Room: https://tryhackme.com/room/neighbour

Scenario
Check out our new cloud service, Authentication Anywhere — log in from anywhere you would like! Users can enter their username and password, for a totally secure login process! You definitely wouldn't be able to find any secrets that other people have in their profile, right?
Initial Access
Navigate to the Target Machine IP from the AttackBox.
On the homepage, view the page source.
There's an interesting HTML comment:
<!-- use guest:guest credentials until registration is fixed. "admin" user account is off limits!!!!! -->
This suggests we can log in using the credentials:
Username: guest
Password: guest
Exploring the Application
After logging in as the guest user, examine the page source again.
Another comment is present:
<!-- admin account could be vulnerable, need to update -->
This implies the admin account might have a security flaw.
Profile Access via URL Manipulation
The current page URL is:
http://MACHINE_IP/profile.php?user=guest
We can try changing the user parameter from guest to admin:
http://MACHINE_IP/profile.php?user=admin
🎉 Flag found!
The flag was successfully displayed in the browser.
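To make the access-control failure concrete, here is an added Python reconstruction of what a profile.php like this one does and what it should do, plus a log check a defender could run. It is not the room's PHP or anything from TryHackMe: the user store, the placeholder secret, the access-log lines and the IP addresses are constructed, and the hardened handler and the enumeration heuristic are assumptions about a fix and its server-side trace, not anything the page states.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs
import re

# Constructed user store; the admin "secret" is a placeholder, not the room's flag.
USERS = {
    "guest": {"role": "user", "secret": "nothing to see here"},
    "admin": {"role": "admin", "secret": "FLAG{placeholder}"},
}

def vulnerable_profile(session, params):
    """profile.php as the room shows it: the user= parameter alone picks the profile."""
    if "user" not in session:
        raise PermissionError("login required")
    target = params.get("user", session["user"])  # attacker-controlled value
    return USERS[target]["secret"]

def hardened_profile(session, params):
    """Same endpoint, authorised against the server-side session identity (assumed fix)."""
    if "user" not in session:
        raise PermissionError("login required")
    actor = session["user"]
    target = params.get("user", actor)
    if target not in USERS:
        raise KeyError(target)
    # Owner or admin only; the URL never decides who the caller is.
    if target != actor and USERS[actor]["role"] != "admin":
        raise PermissionError(f"{actor} may not view {target}")
    return USERS[target]["secret"]

# Constructed access-log lines (combined format) for the detection side.
ACCESS_LOG = """\
10.10.1.5 - - [01/Jan/2024:10:00:01 +0000] "GET /profile.php?user=guest HTTP/1.1" 200 512
10.10.1.5 - - [01/Jan/2024:10:00:09 +0000] "GET /profile.php?user=admin HTTP/1.1" 200 540
10.10.1.7 - - [01/Jan/2024:10:01:00 +0000] "GET /profile.php?user=guest HTTP/1.1" 200 512
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def profile_enumeration(log_text):
    """Clients that successfully fetched more than one distinct profile:
    the server-side trace a user= swap leaves behind (heuristic, assumed)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "200":
            url = urlparse(m.group(2))
            if url.path == "/profile.php":
                seen[m.group(1)].update(parse_qs(url.query).get("user", []))
    return {ip: sorted(u) for ip, u in seen.items() if len(u) > 1}
```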
Conclusion
This room demonstrates the risks associated with insecure comments in HTML source code and insufficient access controls. By reviewing the page source, we discovered hardcoded credentials and hints about a potentially vulnerable admin account. Simple URL manipulation allowed unauthorized access to the admin profile, indicating a lack of proper authorization checks on server-side resources. This highlights the importance of:
- Avoiding sensitive information in client-side code (e.g., HTML comments),
- Implementing robust access controls,
- Thoroughly testing user input and session validation mechanisms.
Overall, this room is a great example of how seemingly minor oversights can lead to critical vulnerabilities.