r/tryhackme

I am currently only doing basics Like Windows Fundamentals.

I find myself being stuck on simple tasks as a beginner, because there are no clear instructions and steps being given.

During Active Directories Task 4 I suddenly get the prompt:

Now let's use Phillip's account to try and reset Sophie's password. Here are Phillip's credentials for you to log in via RDP.

It gives me the credentials but in no way tells me how RDP works, nor that I need to now switch to an attack box. I only found that out by watching a 40 minute youtube vide.

Is it just me feeling this is not ok. This is supposed to be a beginner course but it lack the neccessary information for me to complete it.

Having to watch tutorials for an tutorial I paid for is kind of weird to me. So far I did all the prerequisite moduls only. I am sure for more advaced users it would be easy but I assumed this was a platform for total Beginners like many websites stated. Feeling kinda dumb right now.

Since my box got flooded the last time I made a post about a free resource I made for THM enthusiasts like me : https://www.reddit.com/r/tryhackme/comments/1siyqyl/free_resource_webapp_for_training_certs_pt1_exam/

(this is not an ad, this is not a product. it's free. always will be.)

I'm making another post with the clear app link and a lot of new features (PT1 Hard mode, SEC1 Exam, etc.) bugs corriged thanks to people's feedback.

Don't hesitate to give feedback so I can improve it even more for the community :)

All features : (PT1 Exam mockup isn't 60 minutes at all, you can choose between 3 and 6 hours, some features just don't work like "Failure Learning" so ignore that. Box Mode, Wireless Mode, SEC1 Exam are new features that weren't there before so that's also why I'm doing a second post). You can find the link to the app in the comments or in the previous post. Thank you :)

Feedback appreciated

I just passed witch a score of 838. Got all but 1 flag. The exam is split into 3 separate pentests. Web Pentest, Network Pentest and AD pentest.

I started with the Web Pentest and got 3 flags within 5 hours, hunted for 3 more hours for the fourth but no luck. Then decided to hit the hay and go again in the morning. This was my first offensive cert so the excitement kept me up haha.

Morning came and I decided to move onto the Network pentest, had to pwn a linux machine and a windows machine. Started with linux and got the user and root flag within an hour. Moved to Windows and got the user flag within like 30 mins but the root flag took like 2 hours extra. Altogether was completed within 4 hours.

The AD test only had 2 flags, the first was faily easy to grab and took like 30 mins, to get the DC flag was a pain, was at it for a few hours and thought I got the flag so took a lunch break but when I went to submit I noticed they were identical, then ran hostname and realised I was still on the workstation haha, took a few more hours but managed to pwn it.

Revisited the Web app to try find the fourth flag but every single attack vector I tried was useless, I tried everything I could think of but clearly I missed something. After going at it for about 8 more hours I gave in and just submitted the exam with a guess of the vuln issue to try get partial credits (I was wrong so was given 0).

Good luck to anyone who takes this next and feel free to ask any questions.

https://preview.redd.it/zman43six5wg1.png?width=1855&format=png&auto=webp&s=a218806204b3f8f9038f0c171f44655b5549404a

BTW - software engineer with 4 years of experience but man this module/section is making me crazy 🤣😭

is it that hard ? or I am dumb ?

Hi, I'm getting into Android pentesting and need some guidance on the best setup for intercepting app traffic.

Specifically I'm struggling with:

• Best tools/setup for intercepting HTTPS traffic from Android apps using Burp Suite
• How to bypass SSL pinning on apps that implement it (especially heavily protected apps like games)
• Whether to use a physical device or emulator, and pros/cons of each
• No-root methods vs rooted device — what's actually practical in 2026?

My current setup is Kali Linux on laptop and a physical Android phone. I can intercept basic browser traffic fine but struggle with apps that have SSL pinning or ignore the system proxy.

What would you recommend as the most practical and complete setup for Android app traffic interception and pentesting?

Hi everyone,

I’m currently working through the JWT Security room on TryHackMe, specifically the Signature Validation Mistakes section, and I’ve run into something confusing.

When I modify the JWT and send different requests (changing the signature as expected), I still keep getting the same flag every time, regardless of what I change.

I was expecting different behavior depending on whether the signature is valid or not, so I’m wondering if:

- the room might be broken, or

- I’m misunderstanding how this part is supposed to work

Has anyone else experienced this? Any hints on what I might be missing would be really helpful.

Thanks!

Which CTF rooms do you guys recommend to complete after finishing Introduction to Web Hacking module? I've tried some and I've noticed rooms like Pickle Rick and Hidden Deep Into my Heart to be beginner friendly and fun, but rooms like Mustacchio, even though they're rated as easy require more advanced exploits and are out of scope for Introduction to Web Hacking.

I just want someone German because I have enough English speaking people to learn but not a single German person.

I started with TryHackMe and Jack the box a Year ago but I had problems with motivation so I learned on some days 1-2 hours and on good days 5-10 hours. But I never learned longer than 18 Days in a Row.

I want to make some Friends with who I can do some CTF's and I want to visit some Hacking Events with them in Reallife.

It would love to make money with them together! I'm thinking about starting a Business!

I have completed 4 alerts so far and it says a 5th one came in but it is a firewall alert of high pri. I can see it on the dashboard, but when I go to alert queue or anywhere else I'm having I cam't see it.

is this a bug? or am I the bug? I'm still vwry new to everything(obviously)

Just wondering if I am adding this to the list of reasons I am not renewing in December.

Edit: I love people on reddit. It reminds me why I don't communicate with people in any "nerd" community even if its is tangentially nerdy. May the odds forever be in your favour.

Is THM ranking linked in worthy?

It was a huge leap forward after the SEC0 exam that I passed on Friday.

I can suspect that I got lower results due to wording from some sections like Network Traffic Fundamentals, for which I was more confident than the final result I saw.

The hardest part was the Web Pentesting section with some SQL Injection concepts that I felt were rather from the paths that follow SEC1 and not really from SEC1. I for sure recommend spending more time in preparation of for the Web Pentesting section.

What I didn't like is that I would have gotten 100% on the Bruteforcing module but even though I have already tried more than 40000 password combinations, I ran out of time and thus were unable to find the password on time.

Other than that, I understand the areas for improvement on which I have to work, and definitely there is still things to revise / cover to improve myself on the exam.

Nevertheless, I can now proudly call myself SEC1 certified, and now will pursue the PT1 exam which I plan to take later this year.

https://preview.redd.it/izhwe8uil0vg1.png?width=1267&format=png&auto=webp&s=f930110f6918a252c20d80a401ebe452208c91b1

Hey all,

I am studying for my CySA+ that I plan to take next month or in June. I have no IT/Cyber background, BUT i do have Sec+ and Ive been recently approved to be an intern to be a SOC Analyst in July. I am trying to find the right rooms on tryhackme that’ll cover some of the domains.

Have you guys used tryhackme as a resource for CySA?