Table of contents
- What type of encoding is used by the hackers to obfuscate the JavaScript file?
- What is the flag value after deobfuscating the file?
- Logging is an important aspect. What is the name of the file containing email dumps?
- The logs folder contains email logs and has a message for the software team lead. What is the name of the directory that Bob has created?
- What is the key file for opening the directory that Bob has created for Mark?
- What is the email address for ID 5 using the leaked API endpoint?
- What is the ID for the user with admin privileges?
- What is the endpoint for logging in as the admin? Mention the last endpoint instead of the URL. For example, if the answer URL is tryhackme.com/admin, just write /admin.
- The attacker uploaded a web shell and renamed a file used for managing the server. Can you find the name of the web shell that the attacker has uploaded?
- What is the name of the file renamed by the attacker for managing the web server?
- Can you use the file manager to restore the original website by removing the "FINALLY HACKED" message? What is the flag value after restoring the main website?
This walkthrough will go over the Traverse room found on TryHackMe. This box aims to test your knowledge of secure software principles while introducing you to API endpoints and ways to manipulate parameters to obtain critical information. Additionally, you're presented with an opportunity to tailor HTTP requests in order to POST commands to further enumerate the backend server.
What type of encoding is used by the hackers to obfuscate the JavaScript file?
Looking at the source code reveals a custom JavaScript file on line 14.
At first glance, this looks like hex. Let's confirm it and decode it using CyberChef.
Decoded:
What is the flag value after deobfuscating the file?
Running the decoded output through JavaScript Minify reveals the flag.
Logging is an important aspect. What is the name of the file containing email dumps?
Going back to the source code on lines 25 and 26 reveals a directory. Let's check it out.
Sure enough, there's our email_dump.txt file. Let's see what it contains.
The logs folder contains email logs and has a message for the software team lead. What is the name of the directory that Bob has created?
Hmmm... So the directory is named after the first phase of the SDLC, planning.
What is the key file for opening the directory that Bob has created for Mark?
Going back to the content found in the email_dump.txt file reveals the key for opening the directory. Putting the key we obtained into the form brings us to our API content.
What is the email address for ID 5 using the leaked API endpoint?
Appending the leaked API endpoint to our base URL returns raw user data in JSON format.
What is the ID for the user with admin privileges?
Playing around with the id numbers reveals our admin user.
What is the endpoint for logging in as the admin? Mention the last endpoint instead of the URL. For example, if the answer URL is tryhackme.com/admin, just write /admin.
The attacker uploaded a web shell and renamed a file used for managing the server. Can you find the name of the web shell that the attacker has uploaded?
First, we need to log in to track down this web shell. We can use the credentials obtained through the API endpoint.
Logging in brings us to this Admin Page.
Intercepting the POST request through Burp Suite allows us to manipulate the command beyond what was intended.
We can accomplish this in 4 simple steps:
1. Launch Burp Suite.
2. Route traffic from our browser via FoxyProxy (my preferred way).
3. Right-click the intercepted request and send it to Repeater.
4. Change the commands variable from whoami to ls to view the content of the current working directory and gain more information.
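As an added example (not code from the room or from this write-up), here is why swapping the parameter value worked and how a handler should treat that parameter instead: the value selects a fixed action rather than becoming the command line, and anything else is rejected and can be logged. ALLOWED_ACTIONS, RejectedCommand and audit_commands_param are assumed names, not the room's own code.

```python
import subprocess
from typing import List, Optional

# Constructed example (not the room's backend code). The admin page took a
# "commands" POST parameter and ran its value, which is why "whoami" could be
# swapped for "ls" in Burp Repeater. Below: that pattern, a hardened version,
# and a check that flags tampered values so they can be logged.

SHELL_META = set(";|&`$<>(){}\r\n")

# Vulnerable pattern: the parameter value becomes the shell command line.
def run_command_unsafe(commands: str) -> str:
    return subprocess.run(commands, shell=True, capture_output=True,
                          text=True).stdout

# Hardened pattern: the parameter only selects a fixed action. argv is never
# built from user input and no shell is involved.
ALLOWED_ACTIONS = {
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}

class RejectedCommand(ValueError):
    pass

def audit_commands_param(commands: str) -> Optional[str]:
    """Return a reason string if the value looks tampered with, else None."""
    if any(ch in SHELL_META for ch in commands):
        return "shell metacharacter in parameter"
    if commands.strip() not in ALLOWED_ACTIONS:
        return "action not on allow-list"
    return None

def resolve_action(commands: str) -> List[str]:
    reason = audit_commands_param(commands)
    if reason is not None:
        # a real handler would log the client address and raw value here,
        # which is the detection signal for this kind of tampering
        raise RejectedCommand(reason)
    return list(ALLOWED_ACTIONS[commands.strip()])

def run_action(commands: str) -> str:
    return subprocess.run(resolve_action(commands), capture_output=True,
                          text=True).stdout
```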
What is the name of the file renamed by the attacker for managing the web server?
This can be retrieved from the response to our tailored Burp Suite request.
Can you use the file manager to restore the original website by removing the "FINALLY HACKED" message? What is the flag value after restoring the main website?
We can do this by going to /realadmin/REDACTED_****_*****er.php and typing in our discovered password.
File Manager:
Clicking into index.php and selecting the Advanced Editor gives us the ability to remove the "Finally Hacked" message as well as retrieve our final flag.