Introduction to Web Hacking Part 1— TryHackMe Walkthrough

WiktorDerda
6 min read · Jun 9, 2022


Hi! Today I am going to give you a full walkthrough of the Introduction to Web Hacking Module.

Room 1: Walking An Application

Walking An Application

In this room you will learn how to manually review a web application for security issues using only the in-built tools in your browser. More often than not, automated security tools and scripts will miss many potential vulnerabilities and useful information.

Here is a short breakdown of the in-built browser tools you will use throughout this room:

  • View Source — Use your browser to view the human-readable source code of a website.
  • Inspector — Learn how to inspect page elements and make changes to view usually blocked content.
  • Debugger — Inspect and control the flow of a page’s JavaScript
  • Network — See all the network requests a page makes.

No answer needed

Exploring the Website

No answer needed

Viewing the Page Source

What is the flag from the HTML comment?
Open the page source (Ctrl+U) and read the HTML comments. One of them mentions the path /new-home-beta; visit that path and the flag is displayed.
Answer : THM{HTML_COMMENTS_ARE_DANGEROUS}

What is the flag from the secret link?
Look further down the page source for a link that is not shown on the rendered page: it points to /secret-page. Visit it and the flag is displayed.
Answer: THM{NOT_A_SECRET_ANYMORE}

What is the directory listing flag?
The source references files under /assets. Browse to /assets directly: the server has directory listing enabled, so it shows every file in that directory, including flag.txt. Open that file to get the answer.
Answer: THM{INVALID_DIRECTORY_PERMISSIONS}

What is the framework flag?
The comment at the bottom of the home page source gives the URL of the framework the site is built on. Follow it and read the framework's Change Log: one entry says that a /tmp.zip file was left behind on the server. Open http://<ip_address>/tmp.zip, download and extract the archive, and the flag is in flag.txt.
Answer: THM{KEEP_YOUR_SOFTWARE_UPDATED}

Developer Tools — Inspector

What is the flag behind the paywall?
Go to /news and open the article behind the paywall. Right-click the overlay and choose Inspect Element to open the Inspector, then find the element with the class "premium-customer-blocker". In the rules pane on the right, change its display property from block to none. The overlay disappears and the flag underneath is visible.
Answer: THM{NOT_SO_HIDDEN}

Developer Tools — Debugger

What is the flag in the red box?
Go to the /contact page, open Developer Tools and switch to the Debugger tab. In the assets folder open flash.min.js and click the Pretty Print button ({}) so the minified file becomes readable, then scroll down to line 108. Click the line number to set a breakpoint there and refresh the page: execution pauses before the code that removes the red box runs, so the banner stays on screen with the flag.
Answer: THM{CATCH_ME_IF_YOU_CAN}

Developer Tools — Network

What is the flag shown on the contact-msg network request?
With the Network tab open, fill in the contact form and press the Send Message button. A new entry appears in the Network tab: this is the form being submitted in the background using AJAX. AJAX is a technique for sending and receiving data in the background of a web application without reloading or navigating away from the current page.

Once the message has been sent, select the contact-msg request in the Network tab and open its Response tab to read the flag.
Answer: THM{GOT_AJAX_FLAG}

Room 2: Content Discovery

What is content discovery ?

Firstly, we should ask, in the context of web application security, what is content? Content can be many things, a file, video, picture, backup, a website feature. When we talk about content discovery, we’re not talking about the obvious things we can see on a website; it’s the things that aren’t immediately presented to us and that weren’t always intended for public access.

This content could be, for example, pages or portals intended for staff usage, older versions of the website, backup files, configuration files, administration panels, etc.

There are three main ways of discovering content on a website which we’ll cover. Manually, Automated and OSINT (Open-Source Intelligence).

What is the Content Discovery method that begins with M? Answer: Manually

What is the Content Discovery method that begins with A? Answer: Automated

What is the Content Discovery method that begins with O? Answer: OSINT

Manual Discovery — Robots.txt

What is the directory in the robots.txt that isn’t allowed to be viewed by web crawlers? Answer: /staff-portal

Manual Discovery —Favicon

What framework did the favicon belong to? Answer: cgiirc

Manual Discovery —Sitemap.xml

What is the path of the secret area that can be found in the sitemap.xml file? Answer: /s3cr3t-area

Manual Discovery — HTTP Headers

What is the flag value from the X-FLAG header? Answer: THM{HEADER_FLAG}
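The four manual checks above (robots.txt, favicon, sitemap.xml and HTTP headers) are usually done by hand in the browser or with curl, but they are just parsing. The block below is an added example, not code from the post or from the TryHackMe room; every input in it (the robots.txt text, the sitemap, the response headers, the host name example.thm) is constructed for the demo, and the favicon helper only produces the MD5 that you would then look up in the OWASP favicon database.

```python
"""Added example (not from the post or the room): the manual discovery
checks done programmatically over constructed inputs."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed robots.txt, modelled on the room's /staff-portal entry.
ROBOTS_TXT = """User-agent: *
Allow: /
Disallow: /staff-portal
Disallow: /admin/
Sitemap: http://example.thm/sitemap.xml
"""

# Constructed sitemap.xml listing a path no page links to.
SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://example.thm/</loc></url>
  <url><loc>http://example.thm/news</loc></url>
  <url><loc>http://example.thm/s3cr3t-area</loc></url>
</urlset>
"""

# Constructed response head, the kind of thing `curl -I` prints.
RAW_RESPONSE_HEAD = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
X-FLAG: THM{HEADER_FLAG}
X-Powered-By: Express
"""


def robots_disallowed(text: str) -> list:
    """Paths the site asks crawlers to skip: the first places to look."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def sitemap_paths(xml_text: str) -> list:
    """URL paths listed in a sitemap, including forgotten ones."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [urlparse(loc.text.strip()).path
            for loc in root.findall("sm:url/sm:loc", ns)]


def favicon_md5(data: bytes) -> str:
    """MD5 of the favicon bytes, to compare with the OWASP favicon database."""
    return hashlib.md5(data).hexdigest()


def interesting_headers(raw_head: str) -> dict:
    """Server and X-* headers: version info, framework hints or lab flags."""
    found = {}
    for line in raw_head.splitlines()[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip()
        if name.lower() == "server" or name.lower().startswith("x-"):
            found[name] = value.strip()
    return found


if __name__ == "__main__":
    print("robots.txt disallows:", robots_disallowed(ROBOTS_TXT))
    print("sitemap paths:", sitemap_paths(SITEMAP_XML))
    print("favicon md5 of empty file:", favicon_md5(b""))
    print("headers worth a look:", interesting_headers(RAW_RESPONSE_HEAD))
```

For the favicon question in the room the real input is the bytes returned by the site's favicon URL (the room does it with curl piped into md5sum); the hash is then matched against the OWASP favicon database to name the framework.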

Manual Discovery — Framework Stack

  1. Go to http://<ip_address> and view the page source; the link to the framework's website is in the footer at the bottom.
  2. Follow that link and read the framework's documentation page.
  3. Log in at http://<ip_address>/thm-framework-login with the default credentials listed in the documentation.

What is the flag from the framework’s administration portal? Answer: THM{CHANGE_DEFAULT_CREDENTIALS}

OSINT — Google Hacking / Dorking

What Google dork operator can be used to only show results from a particular site? Answer: site:

OSINT — Wappalyzer

What online tool can be used to identify what technologies a website is running? Answer: Wappalyzer

OSINT — Wayback Machine

What is the website address for the Wayback Machine? Answer: https://archive.org/web/

OSINT — GitHub

What is Git? Answer: version control system

OSINT — S3 Buckets

What URL format do Amazon S3 buckets end in? Answer: s3.amazonaws.com

Automated Discovery

Both answers come from running dirb against the target's base URL. dirb uses its common.txt wordlist by default, so you do not have to select or type one.

What is the name of the directory beginning “/mo….” that was discovered? Answer: /monthly

What is the name of the log file that was discovered? Answer: /development.log
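What dirb does for the two questions above is simple: request every word from a wordlist as a path and report anything that does not come back 404, treating a 301 to the same path with a trailing slash as a directory. The block below is an added example, not the room's or the post's code, and does not use dirb: it spins up a throwaway local web root containing a monthly/ directory and a development.log file (constructed for the demo), then brute-forces it with a tiny constructed wordlist standing in for common.txt.

```python
"""Added example (not from the post or the room): a minimal dirb-style
directory brute-forcer run against a throwaway local web root."""
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

# Constructed wordlist standing in for dirb's default common.txt.
WORDLIST = ["admin", "backup", "development.log", "images", "monthly", "robots.txt"]


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 3xx: a bare "/monthly" then surfaces as a 301, which is
    # exactly how dirb recognises a directory.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def start_test_site(root: str) -> http.server.ThreadingHTTPServer:
    """Serve `root` on a random loopback port in a background thread."""
    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def brute_force(base_url: str, words) -> dict:
    """Request base_url/<word> for every word; return {path: status} for
    everything that is not a 404 (200 = file, 301 = directory)."""
    opener = urllib.request.build_opener(_NoRedirect)
    found = {}
    for word in words:
        path = "/" + word
        req = urllib.request.Request(base_url + path)
        try:
            with opener.open(req, timeout=5) as resp:
                found[path] = resp.status
        except urllib.error.HTTPError as err:
            if err.code != 404:
                found[path] = err.code
    return found


def demo() -> dict:
    """Build the constructed web root, scan it, tear it down."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "monthly").mkdir()
        (Path(root) / "development.log").write_text("constructed log line\n")
        server = start_test_site(root)
        try:
            base = "http://127.0.0.1:%d" % server.server_address[1]
            return brute_force(base, WORDLIST)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        kind = "DIRECTORY" if status == 301 else "file"
        print(f"{status}  {path}  ({kind})")
```

Against the room's target you would replace the local base URL with http://<ip_address> and the six-word list with a real wordlist; the filtering logic is the same one dirb applies.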

Room 3 : Subdomain Enumeration

OSINT — SSL/TLS Certificates

What domain was logged on crt.sh at 2020-12-26? Answer: store.tryhackme.com

OSINT — Search Engines

What is the TryHackMe subdomain beginning with B discovered using the room's Google search (site:*.tryhackme.com -site:www.tryhackme.com)? Answer: blog.tryhackme.com

DNS Bruteforce

What is the first subdomain found with the dnsrecon tool? Answer: api.acmeitsupport.thm

OSINT — Sublist3r

What is the first subdomain discovered by sublist3r? Answer: web55.acmeitsupport.thm

Virtual Hosts

What is the first subdomain discovered? Answer: delta

What is the second subdomain discovered? Answer: yellow
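Virtual hosts are the one case where DNS and certificate OSINT cannot help: the names live only in the web server's configuration, so you fuzz the Host header and filter out responses that look like the default site. The room does this with ffuf, using `-H "Host: FUZZ.acmeitsupport.thm"` and `-fs <size>` to drop responses whose size matches the default page. The block below is an added example, not the room's or the post's code, and does not use ffuf: it starts a constructed local server that answers differently for the two hostnames delta.acmeitsupport.thm and yellow.acmeitsupport.thm, then applies the same size-based filter from Python. The candidate list and the vhost table are both constructed for the demo.

```python
"""Added example (not from the post or the room): virtual-host discovery by
fuzzing the Host header and filtering on response size, against a
constructed local server."""
import http.server
import threading
import urllib.request

BASE_DOMAIN = "acmeitsupport.thm"      # the room's domain
# Constructed candidate words standing in for a subdomain wordlist.
CANDIDATES = ["www", "delta", "mail", "yellow", "dev"]

# Constructed vhost table: what the demo server answers per hostname.
VHOSTS = {
    "delta.acmeitsupport.thm": b"<h1>Delta internal portal</h1>",
    "yellow.acmeitsupport.thm": b"<h1>Yellow staging site</h1>",
}
DEFAULT_BODY = b"<h1>ACME IT Support - default site</h1>"


class _VHostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # A real server picks the site from the Host header the same way.
        host = self.headers.get("Host", "").split(":")[0]
        body = VHOSTS.get(host, DEFAULT_BODY)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep demo output clean
        pass


def start_server() -> http.server.ThreadingHTTPServer:
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def response_size(base_url: str, host: str) -> int:
    """GET base_url/ with an explicit Host header; return body length."""
    req = urllib.request.Request(base_url + "/", headers={"Host": host})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return len(resp.read())


def fuzz_vhosts(base_url: str, candidates, base_domain: str) -> list:
    """Return candidate words whose vhost answers differently from the
    default site (the equivalent of ffuf's -fs <default size>)."""
    baseline = response_size(base_url, "doesnotexist." + base_domain)
    hits = []
    for word in candidates:
        size = response_size(base_url, f"{word}.{base_domain}")
        if size != baseline:
            hits.append(word)
    return hits


def demo() -> list:
    server = start_server()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return fuzz_vhosts(base, CANDIDATES, BASE_DOMAIN)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("virtual hosts found:", demo())
```

Size is only a heuristic: a vhost that serves the same template as the default site with one word changed will pass the filter, so in practice you also compare status codes and word or line counts (ffuf's -fc, -fw and -fl) before ruling a name out.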
