June 6, 2026
Recruit Walkthrough | TryHackMe
Infiltrate Recruit’s new portal. Map the site, hunt for flaws, and gain unauthorised access
Gowrishankar
Recruit has just launched its new recruitment portal, allowing HR staff to manage candidate applications and administrators to oversee hiring decisions. While the platform appears functional, management suspects that security may have been overlooked during development. Your task is to assess the application like a real attacker, mapping its structure, abusing exposed functionality, and exploiting vulnerabilities.
We need to gain an initial foothold, escalate our access, and ultimately log in as the administrator.
In the reconnaissance phase, we can use Nmap to discover the open ports on the target machine, the services listening on them and their versions, and the OS version.
Now we know that the target has 3 open ports, along with their service names and versions. The most attractive of these is HTTP, which confirms that the portal is hosted on the target machine.
The image below shows what the recruit portal looks like.
There is an "access api" link on the portal. After exploring the portal content, we find a clue left by the target that files can be read through a /file.php path on the portal.
To enumerate the target further, we can use the Nikto tool, which helps us dig out hidden files and directories, server misconfigurations and, with luck, default credentials.
command: nikto -h http://machine_ip
We found many things in the Nikto results, but the most interesting part was a set of hidden paths: /sitemap.xml, /mail, /config.php and /phpmyadmin. After exploring these paths, we found useful information under /mail, where we retrieved a mail log file.
The log file confirms that the HR login credentials (username: hr) are currently stored in the config.php file, and that the administrator credentials are in the backend database. But the /config.php path shows a blank page. After several attempts to work out why it was blank, I remembered that files can be read through the /file.php path. After some trial and error, I was able to read config.php through the endpoint http://YOUR_IP/file.php?cv=file://config.php
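The root cause of that read is a user-supplied path handed straight to the file API. The following Python example, added here and not code from the room or its author, shows the checks a hardened download endpoint would apply to the cv parameter before opening anything: refuse URL wrappers such as file://, refuse absolute paths and traversal, and confine the result to an assumed uploads directory and a document extension whitelist.

```python
from pathlib import Path, PurePosixPath
from typing import Optional
from urllib.parse import urlsplit

# Assumed layout for this example: uploaded CVs live under this directory and
# nothing else on the server may be served by the download handler.
CV_ROOT = Path("/var/www/recruit/uploads").resolve()
ALLOWED_SUFFIXES = {".pdf", ".docx"}


def resolve_cv(cv: str, root: Path = CV_ROOT) -> Optional[Path]:
    """Return the on-disk path for a requested CV, or None if the request
    must be refused. The checks are independent, so a trick that slips past
    one of them (an encoded separator, a symlink) still has to pass the rest."""
    # 1. A bare filename has no URL scheme; anything like file://, php:// or
    #    http:// is a stream wrapper, not a CV. Embedded NULs are refused too.
    if urlsplit(cv).scheme or "\x00" in cv:
        return None
    rel = PurePosixPath(cv)
    # 2. No absolute paths and no parent-directory components.
    if rel.is_absolute() or ".." in rel.parts:
        return None
    # 3. Only document types a candidate would upload; never .php, .ini, etc.
    if rel.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    # 4. Resolve the final path and confirm it is still inside the upload root
    #    (defence in depth against symlinks and anything the checks above missed).
    target = (root / rel).resolve()
    if not target.is_relative_to(root):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample requests, including the one that exposed config.php.
    for request in ("file://config.php", "../config.php", "config.php",
                    "/etc/passwd", "2026/smith.pdf"):
        decision = resolve_cv(request)
        print(f"{request!r:25} -> {'refused' if decision is None else decision}")
```

The same allow-list and root-confinement logic applies unchanged to a PHP handler; the point is that the wrapper prefix, the traversal and the file type are each refused on their own before the path reaches the filesystem.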
From here, we are able to find the hr password for the recruit portal. With the username and password, we now have an initial foothold on the target machine, and we find our first flag after logging in.
What is the flag value after logging in as a normal user?
THM{LOGGED_IN_USER}
The target has a backend database from which we have to retrieve the admin credentials. To do so, let's check whether the application is vulnerable to SQL injection.
Yes, the backend is vulnerable to SQL injection. After testing several times with UNION queries, we learn that the vulnerable query returns 4 columns.
Then we used GROUP_CONCAT to gather more information about the schema, tables, and columns.
And finally, we got admin credentials.
We escalated our initial access to admin and found our final flag for this room.
What is the flag value after logging in as admin?
THM{LOGGED_IN_ADM1N1}