TryHackMe: Traverse — Walkthrough
Welcome! It’s time to look at the Traverse CTF room on TryHackMe. Making these walkthroughs is both my way of retaining knowledge and giving back to the cybersecurity community.
Let's get going on this journey of continuing to develop our abilities. I will explain what is happening as we go, but as always feel free to put your own twist on it. When learning, there is no such thing as over-developing a solution.
Room URL: https://tryhackme.com/room/traverse
Room Intro
Bob is a security engineer at a firm and works closely with the software/DevOps team to develop a tourism web application. Once the website was moved from QA to Production, the team noticed that the website was getting hacked daily and wanted to know the exact reason. Bob consulted the blue team as well but has yet to be successful. Therefore, he finally enrolled in the Software Security pathway at THM to learn if he was doing something wrong.
Deploy the machine by clicking the Start Machine button on the top right. You can access the website by visiting the URL http://MACHINE_IP via your VPN connection or the AttackBox.
Can you help Bob find the vulnerabilities and restore the website?
Task 1 (Traverse)
This room consists of 11 questions that guide you through the room. Since it is a semi-guided room, there is less enumeration than in a normal CTF.
Start by navigating, as the intro says, to http://<target ip>/ and you will be greeted with the following page.
Let's see if we can figure out how the hacker got in so we can better secure Bob's code. Opening the page source, we have three notable scripts to inspect. I will review each one as needed based on the next step. First, let's take a look at the first question we are asked.
1. What type of encoding is used by the hackers to obfuscate the JavaScript file?
Out of the three known scripts only one of them looks obfuscated, that being custom.min.js. Put simply, obfuscated code is code that has been intentionally altered to hide what it does. Here is the obfuscated code from the script; take a look and see if you can determine what encoding was used to hide it.
28 66 75 6E 63 74 69 6F 6E 28 29 7B 66 75 6E 63 74 69 6F 6E 20 64 6F 4E 6F 74 68 69 6E 67 28 29 7B 7D 76 61 72 20 6E 3D 22 44 49 52 45 43 54 4F 52 59 22 3B 76 61 72 20 65 3D 22 4C 49 53 54 49 4E 47 22 3B 76 61 72 20 6F 3D 22 49 53 20 54 48 45 22 3B 76 61 72 20 69 3D 22 4F 4E 4C 59 20 57 41 59 22 3B 76 61 72 20 66 3D 6E 75 6C 6C 3B 76 61 72 20 6C 3D 66 61 6C 73 65 3B 76 61 72 20 64 3B 69 66 28 66 3D 3D 3D 6E 75 6C 6C 29 7B 63 6F 6E 73 6F 6C 65 2E 6C 6F 67 28 22 46 6C 61 67 3A 22 2B 6E 2B 22 20 22 2B 65 2B 22 20 22 2B 6F 2B 22 20 22 2B 69 29 3B 64 3D 75 6E 64 65 66 69 6E 65 64 7D 65 6C 73 65 20 69 66 28 74 79 70 65 6F 66 20 66 3D 3D 3D 22 75 6E 64 65 66 69 6E 65 64 22 29 7B 64 3D 75 6E 64 65 66 69 6E 65 64 7D 65 6C 73 65 7B 69 66 28 6C 29 7B 64 3D 75 6E 64 65 66 69 6E 65 64 7D 65 6C 73 65 7B 28 66 75 6E 63 74 69 6F 6E 28 29 7B 69 66 28 64 29 7B 66 6F 72 28 76 61 72 20 6E 3D 30 3B 6E 3C 31 30 3B 6E 2B 2B 29 7B 63 6F 6E 73 6F 6C 65 2E 6C 6F 67 28 22 54 68 69 73 20 63 6F 64 65 20 64 6F 65 73 20 6E 6F 74 68 69 6E 67 2E 22 29 7D 64 6F 4E 6F 74 68 69 6E 67 28 29 7D 65 6C 73 65 7B 64 6F 4E 6F 74 68 69 6E 67 28 29 7D 7D 29 28 29 7D 7D 7D 29 28 29 3B
Are you able to tell what the encoding is? Hint: it starts with h**.
2. What is the flag value after deobfuscating the file?
Let's take what we figured out about this code's encoding and use CyberChef to make it readable.
Here we can see that by adding From Hex & JavaScript Minify we are able to clearly see the Flag for the question. Note this question just wants the contents of the flag.
Now that we have deobfuscated it, give yourself a pat on the back. Also note for yourself that there will often be multiple steps required in order to deobfuscate an object.
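The CyberChef recipe above is one way to do the decoding; the same two steps (hex to bytes, then reading the JavaScript for its string literals) are easy to script, which helps when a page ships several such blobs. The snippet below is an added example, not code from the room or from the original post. The hex payload it decodes is a constructed stand-in with placeholder literals, written in the same space-separated two-digit style as the custom.min.js blob above, and the helper names are my own.

```python
import re
import string
from typing import List

# Constructed sample: a tiny JavaScript snippet hex-encoded the same way the
# obfuscated custom.min.js blob is (two hex digits per byte, space-separated).
# It is NOT the room's script; "FLAG" and "PART" are placeholder literals.
SAMPLE_HEX = (
    "28 66 75 6E 63 74 69 6F 6E 28 29 7B 76 61 72 20 6E 3D 22 46 4C 41 47 22 3B "
    "76 61 72 20 65 3D 22 50 41 52 54 22 3B 63 6F 6E 73 6F 6C 65 2E 6C 6F 67 28 "
    "22 46 6C 61 67 3A 22 2B 6E 2B 22 20 22 2B 65 29 7D 29 28 29 3B"
)


def _strip_hex(text: str) -> str:
    # Drop whitespace and optional 0x prefixes so both "28 66" and "0x28,0x66" work.
    return re.sub(r"0x|[\s,]+", "", text, flags=re.IGNORECASE)


def looks_like_hex(text: str) -> bool:
    """Cheap triage check: only hex digits remain and there is an even count of them."""
    digits = _strip_hex(text)
    return bool(digits) and len(digits) % 2 == 0 and all(c in string.hexdigits for c in digits)


def decode_hex(text: str) -> str:
    """Turn a hex dump back into text (CyberChef's 'From Hex')."""
    return bytes.fromhex(_strip_hex(text)).decode("utf-8", errors="replace")


def string_literals(js: str) -> List[str]:
    """Every double-quoted literal in the script, in source order."""
    return re.findall(r'"((?:[^"\\]|\\.)*)"', js)


def recover_flag(js: str) -> str:
    """Join the literals assigned to variables, which is what the script's
    console.log concatenates before printing 'Flag:'."""
    assigned = re.findall(r'var\s+\w+\s*=\s*"([^"]*)"', js)
    return " ".join(assigned)


if __name__ == "__main__":
    if looks_like_hex(SAMPLE_HEX):
        js = decode_hex(SAMPLE_HEX)
        print("Decoded script:", js)
        print("Literals:", string_literals(js))
        print("Flag text:", recover_flag(js))
```

Paste the real blob from custom.min.js into SAMPLE_HEX and the same functions recover its flag; the regex in recover_flag assumes the pattern seen in the decoded script (string literals assigned to short variables and concatenated), so on a differently structured script read string_literals instead.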
3. Logging is an important aspect. What is the name of the file containing email dumps?
This question tells us that logging is important. So if it's so important, I wonder if Bob, the site's creator, set any up? Let's take a look back at the remaining two scripts we located on the homepage of the website.
The notable script here is (index). Something you want to look for in any code is comments. These are a way developers make notes for themselves, and if they forget to remove them it can pose a major security concern. Note that comments are written differently depending on the coding language.
Looking through (index) we see multiple comments. Some of these seem harmless such as:
<!-- THIS IS OFFCIAL FILE - DO NOT CHANGE IT -->
Now that you have seen an example of a comment from this HTML code take a look at the others. Do any of them seem like they might indicate a common place for any logs to be placed?
Once you have found the directory that contains the logs, navigate to it, ignoring the "." portion of it. We can ignore that because "./" just means the current directory. This is what your URL should look like: http://<target ip>/l***.
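Hunting for leftover comments by hand works on one page, but the lesson for Bob's team is that this check belongs in a build step. The scanner below is an added example, not part of the room or the original post: it pulls every HTML comment out of a page and flags the ones that mention paths, e-mail addresses or tell-tale words like TODO or "logs". The sample page is constructed for the example; only the "OFFCIAL FILE" comment is quoted from the room's index, the other two comments are made up.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed sample page. The first comment is the one quoted from the room's
# index; the other two are invented to look like developer leftovers.
SAMPLE_HTML = """<html><head><title>Travel</title></head>
<body>
<!-- THIS IS OFFCIAL FILE - DO NOT CHANGE IT -->
<!-- TODO: remove before release, logs are kept in ./example_logs/ -->
<p>Welcome to our tourism site.</p>
<!-- contact devteam@example.com for API keys -->
</body></html>"""

PATH_RE = re.compile(r"\.{0,2}/[\w./-]+")          # ./logs/, /var/www/x, ../secret
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
KEYWORD_RE = re.compile(r"\b(todo|fixme|remove|password|keys?|secret|logs?)\b", re.IGNORECASE)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())


def find_comments(html: str) -> List[str]:
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def classify(comment: str) -> List[str]:
    """Reasons a comment should be reviewed before the page ships (empty = fine)."""
    reasons = []
    if PATH_RE.search(comment):
        reasons.append("path")
    if EMAIL_RE.search(comment):
        reasons.append("email")
    if KEYWORD_RE.search(comment):
        reasons.append("keyword")
    return reasons


def review_comments(html: str) -> List[Tuple[str, List[str]]]:
    """Only the comments that tripped at least one rule, with their reasons."""
    flagged = []
    for comment in find_comments(html):
        reasons = classify(comment)
        if reasons:
            flagged.append((comment, reasons))
    return flagged


if __name__ == "__main__":
    for comment, reasons in review_comments(SAMPLE_HTML):
        print(f"[{', '.join(reasons)}] {comment}")
```

Wire review_comments over the built HTML in CI and fail the build when it returns anything; a comment like the second one would then never reach production, which is exactly how the log directory leaked here.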
4. The logs folder contains email logs and has a message for the software team lead. What is the name of the directory that Bob has created?
Since we only have one file of note in this directory, let's dive right into it and see what we have.
This email dump talks about two key things. Firstly, we are told about a newly created directory with required information about an API. This directory is named after the first phase of the SSDLC (Secure Software Development Life Cycle). The second key note is that we need a password to access the directory, and we are given said password.
Now that we know we need to find a directory, let's look at the hint we are given about its name. We know it's named after the first phase of the SSDLC. The problem with this is that the phases are often referred to by different names. If you aren't sure, I suggest giving ChatGPT a shot, asking it to "list out different terms used for the first phase of SSDLC".
Hint for this one: p****ing.
5. What is the key file for opening the directory that Bob has created for Mark?
We found this while exploring the email above; the answer is wanted in the format THM{*********}.
6. What is the email address for ID 5 using the leaked API endpoint?
Now that we have found the directory for the API instructions during question 4, let's navigate to it and see what we have: http://<target ip>/p****ing.
We are shown both an example of a request and the response it will give. Based on the request we can see that we are querying the API for information about specific customer IDs. This can be done any number of ways, even simply taking the request format and navigating to it in the browser. I decided to go the route of writing a Python script that asks us for the target IP and the number of customer IDs we want to check.
import requests


def call_api(target_ip, customer_id):
    # Query one customer record from the leaked endpoint and print the JSON body.
    endpoint = f"http://{target_ip}/api/?customer_id={customer_id}"
    try:
        response = requests.get(endpoint, timeout=10)
        response.raise_for_status()
        data = response.json()
        print(f"\nResponse for customer_id={customer_id}:\n\n{data}\n\n")
    except requests.exceptions.RequestException as e:
        print(f"Error occurred for customer_id={customer_id}: {e}")
    except ValueError:
        print(f"Response for customer_id={customer_id} was not valid JSON")


def main():
    target_ip = input("Enter the target IP address: ")
    try:
        num_ids = int(input("Enter the number of IDs: "))
        # Walk IDs 1..num_ids so the odd record out (the admin) stands out.
        for i in range(1, num_ids + 1):
            call_api(target_ip, i)
    except ValueError:
        print("Invalid input. Please enter a valid number of IDs.")


if __name__ == "__main__":
    main()
To use this script simply save it to a file and then run that file with Python. You will be prompted for the rest; no manual editing of the script is needed.
As you can see, the script made a query for five IDs since that is what I asked for. Most of them seem to contain fake information since all of the users are marked as isadmin. The two we should pay attention to are IDs 3 & 5.
For customer_id 5 we can clearly see their email listed, so we are able to complete this question.
For customer_id 3 we see what seems to be an actual admin account; we will need this info moving forward.
7. What is the ID for the user with admin privileges?
We located this in question 6 using the script. If you opted to try your hand at another route, then check the first 5 IDs and I am sure you will spot the different one.
8. What is the endpoint for logging in as the admin? Mention the last endpoint instead of the URL. For example, if the answer is URL is tryhackme.com/admin — Just write /admin.
Again located in question 6: check what the user's loginURL is.
9. The attacker uploaded a web shell and renamed a file used for managing the server. Can you find the name of the web shell that the attacker has uploaded?
Since we located what should be the admin login page in the previous questions, let's go ahead and navigate to it: http://<target ip>/rea******.
Greeted with an Admin Login, let's use the credentials from customer_id 3.
Success, we have access to an Admin Page. The page says we can execute commands using the dropdown. It contains two options:
- System Owner: executes a whoami command on the server
- Current Directory: executes pwd on the server
Neither of these gives us much useful information. So let's try to see how exactly it is running these commands whenever we hit Execute. We can figure this out by intercepting one of these requests. I am going to use Burp Suite because I wanted more practice with it.
I started by opening Burp Suite and intercepted what happens when I hit the Execute button on the Admin Page.
Interesting: we see here that it's just sending the command in a request body parameter. Let's send this over to the Repeater tab in Burp Suite. We can do this either by right-clicking the intercepted request and choosing Send to Repeater, or by pressing Ctrl-R.
Now that we have it set up in Repeater, we have RCE (Remote Code Execution) on the server!!
Let's take advantage of that by running ls -lsa and seeing what we have access to.
Now we are shown a ton of useful information about our current directory, including the shell the attacker uploaded, which is the answer to our current question: thm_****.***
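The intercepted request shows the root cause: the admin page takes the command text straight from a request parameter and hands it to the system, so the dropdown is only a suggestion. The fix is for the client to pick a label and for the server to map that label to a fixed argument list, never a shell string. The code below is an added example for the secure coding point, not the room's PHP handler (which is not reproduced here); the dropdown labels, the ALLOWED_ACTIONS mapping and the function names are my own assumptions.

```python
import subprocess
from typing import Dict, List

# Hypothetical mapping of the two dropdown labels seen on the admin page to fixed
# argument vectors. Labels and names are assumptions for this example.
ALLOWED_ACTIONS: Dict[str, List[str]] = {
    "System Owner": ["whoami"],
    "Current Directory": ["pwd"],
}


def vulnerable_handler(cmd: str) -> str:
    """Anti-pattern matching what the intercepted request showed: the raw parameter
    value is the command, and shell=True lets the client chain anything after it.
    Kept here only for contrast; nothing in this example calls it."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def resolve_action(action: str) -> List[str]:
    """Map a dropdown label to its fixed argv; anything not in the allowlist is rejected."""
    try:
        return list(ALLOWED_ACTIONS[action])
    except KeyError:
        raise ValueError(f"unknown action: {action!r}") from None


def hardened_handler(action: str) -> str:
    """Server-side handler: label in, fixed argv out, no shell involved."""
    argv = resolve_action(action)
    # shell=False and a list means no shell ever parses client input, so
    # characters like ';' or '|' in the request are simply part of an unknown label.
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


def has_shell_metacharacters(value: str) -> bool:
    """Detection aid for a legacy endpoint while it is being fixed: worth logging
    and alerting on, but not a substitute for the allowlist above."""
    return any(ch in value for ch in ";|&`$(){}<>\n")


if __name__ == "__main__":
    for label in ALLOWED_ACTIONS:
        print(f"{label}: {hardened_handler(label)}")
    for attempt in ("System Owner", "whoami; ls -lsa"):
        try:
            print(attempt, "->", resolve_action(attempt), "suspicious:", has_shell_metacharacters(attempt))
        except ValueError as err:
            print(attempt, "->", err, "suspicious:", has_shell_metacharacters(attempt))
```

With the hardened handler, the Repeater trick above stops working: the parameter no longer carries a command, so there is nothing to append to. The metacharacter check is only there to make the old behaviour visible in logs until the allowlist version is deployed.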
10. What is the name of the file renamed by the attacker for managing the web server?
We located this during question 9 when we ran the ls -lsa command. Hint: rena***_****_*******.***
11. Can you use the file manager to restore the original website by removing the “FINALLY HACKED” message? What is the flag value after restoring the main website?
We have done it: we found how the attacker exploited the system and located massive security flaws in Bob's code. It's time to finish things up and help him restore the website back to its original state.
During question 9 we ran ls -lsa; at the top of the response to the command we can see a password for accessing the original file manager: THM{*****}. Along with this we found a file renamed by the attacker: rena***_****_*******.***
Taking both of these bits of information, we can navigate to the renamed file at http://<target ip>/realadmin/rena***_****_*******.*** and use the password to sign in. Once we do that we will find the following page.
Now that we are in, we see that we have access to a file manager for the server. Since we are trying to restore the server and remove the hacker's message, let's explore the index.php file.
If you want, the flag is shown in the highlighted code here, but I will continue just a bit further to get the flag back onto the homepage of the site.
To do this we can work backwards. I highlighted a bit of the code:
if($message !="FINALLY HACKED")
This code shows that as long as the variable message is set to "FINALLY HACKED", the block's contents won't run. Note the "!=" means not equal to.
We can hit Edit on this page to go into a built in editor.
I decided to make one small edit to the hacker's message. See, the page is "FINALLY NOT HACKED" as opposed to it being "FINALLY HACKED".
All solved I fixed all the issues as the message says!!
Save these changes and let's see if we have resolved the site's issues. We can check by simply navigating back to the site's homepage at: http://<target ip>/
I suggest doing this in another tab just in case what you changed wasn’t enough.
There we have it, we have solved the final question!! This room is a really simple one for those who want to learn a bit about a variety of secure coding practices. Hopefully you enjoyed the walkthrough of this room. If you feel like I should add more or less detail, please leave a comment to let me know for future writeups.