Today we will work through the room, Walking An Application. This is a room designed to teach you how to find useful information using only your web browser. There can be all sorts of things hidden in the HTML of the code or in other files that can be useful to an attacker. Start off by simply opening a web browser and going to the machines IP address.
Looks like we have a company that provides IT support. We can view the source code by right clicking the page and selecting Inspect Element. You can also hit the F12 key which will open the Developer Tools.
You can see comments in green. These usually aren’t in production websites, but it’s possible someone leaves it in there by mistake. This could be a good place to find secret web pages, information on the technology running the website, passwords, or sadly in a recent case PHI. You should always check the source code to ensure there isn’t something loading that you don’t want others to see.
By visiting the new home page at http://<TargetIP>/new-home-beta we can get our first flag.
Analyzing the html code more, we can find a link to a secret page, which will give us our next flag.
Now we need to search for a directory that will list out all the files. At the bottom of the html code there are some JavaScript tags (<script>) that identify various sources for JavaScript files. By visiting /assets we find a file called flag.txt. Upon opening that we get the next flag. Finding hidden directories can open up a web application to many vulnerabilities, especially if you can upload files somewhere on the site and execute them later.
Looking at the very bottom of the main page’s source code, we see a comment telling us the page was generated using the THM Framework, specifically v1.2. This is great information for the attacker, because now we know how the page was developed. Upon visiting https://static-labs.tryhackme.cloud/sites/thm-web-framework there are 3 pages you can view: Home, Change Log, and Documentation If you look under Documentation there’s a note saying the path is /thm-framekwork-login and the default credentials are admin:admin.
Finally if we visit http://<TargetIP>/thm-framework-login we can login using the username admin and the password admin.
Here we find a flag, but not the one we need. Maybe this was supposed to be a flag but the room creator didn’t end up using it. If we go back and take a look at changelog located at https://static-labs.tryhackme.cloud/sites/thm-web-framework/changelog.html, it talks about the backup process creating a backup of the website in /tmp.zip. If you visit http://<TargetIP>/tmp.zip and unzip the download, there is a flag.txt file. This contains the contents of our next flag.
Now we are going to move into the section where we use Inspector. If we go explore the website, we discover the News tab. Let’s see what articles we can read. It looks like there are 3 articles, one of them has a star next to it. Click on the 3 articles and the 3rd one gets blocked, it only for Premium Customers. You can see how the articles are displayed by looking at the URL.
http://<TargetIP>/news/article?id=
If we wanted to check for other articles besides these 3 that are displayed, we could fuzz the id= parameter, trying all the numbers from 0 to 100 or more.
Let’s see if we can bypass this paywall. Right click inside the Sorry box and click inspect element. If you expand some of the <p> elements in Inspector you can see all the text contained in the article.
This would be much easier to read if we just remove the paywall though. In here there is a class called “premium-customer-blocker“. I wonder what would happen if we just deleted that. Remember that by deleting this you are only modifying the page how it displays on your web browser and not the actual site itself.
This reveals the article for us, as well as displays the flag! The flag is actually a picture, so we couldn’t simply find the flag in the text.
Now we will move into using the Debugger tab. This tab let’s you view the source code of the JavaScript files that are used by the website. This allows you to understand how an app is handling different features coded in JavaScript and potentially find more information about the web app. You notice when you get to the page there’s a red box that flashes then disappears. We can use the Debugger to pause the code execution and see what is going on.
The flash.min.js file, is probably handling the box that keeps flashing. While you could figure out the characters being presented in the box, by going through the flashinner function, it’s much easier to set a breakpoint. In the code there’s a section showing flash[‘remote’](); . This is probably what is removing the box. We can click on the line number on the left side to set a breakpoint. This means the JavaScript will stop executing and wait for you to continue the code.
When we refresh the page it pauses and we get the flag.
The last section we are going to cover is the Network section. This can be especially useful in enumerating the version of web server you are dealing with. Many times there are headers, such as X-Powered-By, that will disclose the version of the server. This is not always accurate, because developers can set these headers to be whatever they want or even blank. It’s always worth checking out the networking tab to see what you may be able to find.
Visit the Contact page, and fill out the information. Next open your developer tools, go to the Network tab and then click Send Message. This triggers a POST request to the file contact-msg. When viewing the headers on this response you can find the final flag.
It turns out this isn’t actually the final flag and we need to dig a little more. If you click on the Response tab you can see a JSON request with the actual flag.
I hope you enjoyed the walkthrough of Walking An Application.