Authenticate: TryHackMe Room

Hello World! Welcome to the blog…

You guys can also try amazing room by purchasing a premium subscription of TryHackMe.

• Before starting, Make sure to connect to the TryHackMe server using the VPN configurations file provided.
  [If you don’t have OpenVPN installed then: sudo apt install openvpn]

Alright! Let's begin.

Go to Authenticate Room inside Your Hacktivities:

Room Overview

Task 1 — Deploy the VM:

Task 1

• Copy IP address of the VM:

Active Machine Information

• Then perform NMAP Scan:

NMAP Scan

• So port 80 is not open! Let’s get the service’s information by applying -sV options with NMAP Scan. After the scan, you can see that port 5000, 7777, 8888 are running httpd service.
  Now let’s browse the ports running httpd service:

Port 5000

Port 7777

Port 8888

Task 2 — Dictionary Attack:

Task 2

• After going through the description, it is pretty clear that we have to perform a brute-force attack, so lets fire-up Burp-Suite.

Burp Suite Loading Screen

• Capture the login request and send it to the intruder tab to perform the attack, add the position as given, and add the required payloads for the attack.

Brute Force Attack

• We got the password by performing the attack, And after logging in with the password we get the flag:

Flag Page

• Perform the same attack for Mike’s credentials, You will get the rest of the answers as well:

Quiz Form

Task 3 — Re-registration:

Task 3

• Register Darren as given in the description.

Registration Form

• Then login with the registered credentials, You will get the flag:

Flag Page

• Perform the steps for Arthur's account, You will get rest of the answers:

Quiz Form

Task 4 — JSON Web Token:

Task 4

• Navigate to port number 5000.
  Perform login as given in the description, and make sure to capture the request:

Landing Page

• Captured Request for Authentication:

Captured Request

• Captured Request for Login:

Captured Request

• Success Alert for Guest User:

Welcome Alert

• Now again login to the system and modify the JWT Token, decode (using CyberChef) the first two part of the token as given in the task description:

Modified Request

• After logging in, You will get the admin flag:

Flag Page

Quiz Form

Task 5 — No Auth:

Task 5

• Navigate to the port number 7777, This form will appear:

Landing Page

• Navigate to /users/1:

User Data Page

• When navigated to /users/2, we got the admin password & some sort of secret data:

Admin Data Page

• Now for this task, let’s try to fuzz the user-id, when passing user-id as 0, we get the superadmin’s data:

Super Admin Data Page

• Now we got the answers:

Quiz Form

And CONGRATULATIONS, You have successfully completed the room!

For any queries, drop me an email akshatsoni64@protonmail.com