June 12, 2026
TryHackMe Walkthrough: Support
MistressOfTheDarkweb
A new internal Support Operations Platform has been deployed to assist IT and help desk teams. The application handles user management, internal APIs, and system-level operations. However, security was not the primary focus during development. Several features rely on user-controlled input and weak trust boundaries. Can you pentest the platform and escalate your access to achieve RCE on the server?
The main task here is API Pentesting, but we're also going to perform cookie manipulation and a brute-force attack. Notice the help@support.thm email at the bottom of the login form, which may be helpful later.
- My first thought is to run Gobuster to find hidden directories and files, since I don't yet have a password. The directories and files Gobuster discovers may very well be entry points.
gobuster dir -u http://10.145.169.205 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,bak,zip,js
- Interesting, but I still do not have a password. What if I try brute-forcing that password? Let's use ffuf.
ffuf -w /usr/share/wordlists/rockyou.txt -X POST -d "email=help@support.thm&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.145.169.205 -fs 2678
Check out the output for the password.
- Login with the brute-forced credentials.
- Notice that I am able to change the theme color after logging in. This high-key screams file inclusion. Remember, a file inclusion vulnerability lets an attacker trick a web application into exposing files that weren't meant to be accessible.
- I right-click Inspect.
- Go to Storage and click on Cookies.
- isITUser has a long hexadecimal string which looks like an MD5 hash. Many developers make the mistake of storing hashed values (or a password) in cookies, assuming that the hash makes the data tamper-resistant. However, anyone can find the original value and substitute a new one into the cookie. I test this trick by plugging the MD5 hash into crackstation.net after wasting time on copious captchas.
- Notice the result is "false," but I must change it to "true." I do this in CyberChef. CyberChef returns a new hash.
- I go back to the dashboard and change the cookie Value using the new output from CyberChef.
- Refresh the page and voila! I now have access to the IT Admin Panel.
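To make the cookie weakness concrete, here is an added example (not code from the room or its author) contrasting the isITUser pattern seen above, an unkeyed MD5 of "true"/"false", with an HMAC-signed cookie; the server secret and cookie layout are my own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret. A real app loads this from config; it never reaches the client.
SERVER_SECRET = secrets.token_bytes(32)


def weak_cookie(is_it_user: bool) -> str:
    """The pattern on the box: md5("true") or md5("false"). No secret, so anyone can recompute it."""
    return hashlib.md5(b"true" if is_it_user else b"false").hexdigest()


def weak_check(cookie: str) -> bool:
    """Server side of the weak scheme: grant admin if the cookie equals md5("true")."""
    return cookie == hashlib.md5(b"true").hexdigest()


def signed_cookie(is_it_user: bool, secret: bytes = SERVER_SECRET) -> str:
    """Hardened form: plaintext value plus an HMAC-SHA256 tag keyed with the server secret."""
    value = "true" if is_it_user else "false"
    tag = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def signed_check(cookie: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the tag for the presented value; reject on mismatch (tampered or forged)."""
    value, _, tag = cookie.partition(".")
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return value == "true"


def tamper(cookie: str) -> str:
    """What the walkthrough does: swap the plaintext "false" for "true" without knowing any secret."""
    value, sep, rest = cookie.partition(".")
    if value == hashlib.md5(b"false").hexdigest():      # weak scheme: just recompute md5("true")
        return hashlib.md5(b"true").hexdigest()
    return "true" + sep + rest                           # signed scheme: tag no longer matches


def demo() -> dict:
    """Returns whether each scheme accepts a tampered non-admin cookie."""
    return {
        "weak_accepts_forgery": weak_check(tamper(weak_cookie(False))),
        "signed_accepts_forgery": signed_check(tamper(signed_cookie(False))),
    }
```

Hashing alone provides integrity only against accidental corruption; without a key the client can produce any "valid" hash it likes.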
- I click on the "View API" button in hopes of seeing some interesting stuff.
- Get /user/3, hmmm… what about users 1 and 2? I play around with this in the browser by adding /user/1 at the end of the URL and changing the number until I find admin information. This could be an example of Broken Object Level Authorization (BOLA), a failure that happens when an API returns a requested object without verifying that the requester is permitted to access it. Still, no password.
- Remember the color changer? Gobuster shows this is in the skins directory.
- I'm going to dig around and keep hunting for file inclusions in this skins directory. I test http://10.145.169.205/dashboard.php?skin=../api and click "View Page Source," but I still do not see anything helpful.
- Finally, I try http://10.145.169.205/dashboard.php?skin=../config and right-click to View Page Source. I see the password.
- I try these credentials with the specialadmin@support.thm email, and get the first flag.
Now I must find the contents of /home/ubuntu/user.txt.
- Right-click Inspect.
- Go to Network → Edit and Send Request.
- Enter cat /home/ubuntu/user.txt in the request. The flag is in the response.