May 25, 2026
Support Writeup for Jr.Pentester Path — TryHackMe/THM
Hi Everyone, this is my first write up for the TryHackMe platform. Without further ado, let’s get into it.

By NHAsec
4 min read
Admin Flag
The first step is an nmap scan.
Let's check out the site on port 80.
So, we know the format for email addresses are in the format of xxx@support.thm and we are given an email: help@support.thm
I checked the page source to see if there are any juicy comments or anything else useful but found nothing.
Let's run gobuster to automate the interesting dirs/file hunting process.
Note: You don't need to add as many extension types. Just php is good enough for this room.
Can't access the interesting files without logging in. We need to brute force the login. I used ffuf to do so but hydra is another option.
Note: You're gonna have to run the commands yourself to get the passwords, hashes, etc. No cheating allowed!
Ok, we can now login to the dashboard.
Nothing special, lets check cookies. There's a new one.
The first cookie looks promising. At first I thought it was base64 but then I realized it was an md5 hash. You can use a site such as crackstation.net to crack it.
Hint: The result is one of two Boolean values. You need to change the current cookie value to the opposite Boolean value of the cracked hash.
I used an md5 hash generator to generate the new cookie. When you enter the new cookie value and refresh the page, the dashboard will change.
Follow the link to api.php
Now we can use either curl or the browser itself to view other users data which technically speaking we shouldn't be able to do so.
We enumerate two more users as below.
The email in the first screenshot is the user of interest as they have admin privileges.
Go back to dashboard.php and change the theme from the footer. Notice the new parameter in the url after doing so.
There is a folder called skins where the php files for each color are saved and which the skin parameter is referencing.
Basically, the skin parameter on dashboard.php is adding the page name ( e.g. blue.php) and then removes the .php extension.
What if we change the parameter to view the current pages source code?
Now check the page source.
We can see php source code in the clear. Remember config.php from our gobuster scan. That is our next target.
Note: There is a typo in this password if you try it on the logon page with the specialadmin@support.thm email. You MUST remove the @ symbol in the password.
Use the found password to login as specialadmin.
Got flag 1.
User Flag
Ok, the footer now shows something new.
The Dropdown on the right is our target for Command Injection. I used Burp Suite on the attack box to perform the attack but I am going to show you how to do it in the browser.
First, choose Time from the dropdown. This will reload the page and display the time at the bottom.
You have to open dev tools. In Firefox you can do ctrl+shift+i or right click on the page and choose inspect. We need to locate the tag for the Date dropdown which is the first of the two option tags under the tag. If using firefox, you can click on the element picker from firefox dev tools next to the inspector tab (the icon on the left in the image directly below) and click on the Time dropdown on the page. It will jump to the relevant tags in Inspector. Ok first we will test for command injection by adding ";id" after "date" like so. Close dev tools and change "Time" to "Date" from the dropdown selector. It will reload the page automatically and show the following: We have confirmed command injection. Now repeat the process but instead of "id" use "cat + /home/ubuntu/user.txt" and get the flag. Got the flag. Hopefully you did too! Thank you so much for reading. Proud to be the first write up for this room. More to come.