Some versions of this room have a cron job that runs backup.sh as root. If that script is world-writable, you can replace it with a reverse shell.
This room teaches the importance of Information Gathering. The exploit wasn't a complex software vulnerability (like a buffer overflow), but rather a vulnerability in the information management of the system administrator (leaving notes and sensitive directories accessible on the web server).
Note: In the specific CCT2019 challenge, there is often a specific hint regarding "Cigarette" or "Smoke" malware.
Investigation Steps:
CCT2019 is a high-difficulty, "Insane" rated room on TryHackMe that features legacy challenges originally created for the U.S. Navy Cyber Competition Team (CCT) 2019 Assessment. Unlike standard "grab-the-flag" rooms, this challenge focuses on analytical depth, traffic reconstruction, and reverse engineering.
Room Structure & Challenges
The room is divided into four distinct tasks, each focusing on a specific domain of cybersecurity:
Task 1: pcap1 (Network Forensics) – This task requires deep analysis of packet captures. It includes "red herrings" to mislead investigators and emphasizes recovering files in their entirety to progress.
Task 2: re3 (Reverse Engineering) – A complex reverse engineering challenge involving a .NET executable. Users must analyze the binary's logic (often using tools like dnSpy) to find specific combinations of values.
Task 3: for1 (Forensics) – A forensic challenge that often involves digging through disk images or specific artifacts to uncover hidden evidence.
Task 4: crypto1 (Cryptography) – A layered crypto challenge. Some sub-tasks (like crypto1c) may require custom scripting to solve, as standard online tools may not support the specific variants used.
Key Skills and Tools Required
To successfully navigate the CCT2019 room, participants generally need proficiency in several advanced areas:
Packet Analysis: Mastery of Wireshark is essential for reconstructing traffic and identifying misleading paths.
Reverse Engineering: Knowledge of assembly or .NET decompilation is necessary for Task 2.
Data Extraction: Tools like binwalk are used to find and extract compressed files or hidden data embedded within other files (e.g., extracting a .pcapng from within another capture).
Scripting: Tasks like the crypto challenges often require Python scripts to automate brute-force attempts or custom decoding.
Strategic Tips
Validate Everything: The room is designed with a "Zero Trust" mindset; don't assume an artifact is valid just because it looks correct at first glance.
Avoid Rabbit Holes: Pay close attention to hints. For the pcap challenge, if you find yourself doing steganography or extensive reverse engineering, you have likely strayed into a "rabbit hole".
Sequence Matters: Especially in the network forensics task, failing to recover the initial file completely can prevent you from solving subsequent steps.
The CCT2019 room on TryHackMe is a unique set of legacy challenges originally built for the U.S. Navy Cyber Competition Team. Unlike typical "speed-run" CTFs, this room is a structured assessment that prioritizes analytical depth, verification, and reasoning under pressure.
⚓ New Challenge Complete: CCT2019 on TryHackMe
I just wrapped up CCT2019, and it was a refreshing change of pace from the standard "capture the flag" format. These challenges were originally designed for the U.S. Navy Cyber Competition Team, and the shift in focus from speed to methodology was clear.
This room doesn't just ask "can you find the flag?"—it asks "can you prove your findings?"
Key Takeaways & Skills Tested:
Deep PCAP Analysis: Navigating complex traffic captures with intentional "rabbit holes" designed to mislead.
Traffic Reconstruction: Moving beyond automated tools to manually recover payloads from raw captures.
Reverse Engineering: Analyzing binary execution logic to understand how a program works, rather than just extracting strings.
Forensics & Layered Crypto: Solving multi-stage puzzles where the output of one step is the vital key for the next.
The "Zero Trust" Mindset
The most valuable part of this room was the requirement to question every artifact. Nothing was taken at face value; every piece of evidence had to be validated and tied back to a logical chain of reasoning—exactly how real-world digital forensics and incident response (DFIR) investigations operate.
Huge thanks to TryHackMe for hosting these legacy Navy challenges. If you're looking to test your analytical patience, I highly recommend giving this one a go.
#CyberSecurity #TryHackMe #CCT2019 #BlueTeam #DigitalForensics #USNavy #Pentesting
The CCT2019 TryHackMe room features legacy challenges from the 2019 US Navy Cyber Competition Team, focusing on forensics, cryptography, and reverse engineering, with key tasks involving Rail Fence ciphers and Run-Length Encoding. Detailed write-ups for specific challenges, such as the re3 reverse engineering task, can be found in the Medium articles by Emanuele Ciccolunghi, Mitun, and Nier0x00.
List the unique hostnames requested in A-record DNS queries from the capture:
tshark -r CCT2019.pcap -Y "dns.qry.type == 1" -T fields -e dns.qry.name | sort -u
List SUID binaries on the system (errors from unreadable directories are discarded):
find / -perm -4000 2>/dev/null
Look for uncommon ones like /usr/bin/xxd or /usr/bin/base64.
With root access, navigate to the /root directory:
cd /root
cat root.txt
Content of root.txt: A second 32-character hash.
Congratulations—you have successfully completed the CCT2019 room.
On port 8080, there’s often a file upload feature (e.g., profile picture upload).
nc -lvnp 4444
Trigger the shell and get a low-privilege shell (e.g., www-data).