Introduction to Web Hacking Part 1 — TryHackMe Walkthrough
Hi! Today I am going to give you a full walkthrough of the Introduction to Web Hacking Module.
Room 1: Walking An Application
Walking An Application
In this room you will learn how to manually review a web application for security issues using only the in-built tools in your browser. More often than not, automated security tools and scripts will miss many potential vulnerabilities and useful information.
Here is a short breakdown of the in-built browser tools you will use throughout this room:
- View Source — Use your browser to view the human-readable source code of a website.
- Inspector — Learn how to inspect page elements and make changes to view usually blocked content.
- Debugger — Inspect and control the flow of a page’s JavaScript
- Network — See all the network requests a page makes.
No answer needed
Exploring the Website
No answer needed
Viewing the Page Source
What is the flag from the HTML comment?
Look in the page source for the HTML comment: it points to /new-home-beta. Open that page and the flag is displayed.
Answer: THM{HTML_COMMENTS_ARE_DANGEROUS}
What is the flag from the secret link?
Look through the page source for the link to /secret-page. Visit it and the flag is displayed.
Answer: THM{NOT_A_SECRET_ANYMORE}
What is the directory listing flag?
Go to /assets: the server returns a directory listing of the whole folder, including a file called flag.txt. Open the file and you will get your answer.
Answer: THM{INVALID_DIRECTORY_PERMISSIONS}
What is the framework flag?
Check the last comment in the main page's source code. Following it, you will find a Change Log entry stating that /tmp.zip is the file we are looking for. Open http://<ip_address>/tmp.zip to download the archive, extract it, and the flag is in flag.txt.
Answer: THM{KEEP_YOUR_SOFTWARE_UPDATED}
Developer Tools — Inspector
What is the flag behind the paywall?
Go to the /news section and open the article behind the paywall. Right-click it and choose Inspect Element to open the Inspector, then find the element with the class “premium-customer-blocker” and click on it. In the styles panel on the right, change its display value from “block” to “none”. Boom! It is done, now you can see the flag.
Answer: THM{NOT_SO_HIDDEN}
Developer Tools — Debugger
What is the flag in the red box?
To check it go to the /contact page and open the Debugger (click on Inspect Element and then move to the Debugger tab). In the Debugger menu look for flash.min.js in the assets. Select the Pretty Print view and scroll down to line 108. Click on the line number: this sets a breakpoint that pauses the script there. Refresh the page and you will see the red banner being displayed.
Answer: THM{CATCH_ME_IF_YOU_CAN}
Developer Tools — Network
What is the flag shown on the contact-msg network request?
With the network tab open, try filling in the contact form and pressing the Send Message button. You’ll notice an event in the network tab: this is the form being submitted in the background using a technique called AJAX, which lets a web application send and receive data without reloading the current page.
Once the message has been sent, refresh the page, select the contact-msg request and open its Response tab to read the flag.
Answer: THM{GOT_AJAX_FLAG}
Room 2: Content Discovery
What is content discovery?
Firstly, we should ask, in the context of web application security, what is content? Content can be many things, a file, video, picture, backup, a website feature. When we talk about content discovery, we’re not talking about the obvious things we can see on a website; it’s the things that aren’t immediately presented to us and that weren’t always intended for public access.
This content could be, for example, pages or portals intended for staff usage, older versions of the website, backup files, configuration files, administration panels, etc.
There are three main ways of discovering content on a website, which we’ll cover: manually, automated, and OSINT (Open-Source Intelligence).
What is the Content Discovery method that begins with M? Answer: Manually
What is the Content Discovery method that begins with A? Answer: Automated
What is the Content Discovery method that begins with O? Answer: OSINT
Manual Discovery — Robots.txt
What is the directory in the robots.txt that isn’t allowed to be viewed by web crawlers? Answer: /staff-portal
Manual Discovery — Favicon
What framework did the favicon belong to? Answer: cgiirc
Manual Discovery — Sitemap.xml
What is the path of the secret area that can be found in the sitemap.xml file? Answer: /s3cr3t-area
Manual Discovery — HTTP Headers
What is the flag value from the X-FLAG header? Answer: THM{HEADER_FLAG}
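The four manual checks above (robots.txt, favicon, sitemap.xml, HTTP headers) done programmatically, as an added example that is not part of the TryHackMe room; all inputs are constructed samples, and the favicon lookup table is a hypothetical stand-in for the OWASP favicon database the room refers to.

```python
# Added example, not part of the TryHackMe room: the four manual discovery
# checks from this section done in code. All inputs below are constructed.
import hashlib
import xml.etree.ElementTree as ET

ROBOTS_TXT = "User-agent: *\nAllow: /\nDisallow: /staff-portal\nDisallow: /backup/\n"

SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://example.thm/</loc></url>
  <url><loc>http://example.thm/s3cr3t-area</loc></url>
</urlset>"""

HEADERS = {
    "Content-Type": "text/html",
    "Server": "nginx/1.18.0", "X-Powered-By": "Express",
    "X-FLAG": "THM{HEADER_FLAG}",
}

FAVICON_BYTES = b"\x00\x00\x01\x00constructed-favicon-bytes"
# Hypothetical hash -> framework table in the style of the OWASP favicon database.
KNOWN_FAVICONS = {hashlib.md5(FAVICON_BYTES).hexdigest(): "example-framework"}


def disallowed_paths(robots_txt):
    """Paths the site asks crawlers to skip; often the most interesting ones."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def sitemap_locations(sitemap_xml):
    """Every <loc> entry in a sitemap, ignoring the XML namespace."""
    root = ET.fromstring(sitemap_xml)
    return [el.text.strip() for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "loc"]


def revealing_headers(headers):
    """Headers that name software/versions or are non-standard (X-...)."""
    return {k: v for k, v in headers.items()
            if k.lower() in ("server", "x-powered-by") or k.lower().startswith("x-")}


def identify_favicon(favicon_bytes, known=KNOWN_FAVICONS):
    """MD5 the favicon and look it up, as the room does against the OWASP list."""
    digest = hashlib.md5(favicon_bytes).hexdigest()
    return known.get(digest, "unknown"), digest
```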
Manual Discovery — Framework Stack
1. Go to the website http://<ip_address> and check the source code; at the bottom you will find the link.
2. Check the documentation page.
3. Log in with the admin credentials at http://<ip_address>/thm-framework-login
What is the flag from the framework’s administration portal? Answer: THM{CHANGE_DEFAULT_CREDENTIALS}
OSINT — Google Hacking / Dorking
What Google dork operator can be used to only show results from a particular site? Answer: site:
OSINT — Wappalyzer
What online tool can be used to identify what technologies a website is running? Answer: Wappalyzer
OSINT — Wayback Machine
What is the website address for the Wayback Machine? Answer: https://archive.org/web/
OSINT — GitHub
What is Git? Answer: version control system
OSINT — S3 Buckets
What URL format do Amazon S3 buckets end in? Answer: s3.amazonaws.com
Automated Discovery
To get the answers for the questions you just need to run dirb against the target. The common.txt wordlist is dirb's default, so you don't have to select it or type it.
What is the name of the directory beginning “/mo….” that was discovered? Answer: /monthly
What is the name of the log file that was discovered? Answer: /development.log
Room 3: Subdomain Enumeration
OSINT — SSL/TLS Certificates
What domain was logged on crt.sh at 2020-12-26? Answer: store.tryhackme.com
OSINT — Search Engines
What is the TryHackMe subdomain beginning with B discovered using the above Google search? Answer: blog.tryhackme.com
DNS Bruteforce
What is the first subdomain found with the dnsrecon tool? Answer: api.acmeitsupport.thm
OSINT — Sublist3r
What is the first subdomain discovered by sublist3r? Answer: web55.acmeitsupport.thm
Virtual Hosts
What is the first subdomain discovered? Answer: delta
What is the second subdomain discovered? Answer: yellow