Traverse TryHackMe CTF: Exploit Weak API Security for Privileged Access

This walkthrough will go over the Traverse room found on TryHackMe. This box aims to test your knowledge of secure software principles while introducing you to API endpoints and ways to manipulate parameters to obtain critical information. Additionally, you're presented with an opportunity to tailor HTTP requests in order to POST commands to further enumerate the backend server.

What type of encoding is used by the hackers to obfuscate the JavaScript file?

Looking at the source code reveals a custom JavaScript file on line 14.

At first glance this looks like hex encoding (the file is nothing but the characters 0-9 and a-f, in pairs). Let's confirm it and decode it with CyberChef's From Hex operation. Note that this is encoding, not encryption: there is no key, so anyone who finds the file can reverse it.

Decoded:

What is the flag value after deobfuscating the file?

The decoded output is still obfuscated JavaScript crammed onto a few lines. Running it through CyberChef's JavaScript Beautify operation restores the formatting and reveals the flag.

Logging is an important aspect. What is the name of the file containing email dumps?

Going back to the source code on lines 25 and 26 reveals a directory. Let's check it out.

Sure enough, there's our email_dump.txt file. Let's see what it contains.

The logs folder contains email logs and has a message for the software team lead. What is the name of the directory that Bob has created?

The message tells us the directory is named after the first phase of the SDLC: planning.

What is the key file for opening the directory that Bob has created for Mark?

The same email_dump.txt file also contains the key for opening the directory. Entering that key into the form takes us to the API content.

What is the email address for ID 5 using the leaked API endpoint?

Appending the leaked endpoint path to the base URL and requesting ID 5 returns that user's record as raw JSON, email address included.

What is the ID for the user with admin privileges?

Incrementing the id value reveals the admin user. The endpoint hands back any record for any id it is given, without checking who is asking, which is a textbook insecure direct object reference (IDOR).
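The following is an added example and not code from the room or this post. It models the leaked endpoint in Python with a constructed in-memory user table (names, fields and records are assumptions): the vulnerable handler trusts the id it is given, the hardened handler enforces object-level authorization and strips secrets, and `find_admin` does what "incrementing the id" does by hand.

```python
"""Added example: why walking the id parameter leaked the admin record.

Everything here is constructed for illustration; the real room's data,
field names and endpoint differ.
"""
from typing import Optional

# Constructed sample table standing in for the backend database.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com", "role": "user", "password": "hunter2"},
    2: {"id": 2, "name": "bob",   "email": "bob@example.com",   "role": "user", "password": "planning1"},
    3: {"id": 3, "name": "mark",  "email": "mark@example.com",  "role": "user", "password": "lead"},
    4: {"id": 4, "name": "admin", "email": "admin@example.com", "role": "admin", "password": "s3cret"},
}
PUBLIC_FIELDS = ("id", "name", "email", "role")


def get_user_vulnerable(session_user_id: int, requested_id: int) -> Optional[dict]:
    """IDOR pattern: the caller's identity is never consulted, the id in the
    URL is looked up as-is, and the full row (password included) is returned."""
    return USERS.get(requested_id)


def get_user_hardened(session_user_id: int, requested_id: int) -> Optional[dict]:
    """Object-level authorization: a user may read only their own record, an
    admin may read any record, and secret fields never leave the server."""
    caller = USERS.get(session_user_id)
    if caller is None:
        return None                          # not logged in: 401 in a real handler
    if caller["role"] != "admin" and requested_id != session_user_id:
        return None                          # someone else's object: 403
    record = USERS.get(requested_id)
    if record is None:
        return None
    return {k: record[k] for k in PUBLIC_FIELDS}


def enumerate_ids(handler, session_user_id: int, id_range) -> dict:
    """Walk the id space and collect every record the handler hands back."""
    found = {}
    for i in id_range:
        rec = handler(session_user_id, i)
        if rec is not None:
            found[i] = rec
    return found


def find_admin(handler, session_user_id: int, id_range) -> Optional[int]:
    """Return the first id whose record carries the admin role, or None."""
    for i, rec in enumerate_ids(handler, session_user_id, id_range).items():
        if rec.get("role") == "admin":
            return i
    return None


if __name__ == "__main__":
    # Logged in as the lowest-privileged user, try ids 1..19 against each handler.
    print("vulnerable:", find_admin(get_user_vulnerable, 1, range(1, 20)))
    print("hardened:  ", find_admin(get_user_hardened, 1, range(1, 20)))
```

Against the vulnerable handler the loop stops at id 4 and the returned record still carries the password, which is exactly how the admin credentials fall out of the API in the room. Against the hardened handler the same loop finds nothing, because the only record a normal user can retrieve is their own.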

What is the endpoint for logging in as the admin? Mention the last endpoint instead of the URL. For example, if the answer is URL is tryhackme.com/admin - Just write /admin.

The attacker uploaded a web shell and renamed a file used for managing the server. Can you find the name of the web shell that the attacker has uploaded?

First, we need to log in to track down this web shell, using the admin credentials obtained through the API endpoint.

Logging in brings us to this Admin Page.

Intercepting the page's POST request in Burp Suite shows that the command it runs is sent by the browser in a commands parameter. Because the server executes whatever arrives in that parameter, we can rewrite it to run commands beyond what the page intended.

We can accomplish this in 4 simple steps:

  1. Launch Burp Suite.

  2. Route traffic from our browser through Burp via FoxyProxy (my preferred way).

  3. Right-click the intercepted request and send it to Repeater.

  4. Change the commands parameter from whoami to ls to list the current working directory and gain more information.
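The following is an added example, not code from the room or this post, written in Python to model what the Repeater step above exploits. `build_tampered_request` produces the raw POST that is sent after swapping whoami for ls; `run_command_vulnerable` is the kind of server-side handler that makes the swap work; `run_command_allowlisted` is the fix. The host, path, cookie, and allowlist entries are assumptions, not the room's real values.

```python
"""Added example: tampering with the commands parameter, and why it works.

Host, path, cookie and the allowlist contents are constructed for
illustration and are not the room's real values.
"""
import subprocess
from typing import Optional
from urllib.parse import urlencode

HOST = "traverse.thm"                  # assumed
PATH = "/realadmin/admin.php"          # assumed; not the room's real path
SESSION_COOKIE = "PHPSESSID=deadbeef"  # constructed


def build_tampered_request(command: str) -> bytes:
    """The raw HTTP/1.1 POST as Burp Repeater would send it, with the
    attacker-chosen command in the form body instead of the page's whoami."""
    body = urlencode({"commands": command})
    lines = [
        f"POST {PATH} HTTP/1.1",
        f"Host: {HOST}",
        f"Cookie: {SESSION_COOKIE}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        body,
    ]
    return "\r\n".join(lines).encode()


def run_command_vulnerable(form: dict) -> str:
    """Server side as the admin page behaves: whatever arrives in `commands`
    is handed to a shell. whoami was the intended value, but ls, cat, or
    `a; b` chains run just as happily."""
    proc = subprocess.run(form["commands"], shell=True, capture_output=True, text=True)
    return proc.stdout


# Hardened form: the client picks a *name*, the server owns the argv.
ALLOWED = {
    "whoami": ["whoami"],
    "id": ["id"],
}


def run_command_allowlisted(form: dict) -> Optional[str]:
    """No shell is involved and unknown names are rejected, so metacharacters
    and extra commands have nowhere to go. Returns None on rejection
    (a real handler would log it and answer 400)."""
    argv = ALLOWED.get(form.get("commands", ""))
    if argv is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print(build_tampered_request("ls").decode())
    print(run_command_vulnerable({"commands": "echo pwned; echo twice"}))
    print(run_command_allowlisted({"commands": "ls"}))
```

The vulnerable handler treats the parameter as a program to run; the allowlisted one treats it as a lookup key. That distinction, plus `shell=False`, is the whole fix: the tampered request still arrives, but `ls` is not a key in the table, so nothing executes.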

What is the name of the file renamed by the attacker for managing the web server?

This can be retrieved from the response to our tailored Burp Suite request.

Can you use the file manager to restore the original website by removing the "FINALLY HACKED" message? What is the flag value after restoring the main website?

We can do this by browsing to /realadmin/REDACTED_****_*****er.php and entering the password we discovered.

File Manager:

Opening index.php and selecting the Advanced Editor lets us remove the "Finally Hacked" message and retrieve the final flag.


Support J4KE - Cybersecurity Blog by becoming a sponsor. Any amount is appreciated!