TryHackMe Write-Up (1): Walking an Application
Hi Fellas! I’m back on Medium and intend to write something completely different from my daily work.
This month, I decided to sign up for a hands-on self-learning service. My interest in security arose because I did a lot of research for the fiction novels I wrote. Since then, I’ve been doing research as well as trying to learn (while playing) about the principles of security.
In this medium, I’ll post a write-up of the course I’m working on at TryHackMe.
Jr. Penetration Tester Path Overview
The Jr. Penetration Tester learning path contains a 56-hour course. It requires a basic understanding of fundamental computing principles. People who don’t work in IT are encouraged to take the “Pre-Security Pathway” first.
This path covers the core technical skills that will allow us to succeed as a junior penetration tester. Upon completing this course, you will have the practical skills necessary to perform security assessments against web applications and enterprise infrastructure as a junior pentester.
The following is an outline of the Jr. Penetration Tester learning path:
- Introduction to Pentesting: covers the security frameworks, testing techniques, and methodologies every pentester should know.
- Introduction to Web Hacking: get hands-on, learn and exploit some of the most popular web application vulnerabilities seen in the IT industry today.
- Burp Suite: get hands-on with this industry-standard tool for web application hacking, which is essential in any web penetration test.
- Network Security: learn the basics of passive and active network reconnaissance, understand how common network protocols work, and understand their attack vectors.
- Vulnerability Research: familiarize yourself with methods, skills and resources to exploit application and system vulnerabilities.
- Metasploit: become familiar with the most widely used exploitation framework and learn to use it to its full potential.
- Privilege Escalation: learn fundamental techniques that will allow us to elevate our account privileges.
Introduction to Web Hacking (1): Walking an Application
Since the first two courses are just introductions, I’ll jump to the first hands-on practice in section 1, “Introduction to Web Hacking”.
This course begins with some starter techniques for reviewing the security issues of a web application. We will make heavy use of the browser’s developer tools, such as Inspect Element and View Page Source.
Note: Every browser has its own names for these features, so please look them up for the browser you use.
We will jump to “Task 3” since the first two tasks are just explanations.
Task 3 is a series of starter capture-the-flag exercises for newbies (like me). We will dive into the page source feature and try to read some flags while following the instructions. By viewing the page source, THM tries to give us insight into what elements make up a website. We will be able to use the things behind this page source to explore web vulnerabilities.
To answer each task, after you start the virtual machine provided by TryHackMe, don’t forget to connect to the VPN. Because the VM uses a private IP address, you won’t be able to open it in your browser if your machine is not inside the THM lab network. As another option, you may want to consider using the AttackBox provided by THM, but in my opinion, the machine is too laggy since it’s opened via the browser too.
Then, let’s capture the flag!
Task 3 — 1: What is the flag from HTML comments?
To answer this, open the URL in your browser. Mine is: http://10.10.4.107/
Right-click on the page and choose “inspect element”. The source code will be shown along with other tabs such as: console, debugger, network, style editor, etc.
An HTML comment starts with <!-- followed by the comment text. You can easily find one at the beginning of the source code. Then, enter the URL mentioned in the comment into your browser and voilà! You’ve got the flag.
Task 3 — 2: What is the flag from the secret link?
Just because the website doesn’t display anything about a “secret” doesn’t mean it’s not there. That’s why we need the view page source feature. You can easily find the URL to “secret-page” in the source code. Enter the URL into your browser and submit the flag to THM.
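The two tasks above are also something a site owner can check before publishing. The script below is an added example, not part of the THM room: it lists every HTML comment and every link without visible text in a page. The sample HTML is constructed, /staging-home is a made-up path, and the `audit` helper is hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample page; /staging-home is a made-up path, /secret-page is the
# link name from the write-up.
SAMPLE = """<html><body>
<!-- Temporary homepage, the real site is being built at /staging-home -->
<p><a href="/contact">Contact</a></p>
<p>Our team<a href="/secret-page"></a> is growing.</p>
</body></html>"""


class SourceAudit(HTMLParser):
    """Collects what any visitor can read with 'view page source'."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.links = []      # each entry is [href, visible link text]
        self._open = None    # the <a> element currently being read

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._open = [href, ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def audit(html):
    """Return HTML comments and links that have no visible text."""
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    hidden = [href for href, text in parser.links if not text.strip()]
    return {"comments": parser.comments, "unlabelled_links": hidden}


if __name__ == "__main__":
    print(audit(SAMPLE))
```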
Task 3 — 3: What is the directory listing flag?
A website is simply a collection of files and directories under one root directory, and the web server serves the contents of that directory. One of the biggest problems with websites is when sensitive data sits in a directory and can be reached through a directory listing. Usually, this happens because there is no index file in the accessed directory.
Directory listing is dangerous because it can lead to data breaches and information disclosure. In this task, we will try to access a directory. For example, the page source references assets/staff.png. Here staff.png is a file and assets is a directory. What happens if we remove staff.png and access the assets directory instead?
Because no index file exists in the assets directory, the web server returns the directory contents to the web browser. You can easily find flag.txt containing the flag.
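To find this problem on your own server before someone else does, you can walk the web root and report every directory that has no index file. This is an added example, not from the THM room: the index file names are an assumption about the server's configuration, and the sample tree is constructed to mirror the assets directory described above.

```python
import os
import tempfile

# Assumption: the server treats these names as index files.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def listable_dirs(web_root):
    """Map each URL path that has no index file to the files it would list."""
    findings = {}
    for dirpath, _dirs, files in os.walk(web_root):
        if not INDEX_NAMES.isdisjoint(name.lower() for name in files):
            continue  # an index file is served instead of a listing
        rel = os.path.relpath(dirpath, web_root)
        url = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
        findings[url] = sorted(files)
    return findings


def build_sample_root():
    """Create a constructed web root that mirrors the layout in the write-up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for path in ("index.html", "news/index.html",
                 "assets/staff.png", "assets/flag.txt"):
        full = os.path.join(root, *path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as handle:
            handle.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for url, files in listable_dirs(build_sample_root()).items():
        print(url, "would list:", ", ".join(files))
```

Every directory it reports needs either an index file or automatic listing switched off in the server (for example `Options -Indexes` in Apache or `autoindex off` in nginx).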
Task 3 — 4: What is the framework flag?
The next exercise is to check the framework. Often a website is built with a framework rather than from scratch. We can use this to look for vulnerabilities in the framework, for example when the framework has not been updated.
At the bottom of the source code, you can find the framework used by the website.
Visit the URL and check the changelog. In the latest changelog, you can find that tmp.zip is being served from the root of the website. You can check it by typing http://MACHINE_IP/tmp.zip and letting your browser download the zip file.
The file flag.txt will be shown after the zip file is extracted. You’ve got the flag then.
Task 4: What is the flag behind the paywall?
The main purpose of this exercise is to bypass paid content. This lab shows one way to block paid content: adding another HTML element on top of the content. Because the block exists only in the page itself, it can be manipulated through the developer tools in our browser.
Visit http://MACHINE_IP/news/article?id=3 and inspect its elements.
Find the HTML div that blocks the content. Then move to its CSS and change display: block to display: none. The flag will appear.
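The reason this works is that the server has already sent the paid text and the div only covers it. The sketch below is an added example, not the room's code: it puts that overlay approach next to a version that leaves the paid text out of the response. The article text, the paywall-overlay class name and all function names are constructed for illustration.

```python
from html import escape

# Constructed article; the body stands in for the paid content.
ARTICLE = {"title": "Sample headline",
           "teaser": "First paragraph, free to read.",
           "body": "Paid paragraph that only subscribers should receive."}


def render_overlay(article, is_subscriber):
    """Weak: the paid text is always sent and only covered by a div."""
    blocker = "" if is_subscriber else (
        '<div class="paywall-overlay" style="display: block">'
        'Subscribe to keep reading</div>')
    return (f"<h1>{escape(article['title'])}</h1>{blocker}"
            f"<p>{escape(article['teaser'])}</p>"
            f"<p>{escape(article['body'])}</p>")


def render_server_side(article, is_subscriber):
    """Hardened: the server leaves the paid text out for non-subscribers."""
    parts = [f"<h1>{escape(article['title'])}</h1>",
             f"<p>{escape(article['teaser'])}</p>"]
    if is_subscriber:
        parts.append(f"<p>{escape(article['body'])}</p>")
    else:
        parts.append("<p>Subscribe to keep reading</p>")
    return "".join(parts)


def leaks_paid_text(html, article):
    """True when the response carries the paid text, whatever the CSS says."""
    return escape(article["body"]) in html


if __name__ == "__main__":
    print("overlay leaks:", leaks_paid_text(render_overlay(ARTICLE, False), ARTICLE))
    print("server-side leaks:",
          leaks_paid_text(render_server_side(ARTICLE, False), ARTICLE))
```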
Task 5: What is the flag in the red box?
This exercise requires the web browser’s debugger tools. Visit the contact page and reload it several times. We will notice a ‘red box’ that keeps disappearing. To pause it, we will use the debugger tools.
Inside the red box, you’ll find the flag.
Task 6: What is the flag shown on the contact-msg network request?
We will investigate the request that is made when we type something into the contact message form and send it. Click Inspect > Network, fill out the contact form, then click submit.
The Network tab will show you the request made by the submit button. It sends your data to the /contact-msg page. Visit that page to reveal the flag.
That’s it for today. I finished this lab two weeks ago, but only got the time to post the write-up today. I’ll be writing another write-up soon, because the lab is getting more difficult and more fun. Thanks for reading and see you in the next write-up!