This repository contains my personal TryHackMe writeups, study notes and walkthroughs from the TryHackMe Web Application Red Teaming learning path.
The purpose of this repository is to document my methodology, commands, observations, mistakes, exploitation chains and lessons learned while working through advanced web application red teaming rooms. These notes are intended for revision, portfolio building, technical reference and continuous improvement.
Each writeup is based on work completed within an authorised TryHackMe training environment. The rooms and systems covered are intentionally designed for cyber security education, practical exploitation and controlled experimentation.
Where relevant, the writeups may include IP addresses assigned during a lab session. Testing is performed using the TryHackMe AttackBox or a personal Kali Linux virtual machine connected to the TryHackMe network through OpenVPN.
PLEASE NOTE: This repository focuses on the Web Application Red Teaming path. The writeups may involve advanced exploitation concepts, including cryptographic weaknesses, custom tooling, vulnerability chaining, web application firewall bypass techniques and attacks against LLM-enabled applications.
The format of each entry will vary according to the room, objective and level of complexity. Some rooms may focus on a single technique, while others may require several weaknesses to be chained together into a full exploitation path.
Important
This repository will NEVER contain material taken from TryHackMe professional certification examinations or other restricted assessments. It will NOT* provide any flags, passwords, cracked credentials or confidential material that will slow the rate of learning.
If you are looking for any assistance, answers, guides, specific walkthroughs you will NOT find any of those here, help/assistance is limited, but available via the TryHackMe Discord.
Depending on the room, module and learning objective, a writeup may contain:
- Room and module overview;
- Learning objectives;
- Environment and tooling notes;
- Target and attacker IP details where relevant;
- Enumeration and reconnaissance steps;
- Web application mapping;
- Request and response analysis;
- Vulnerability identification and validation;
- Cryptographic weakness analysis;
- Custom tooling or automation logic;
- Exploitation chain development;
- WAF bypass methodology;
- LLM attack surface analysis;
- Initial access methodology where applicable;
- Shell handling or session management where applicable;
- Commands and selected sanitised output;
- Mistakes, troubleshooting and alternative approaches;
- Key findings and lessons learned;
- Defensive recommendations or remediation notes; and
- References and supporting documentation.
Writeups are intended to explain the methodology and decision-making process rather than provide a simple answer list.
Learning Path: Web Application Red Teaming
This path focuses on taking web application pentesting beyond vulnerability discovery and into practical exploitation. It covers complex vulnerability chains and shows how individual weaknesses can be combined to demonstrate meaningful impact in a controlled red team-style environment.
The path currently includes:
| Section | Focus Area |
|---|---|
| Cryptographic Failures | Understanding and exploiting weaknesses in cryptographic implementation. |
| Custom Tooling | Building or adapting tools to automate exploitation workflows. |
| Chaining Vulnerabilities | Combining multiple issues to achieve a larger objective. |
| Bypassing WAF | Understanding web application firewall behaviour and bypass techniques. |
| Attacking LLMs | Exploring prompt injection, insecure output handling, privacy risks and model-related abuse cases. |
The learning path is designed to strengthen practical exploitation methodology, technical reasoning and the ability to show the real impact of discovered vulnerabilities.
| No. | Section | Challenge | Difficulty | Status |
|---|---|---|---|---|
| 1 | Custom Tooling | CAPTCHApocalypse | ||
| 2 | Chaining Vulnerabilities | Extract | ||
| 3 | Chaining Vulnerabilities | Voyage | ||
| 4 | Chaining Vulnerabilities | Sequence | ||
| 5 | Bypassing WAF | Padelify | ||
| 6 | Bypassing WAF | Farewell | ||
| 7 | Attacking LLMs | Juicy | ||
| 8 | Attacking LLMs | BankGPT | ||
| 9 | Attacking LLMs | HealthGPT |
The tools used will vary by room, objective and target behaviour. The following list is representative rather than exhaustive.
| Reconnaissance and Enumeration | Web and Application Testing | Exploitation and Access | Custom Tooling and Automation |
|---|---|---|---|
| Nmap | Burp Suite | Metasploit Framework | Python |
| RustScan | OWASP ZAP | Netcat | Requests |
| Gobuster | ffuf | Hydra | Beautiful Soup |
| Feroxbuster | SQLmap | PayloadsAllTheThings | Playwright |
| WhatWeb | Postman | GTFOBins | Selenium |
| Nikto | Browser Developer Tools | CyberChef | Bash scripting |
| Cryptography and Encoding | WAF and Filtering Analysis | LLM Security Testing | Supporting References |
|---|---|---|---|
| OpenSSL | Burp Suite Repeater | Manual prompt testing | OWASP Web Security Testing Guide |
| Hashcat | Burp Suite Intruder | Input and output handling review | OWASP Top 10 |
| John the Ripper | Encoding and case manipulation | Data leakage testing | OWASP API Security Top 10 |
| CyberChef | Payload mutation | Indirect prompt injection review | OWASP Top 10 for LLM Applications |
| hashpump | Header and parameter tampering | Model behaviour analysis | PortSwigger Web Security Academy |
My general workflow is:
- Review the room objectives and identify any prerequisite knowledge.
- Prepare the lab environment and record the relevant connection details.
- Confirm the target scope before running active testing.
- Map the application, endpoints, parameters, authentication flow and observable controls.
- Capture baseline requests and responses before making changes.
- Identify possible weaknesses and validate them carefully.
- Build a repeatable exploitation path rather than relying on one-off behaviour.
- Chain vulnerabilities only within the authorised lab scope.
- Record commands, observations, failed approaches and important output.
- Redact flags, answers, credentials, hashes, tokens and other restricted material.
- Explain why each successful technique worked rather than listing commands without context.
- Record lessons learned and link the activity to wider cyber security practice.
- Add defensive recommendations or remediation notes where appropriate.
- Review the finished writeup for accuracy, clarity and compliance with TryHackMe rules.
The emphasis is on repeatable methodology, clear reasoning and controlled exploitation. Finding the bug is useful; proving the impact safely is where the learning lands properly.
These notes may contain spoilers, command output, vulnerability details and complete attack or investigation paths. Anyone actively completing a room should attempt it independently before reading the associated writeup.
This repository will not intentionally publish:
- TryHackMe flags or answer strings;
- passwords or cracked credentials;
- reusable session tokens;
- private keys or sensitive certificates;
- certification examination content;
- copied room instructions or substantial portions of TryHackMe material;
- exploit material aimed at real-world unauthorised targets; or
- material that TryHackMe or a room author has asked learners not to share.
Where a value is necessary to explain the methodology, it will be represented using a placeholder such as <TARGET_IP>, <USERNAME>, <EMAIL_ADDRESS>, <SESSION_VALUE_REDACTED> or <REDACTED>.
If restricted or sensitive information is included accidentally, please report it through the repository's GitHub Discussions or Issues area so it can be reviewed and removed.
These writeups are for educational purposes only and are based on authorised TryHackMe lab environments.
All tools, commands, techniques, and methodologies referenced in these writeups were used within controlled training environments where permission was provided by the owner and/or operator of the lab platform. The systems discussed are intentionally vulnerable machines designed for cybersecurity learning, practice, and assessment.
Do not use these techniques, tools, or methods against systems, networks, applications, or services that you do not own or do not have explicit written permission to test. Unauthorised access, scanning, exploitation, or disruption of systems is illegal and unethical.
The tools and methods listed in this repository are examples of approaches used during specific rooms or learning exercises. They are not the only possible solutions, and other tools, techniques, or workflows may be used depending on the target environment, room design, and individual methodology.
TryHackMe periodically updates, replaces or retires rooms and learning paths. Links, room sequences and path content may therefore change after a writeup is published.
Each writeup should be treated as a record of the room as it appeared on the date documented. Where a material change is identified, the relevant page may be updated or marked as archived.
If you notice a broken link, outdated instruction, formatting problem, technical error or any other noticeable issue within a writeup, please report it through the repository's Issues tab. When raising an issue, include the name of the affected writeup, a brief description of the problem and, where possible, the relevant section or line.
Constructive corrections are welcome and help keep the repository accurate, useful and maintainable.
Thanks for checking out my TryHackMe writeups. These notes form part of my ongoing cybersecurity learning journey, where I document rooms, techniques, tools, mistakes and lessons learned while working through different challenges.
You can view my TryHackMe profile here:
I am also active within cybersecurity learning communities, including Discord, where I discuss labs, tools, methodologies and general security topics with other learners and practitioners.
Feel free to follow my progress, compare approaches or get in touch if you are working through similar rooms.
Walkthrough requests are always welcome, although publication will depend on my availability and whether sharing the content complies with the platform's rules.
Created by V4L1K4HN as part of my cybersecurity learning journey through TryHackMe.
Unless otherwise stated, the original written content in this repository is licensed under the Creative Commons Attribution 4.0 International License.
Copyright © 2026 V4L1K4HN.
You may share and adapt the licensed material for any purpose, including commercially, provided that:
- appropriate credit is given to V4L1K4HN;
- a link to the license is provided; and
- any changes made to the original material are clearly indicated.
This license applies only to original material created by the repository author. TryHackMe content, branding, room materials, third-party software, trademarks, externally sourced material, and any other third-party intellectual property remain subject to their respective owners' terms and licenses.
See the LICENSE file for the complete legal terms.
Powered on ☕ made with ❤️ by V4L1K4HN
⭐ If this project is useful, consider starring it on GitHub.

