recovering source code via an exposed .git directory, extracting credentials and a non-standard IP trust header to bypass actuator restrictions, then chaining a fake Spring Cloud Config Server response with H2 database INIT SQL injection to achieve RCE as 'nobody'. Lateral movement to 'johnsmith' uses pattern-based su brute force derived from two known passwords and a revealing commit message. Root escalation exploits a root-owned systemd service using tee to write logs into a user-writable directory — pre-creating symlinks pointing at /root/.ssh/authorized_keys and using the app's Hello World endpoint as a write primitive to inject an SSH public key. The writeup concludes with a full vulnerability summary and detailed mitigations for each finding.

20m read time. From infosecwriteups.com
Table of contents
8. Defense and Mitigation
    8.1 Exposed .git Directory
    8.2 Hardcoded Credentials in Version-Controlled Configuration
    8.3 Actuator Misconfiguration and IP Bypass
    8.4 Blank keys-to-sanitize
    8.5 Injectable Spring Cloud Config URI with H2 INIT
    8.6 Predictable Password Pattern
    8.7 Root Process Writing to User-Writable Directory
