This series of walkthroughs aims to help complete beginners finish the Web Fundamentals path on the TryHackMe (thm)¹ website.

It is based on the learning content provided in the Walking An Application room.

Task 1 - Walking An Application

Read the intro and the short breakdown about the room. Make sure to start the machine.

Question 1: I confirm that I have deployed the virtual machine and opened the website.

No answer needed

Task 2 - Exploring The Website

Check out the website and its various directories. To get a better picture, run gobuster to find the most common ones.

gobuster dir -u https://10-10-205-27.p.thmlabs.com/ -w /usr/share/dirb/wordlists/common.txt

command name           description
gobuster               Gobuster is a tool used to brute-force URIs, including directories and files, as well as DNS subdomains.

option                 description
dir                    Uses directory/file enumeration mode
-u, --url string       The target URL
-w, --wordlist string  Path to the wordlist

Here is the complete terminal interaction in kali:

┌──(bluewalle@kali)-[~]
└─$ gobuster dir -u https://10-10-205-27.p.thmlabs.com/ -w /usr/share/dirb/wordlists/common.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10-10-205-27.p.thmlabs.com/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/10/17 21:43:32 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 178] [--> http://10-10-205-27.p.thmlabs.com/assets/]
/contact              (Status: 200) [Size: 3108]
/customers            (Status: 302) [Size: 0] [--> /customers/login]
/development.log      (Status: 200) [Size: 27]
/monthly              (Status: 200) [Size: 28]
/news                 (Status: 200) [Size: 2538]
/private              (Status: 301) [Size: 178] [--> http://10-10-205-27.p.thmlabs.com/private/]
/robots.txt           (Status: 200) [Size: 46]
/sitemap.xml          (Status: 200) [Size: 1495]
Progress: 4607 / 4615 (99.83%)===============================================================
2022/10/17 21:44:03 Finished
===============================================================

┌──(bluewalle@kali)-[~]
└─$ 

Notice that just by running a simple directory enumeration, we already found three other folders that were not listed in the task:

  • /assets
  • /monthly
  • /private

Besides the directories, some interesting file paths were also discovered:

  • /development.log
  • /sitemap.xml
  • /robots.txt

In a pentest scenario, these files could hold important information (a development log and a sitemap in particular tend to reveal paths that are not linked from the site), but as that is not the aim of this room, we will skip them.
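The gobuster run above is also what a scan looks like from the server's side: thousands of requests from one client in about thirty seconds, almost all answered with 404, and a default User-Agent that names the tool (gobuster/3.2.0-dev in the output). The following is an added example, not part of the room or of this walkthrough, showing how a defender can pick both signals out of an ordinary combined-format access log. The log lines are constructed, and the thresholds (20 404s in 60 seconds) are assumptions to be tuned against a site's normal 404 rate.

```python
"""Detect directory brute-forcing in web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Default User-Agent strings of common directory scanners (assumed list).
SCANNER_UA_MARKERS = ("gobuster", "dirb", "ffuf", "feroxbuster", "dirbuster")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: [reasons]} for clients that look like directory scanners.

    A client is flagged when it produces more than `threshold` 404 responses
    inside any sliding `window`, or when its User-Agent names a known scanner.
    """
    not_found_times = defaultdict(list)
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            findings[rec["ip"]].add("scanner user-agent: " + rec["ua"])
        if rec["status"] == 404:
            not_found_times[rec["ip"]].append(rec["ts"])

    for ip, times in not_found_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                findings[ip].add(f"{count} 404s within {int(window.total_seconds())}s")
                break
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


def sample_log():
    """Constructed access-log lines: one scanner (10.0.0.5) and one ordinary visitor (10.0.0.9)."""
    base = datetime(2022, 10, 17, 21, 43, 32, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'
    scanner_ua = "gobuster/3.2.0-dev"
    browser_ua = "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
    lines = []
    for i in range(25):  # 25 misses in roughly 9 seconds
        ts = (base + timedelta(seconds=i // 3)).strftime(TS_FMT)
        lines.append(fmt.format(ip="10.0.0.5", ts=ts, path=f"/word{i}", status=404, size=196, ua=scanner_ua))
    lines.append(fmt.format(ip="10.0.0.5", ts=(base + timedelta(seconds=9)).strftime(TS_FMT),
                            path="/robots.txt", status=200, size=46, ua=scanner_ua))
    lines.append(fmt.format(ip="10.0.0.9", ts=base.strftime(TS_FMT),
                            path="/news", status=200, size=2538, ua=browser_ua))
    lines.append(fmt.format(ip="10.0.0.9", ts=(base + timedelta(seconds=40)).strftime(TS_FMT),
                            path="/favicon.ico", status=404, size=196, ua=browser_ua))
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(sample_log()).items():
        print(ip, reasons)
```

The User-Agent check is cheap but only catches tools left at their defaults; the 404-burst check is the one that survives a renamed agent, which is why both are combined.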

But first, check out the main page in the browser.

The main page

Question 1: Read the above.

No answer needed

Task 3 - Viewing The Page Source

Check out the page source, and follow the instructions in the task to get the flags.

Question 1: What is the flag from the HTML comment?

flag

To get the first flag, check out the webpage that is hidden in the developer's comment. In Firefox, press CTRL+U to view the page source.

Main page - page source

Head over to the hidden website mentioned by the developer, and grab the flag.

New homepage

Question 2: What is the flag from the secret link?

flag

There is another hidden page mentioned further down in the page source.

Hidden page

The same as before, follow the page to get the flag.

Secret site

Question 3: What is the directory listing flag?

flag

As mentioned, there is a configuration error in the web application: the directory listing feature remains enabled. That is why we can simply browse the /assets directory and get the flag that is stored in the flag.txt file.

Assets directory listing

Flag in /assets

Question 4: What is the framework flag?

flag

For the last flag in this task, follow the link to the framework’s website. It is listed at the bottom of the page source.

Framework's website

We will notice that our version is one patch behind.

Framework's website

Let’s check out the changes since the last version. The change log mentions a file by the name of /tmp.zip. Check it out.

Suspicious file

By entering the file path, our browser will automatically try to download it. Let's allow it.

Download

On our system, go to the directory where the file was saved and check its contents.

cd Downloads/ ; ls -hlag

Unzip the compressed file, and get the flag.

unzip tmp.zip
cat flag.txt

Do not forget to clean up after yourself.

rm tmp.zip flag.txt

The commands used above are listed here. For more information about them, check out their man pages.

command name    description
cd              change directory
ls              list directory contents
unzip           list, test and extract compressed files in a ZIP archive
cat             concatenate files and print on the standard output
rm              remove files or directories

Here is the complete terminal interaction on kali:

┌──(bluewalle@kali)-[~]
└─$ cd Downloads/ ; ls -hlag
total 12K
drwxr-xr-x  2 bluewalle 4.0K Oct 17 22:49 .
drwxr-xr-x 32 bluewalle 4.0K Oct 17 21:52 ..
-rw-r--r--  1 bluewalle  198 Oct 17 22:47 tmp.zip

┌──(bluewalle@kali)-[~/Downloads]
└─$ unzip tmp.zip 
Archive:  tmp.zip
 extracting: flag.txt                

┌──(bluewalle@kali)-[~/Downloads]
└─$ cat flag.txt 
THM{*flag*}

┌──(bluewalle@kali)-[~/Downloads]
└─$ rm tmp.zip flag.txt

Task 4 - Developer Tools - Inspector

Read about the development tools and head over to the news directory to follow along.

Question 1: What is the flag behind the paywall?

flag

Open up the 3rd article, and inspect the blocked-out part as described. As an alternative, you can open up the inspector from the developer tools in Firefox by pressing [CTRL+SHIFT+I].

Click on the premium-customer-blocker class in the inspector module, and change the style from display: block to display: none. This removes the blocker displayed over the article. Note that this works only because the article text was already sent to the browser; the CSS merely hides it, so the paywall is enforced on the client side rather than by the server.

Do not forget to grab the flag while you are at it.
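The paywall in this task fails because the authorization decision is made in the browser, where the user controls everything. The following added example (not code from the room; the User, Article and render_* names are invented for illustration) puts the vulnerable pattern next to the hardened one: in the first, the premium body is always part of the response and a CSS blocker hides it; in the second, the entitlement check runs on the server before rendering, so a non-premium visitor never receives the body at all.

```python
"""Client-side versus server-side gating of premium content (added example)."""
from dataclasses import dataclass
from html import escape


@dataclass
class User:
    name: str
    premium: bool


@dataclass
class Article:
    title: str
    teaser: str
    body: str  # the part that should reach paying customers only


def render_client_side_paywall(user, article):
    """Vulnerable pattern: the body is always sent; CSS hides it for non-premium users.

    Anyone can read it through View Source, or by switching the blocker's
    display property to none in the inspector, exactly as done in this task.
    """
    blocker = ""
    if not user.premium:
        blocker = ('<div class="premium-customer-blocker" style="display: block">'
                   "Premium content</div>")
    return (f"<h1>{escape(article.title)}</h1>"
            f"<p>{escape(article.teaser)}</p>"
            f"{blocker}"
            f'<div class="article-body">{escape(article.body)}</div>')


def render_server_side_paywall(user, article):
    """Hardened pattern: the entitlement decision happens before rendering.

    The body is simply not part of the response for a non-premium user, so
    nothing done in the browser's developer tools can reveal it.
    """
    html = f"<h1>{escape(article.title)}</h1><p>{escape(article.teaser)}</p>"
    if user.premium:
        html += f'<div class="article-body">{escape(article.body)}</div>'
    else:
        html += '<div class="premium-customer-blocker">Premium content</div>'
    return html


def body_leaks(render, user, article):
    """True if the rendered page contains the premium body for this user."""
    return escape(article.body) in render(user, article)


if __name__ == "__main__":
    # Constructed sample data.
    article = Article("Third article", "A short teaser.", "The premium text.")
    guest = User("guest", premium=False)
    for render in (render_client_side_paywall, render_server_side_paywall):
        print(render.__name__, "leaks to guest:", body_leaks(render, guest, article))
```

The same rule applies to anything "hidden" with CSS, disabled form controls or JavaScript checks: if the data is in the response, the client has it, and the only place an access control can hold is on the server.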

Task 5 - Developer Tools - Debugger

Question 1: What is the flag in the red box?

flag

For the next flag, move to the /contact directory and open up the debugger module in developer tools. Then check out the flash.min.js JavaScript file that is stored in the /assets directory. Beautify it with the built-in "Pretty Print" function for better readability.

Set the breakpoint as instructed and refresh the page.

Get the flag.

Task 6 - Developer Tools - Network

Question 1: What is the flag shown on the contact-msg network request?

flag

For the last flag, first open up the network module in developer tools. Then fill out the contact form with dummy data. Finally, send the request.

We are notified by a pop-up window that our request was successfully sent and received. Check out our request for more detail.

You will find the last flag among the response headers, in a header named X-FLAG. As an alternative, we could simply head over to /contact-msg to grab the same flag.
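Both the framework version found at the bottom of the page source in Task 3 and the custom X-FLAG header found here are information the server volunteered in its response. As an added example (not part of the room), the following pass over a response's headers and HTML flags the usual places such disclosures sit: version numbers in Server-style headers, custom X- headers a browser has no use for, and version strings in HTML comments or a generator meta tag. The response is constructed, the value of X-FLAG is a placeholder, and the header allow-list is an assumption.

```python
"""Spot information disclosure in a web response (added example)."""
import re

# Headers that routinely carry software or version details.
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# Custom X- headers that are legitimate security or tracing headers (assumed allow-list).
EXPECTED_X_HEADERS = {"x-content-type-options", "x-frame-options",
                      "x-xss-protection", "x-request-id"}

VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
GENERATOR_META_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)


def audit_response(headers, html):
    """Return a list of findings describing what the response gives away."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in VERSION_HEADERS and VERSION_RE.search(value):
            findings.append(f"version disclosed in header {name}: {value}")
        elif lname.startswith("x-") and lname not in EXPECTED_X_HEADERS:
            findings.append(f"unexpected custom header {name}: {value}")
    for comment in HTML_COMMENT_RE.findall(html):
        if VERSION_RE.search(comment):
            findings.append("version string in HTML comment: " + comment.strip())
    for generator in GENERATOR_META_RE.findall(html):
        findings.append("generator meta tag: " + generator)
    return findings


def sample_response():
    """Constructed response: one version header, one custom header, one versioned comment."""
    headers = {
        "Content-Type": "text/html",
        "Server": "nginx/1.18.0",
        "X-Frame-Options": "DENY",
        "X-FLAG": "THM{placeholder}",
    }
    html = ("<html><body><h1>Contact</h1></body>"
            "<!-- built with ExampleFramework 1.2 --></html>")
    return headers, html


if __name__ == "__main__":
    for finding in audit_response(*sample_response()):
        print(finding)
```

Running it against every response during a review, rather than only the landing page, is what turns the one-off discovery of X-FLAG into a repeatable check.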

Make sure to terminate the machine that was started before moving on to the next room.


  1. thm - shorthand for TryHackMe from now on