June 3, 2026
TryHackMe write-up: Mother’s Secret
Exploit flaws found in Mother’s code to reveal its secrets.
Viktor Chalyi
3 min read
Disclaimer
The content of this article is for educational purposes only. Do not use the techniques described here on any system without the explicit consent of the owner.
Ready for take off
The objective is to uncover hidden secrets by exploiting vulnerabilities in the web application running on the target server. With both the AttackBox and target machine up and running, it's time to begin our investigation.
Recon
We start with a Crew Member role, which provides read-only access to a limited set of resources. The task also ships the source code of the web service running on the target machine, so we can review the application before interacting with it. Three handlers are worth examining (paths as declared in the route files; the mounted URL paths are covered below):
- POST /
  - Validates that the requested file has a .yaml extension and reads it from the ./public/ directory.
- POST /nostromo
  - Reads a file from the ./public/ directory. According to the challenge description, this functionality should only be available to users with the Science Officer role.
- POST /nostromo/mother
  - Requires both isNostromoAuthenticate and isYamlAuthenticate to be set before allowing access to files in the ./mother/ directory.
During code review, another issue becomes apparent: none of the endpoints properly validate the supplied file path, leaving all of them open to path traversal. Before attempting to access protected resources, let's see how the service is wired together, starting with package.json.
package.json
package.json shows that server.js starts the web service. Let's see what's inside.
server.js
server.js mounts two routers:
- /api
- /yaml
which together expose three API endpoints:
- POST /yaml
- POST /api/nostromo
- POST /api/nostromo/mother
Mother's secret
- What is the number of the emergency command override?
The answer can be found in the operating manual:
Emergency command override is 100375. Use it when accessing Alien Loaders.
- What is the special order number?
The Alien Loader documentation references a YAML loading mechanism, and reviewing the source code shows that only one endpoint processes YAML files: /yaml.
We also know the emergency override code from the previous step. Combining that code with the .yaml extension the endpoint insists on gives a file name that passes the application's validation checks, and the response reveals the special order number.
- What is the hidden flag in the Nostromo route?
With the special order filename identified, retrieving its contents through the vulnerable endpoint reveals the hidden flag.
- What is the name of the Science Officer with permissions?
A closer inspection of yaml.js and nostromo.js reveals a flawed authorization mechanism. Instead of tying authorization to a session or a user, the application relies on two module-level global variables: isYamlAuthenticate and isNostromoAuthenticate.
A successful request to the corresponding endpoint sets the flag to true for the entire process, not just for the client that sent it. Once both flags are set, any user, including one who never passed either check, can reach functionality intended for the Science Officer role.
- What are the contents of the classified "Flag" box?
And finally, with access equivalent to the Science Officer role, we can read the flag box:
- Can you guess what is /api/nostromo/mother/secret.txt?
Although /api/nostromo/mother requires elevated privileges, the /api/nostromo endpoint itself is insufficiently protected and vulnerable to path traversal. By manipulating the file path, we can access files outside the intended directory structure, including secret.txt.
- What is Mother's secret?
The final challenge is working out how many directory traversals (../) are needed to escape the application's working directory and reach /opt/m0th3r.
After a bit of experimentation with the traversal depth, the target file becomes readable, revealing Mother's final secret.
Conclusion
This room combines source code review with practical exploitation. By abusing path traversal vulnerabilities and weak authorization controls, we were able to move from a low-privileged user to accessing protected resources and uncovering Mother's secret.
A fun challenge that shows why proper access control and input validation matter.
Originally published at https://vchalyi.substack.com.