Authenticate: TryHackMe Room

Hello World! Welcome to the blog…

You can also try amazing rooms by purchasing a premium TryHackMe subscription.

  • Before starting, make sure to connect to the TryHackMe server using the VPN configuration file provided.
    [If you don’t have OpenVPN installed, run: sudo apt install openvpn]

Alright! Let's begin.

Go to the Authenticate room inside your Hacktivities.

Task 1 — Deploy the VM:

  • Copy the IP address of the VM.
  • Then perform an Nmap scan.
  • So port 80 is not open! Let’s get the services’ information by adding the -sV option to the Nmap scan. After the scan, you can see that ports 5000, 7777 and 8888 are running an httpd service.
    Now let’s browse the ports running the httpd service.

Task 2 — Dictionary Attack:

  • After going through the description, it is pretty clear that we have to perform a brute-force attack, so let's fire up Burp Suite.
  • Capture the login request and send it to the Intruder tab to perform the attack, add the position as given, and add the required payloads for the attack.
  • We got the password by performing the attack, and after logging in with the password we get the flag.
  • Perform the same attack for Mike’s credentials, and you will get the rest of the answers as well.

Task 3 — Re-registration:

  • Register Darren as given in the description.
  • Then log in with the registered credentials, and you will get the flag.
  • Perform the same steps for Arthur's account, and you will get the rest of the answers.

Task 4 — JSON Web Token:

  • Navigate to port 5000.
    Log in as given in the description, and make sure to capture the request:
  • Captured Request for Authentication:
  • Captured Request for Login:
  • Success Alert for Guest User:
  • Now log in to the system again and modify the JWT: decode the first two parts of the token (using CyberChef) as given in the task description.
  • After logging in, you will get the admin flag.
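
The first two parts of a JWT are only base64url-encoded, which is why they can be decoded and edited as in Task 4; the protection has to come from the server's signature check. The following is an added example, not code from the room or from this write-up: a minimal standard-library HS256 verifier that pins the algorithm on the server side and rejects a token whose header or payload was changed. The key, the claim names and the function names are assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: server-side HMAC key, not from the room
PINNED_ALG = "HS256"              # chosen by the server, never read from the token

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def issue(claims: dict, key: bytes = SECRET) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": PINNED_ALG, "typ": "JWT"}
    body = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(mac)

def verify(token: str, key: bytes = SECRET) -> dict:
    """Return the claims only if the header names the pinned algorithm and the MAC matches."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed or unsigned token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("undecodable token") from None
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))  # payload is trusted only after the MAC check

def check(token: str) -> str:
    """Classify a token for logging: 'ok' or the rejection reason."""
    try:
        verify(token)
        return "ok"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    guest = issue({"user": "guest"})  # constructed sample claim
    h, p, s = guest.split(".")
    edited = ".".join([h, b64url_encode(b'{"user":"admin"}'), s])  # payload edited, old signature kept
    print(check(guest), "|", check(edited))
```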

Task 5 — No Auth:

  • Navigate to port 7777, and this form will appear:
  • Navigate to /users/1.
  • When we navigated to /users/2, we got the admin password and some sort of secret data.
  • Now for this task, let’s try to fuzz the user ID. When passing the user ID as 0, we get the superadmin’s data.
  • Now we have the answers.

And CONGRATULATIONS, you have successfully completed the room!

For any queries, drop me an email.

Cyber Security Student | CTF Player | Not Really An Author