Hello World! Welcome to the blog…
You can also try this amazing room by purchasing a premium TryHackMe subscription.
- Before starting, make sure to connect to the TryHackMe server using the VPN configuration file provided.
[If you don’t have OpenVPN installed, run: sudo apt install openvpn]
Alright! Let's begin.
Go to the Authenticate room inside your Hacktivities:
Task 1 — Deploy the VM:
- Copy the IP address of the VM:
- Then perform an Nmap scan:
- So port 80 is not open! Let’s get the services’ information by adding the -sV option to the Nmap scan. After the scan, you can see that ports 5000, 7777 and 8888 are running an httpd service.
Now let’s browse the ports running the httpd service:
Task 2 — Dictionary Attack:
- After going through the description, it is pretty clear that we have to perform a brute-force attack, so let’s fire up Burp Suite.
- Capture the login request and send it to the Intruder tab to perform the attack, add the position as given, and add the required payloads for the attack.
- We got the password by performing the attack, and after logging in with the password we get the flag:
- Perform the same attack for Mike’s credentials, and you will get the rest of the answers as well:
Task 3 — Re-registration:
- Register Darren as given in the description.
- Then log in with the registered credentials, and you will get the flag:
- Perform the same steps for Arthur's account, and you will get the rest of the answers:
Task 4 — JSON Web Token:
- Navigate to port number 5000.
- Log in as given in the description, and make sure to capture the request:
- Captured Request for Authentication:
- Captured Request for Login:
- Success Alert for Guest User:
- Now log in to the system again and modify the JWT token: decode (using CyberChef) the first two parts of the token as given in the task description:
- After logging in, you will get the admin flag:
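Decoding the first two parts of a JWT needs no key, so what protects the server is verifying the signature with an algorithm it pins itself. The Python sketch below is an added example, not code from the room or from this walkthrough; the key, the claim names (userid, role) and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: made-up server-side HS256 key

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, key: bytes = SECRET) -> str:  # server side: issue an HS256 token
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def decode_unverified(token: str):
    """What any client or proxy can do: read header and payload without the key."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def verify(token: str, key: bytes = SECRET) -> dict:
    """Return the claims only if the token is intact and uses the pinned algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    # Pin the algorithm server-side; never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def is_accepted(token: str) -> bool:
    try:
        verify(token)
        return True
    except ValueError:  # also covers base64 and JSON decoding errors
        return False

def with_edited_part(token: str, index: int, changes: dict) -> str:
    """Constructed test input: re-encode header (0) or payload (1) with changed fields."""
    parts = token.split(".")
    obj = json.loads(b64url_decode(parts[index]))
    obj.update(changes)
    parts[index] = b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join(parts)
```

A token whose header or payload has been re-encoded fails verify() here, because the HMAC covers both parts and the accepted algorithm is fixed by the server.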
Task 5 — No Auth:
- Navigate to port number 7777, and this form will appear:
- Navigate to /users/1:
- When we navigated to /users/2, we got the admin password and some sort of secret data:
- Now for this task, let’s try fuzzing the user ID. When passing the user ID as 0, we get the superadmin’s data:
- Now we got the answers:
And CONGRATULATIONS, you have successfully completed the room!
For any queries, drop me an email firstname.lastname@example.org