Walking an Application - TryHackMe

Welcome back, fellow hackers. In this blog you are going to see how to walk through a website manually, looking for security issues using the tools built into the browser.

These are the built-in browser tools we are going to walk through:

  1. View Source
  2. Inspector
  3. Debugger
  4. Network

Let us explore the website: the role of a pentester is to review a website to find vulnerabilities, exploit them and gain access to it.

The page source is the code the server sends to the browser in response to a request; the browser renders that code into the page you see.

What is the flag from the HTML comment?

Ans : THM{HTML_COMMENTS_ARE_DANGEROUS}

I looked through the web app's page source for any clue, then I checked the comment in the page source.

I navigated to target-IP/new-home-beta, which I found through the page source, and got this flag.

What is the flag from the secret link?

Ans: THM{NOT_A_SECRET_ANYMORE}

I started looking in the page source for any secret link, and found the link /secret-page. I navigated to it and got the flag.

What is the directory listing flag?

Ans: THM{INVALID_DIRECTORY_PERMISSIONS}

I used dirbuster to find any directory; finally the assets directory was found, and after navigating to it I got this flag.

What is the framework flag?

Ans: THM{KEEP_YOUR_SOFTWARE_UPDATED}

I navigated into the framework page, downloaded tmp.zip and arrived at the flag.

What is the flag behind the paywall?

Ans: THM{NOT_SO_HIDDEN}

In the news section, the third news item is meant for premium users. The bypass method used here to unlock it: in Inspect Element, find the premium-customer-blocker element and change its display from block to none; then the content becomes visible to free users.
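As an added example (not from the original post or the TryHackMe room), here is a small Python review of page source that flags the three things this walkthrough found by hand: HTML comments, links to pages that were not meant to be public, and content gated only by client-side CSS. The sample HTML is constructed; the class name echoes the room, but the markup is not the room's.

```python
# Added example, not part of the original post: a "view source" review
# that flags leaks a defender should fix before a page ships. Content that
# is present in the source but hidden by CSS is not access control; the
# server must simply not send it to users who are not entitled to it.
from html.parser import HTMLParser


class SourceReviewer(HTMLParser):
    """Collects comments, links and CSS-visibility-controlled elements."""

    def __init__(self):
        super().__init__()
        self.comments, self.links, self.hidden = [], [], []

    def handle_comment(self, data):
        # Anything in a comment reaches every client; treat it as a finding.
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        style = (a.get("style") or "").replace(" ", "").lower()
        # Inline display/visibility rules are client-side toggles the user
        # can flip in the Inspector, so record what they are hiding.
        if "display:" in style or "visibility:" in style:
            self.hidden.append({"tag": tag, "class": a.get("class"), "style": style})


def review_source(html):
    """Return the findings from one page of HTML source."""
    p = SourceReviewer()
    p.feed(html)
    return {"comments": p.comments, "links": p.links, "hidden": p.hidden}


# Constructed sample page (not the room's real HTML) showing each pattern.
SAMPLE = """<html><head><!-- TODO: remove before prod, see /new-home-beta --></head>
<body><a href="/news">News</a><a href="/secret-page">secret</a>
<div class="premium-customer-blocker" style="display: block">overlay</div>
<div class="premium-content" style="display: none">premium article text</div>
</body></html>"""

if __name__ == "__main__":
    for kind, items in review_source(SAMPLE).items():
        print(kind, items)
```

Run it against a saved copy of a page before release; every comment, unlisted link and CSS-hidden block it lists is something a visitor with View Source or the Inspector can see.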

What is the flag in the red box?

Ans: THM{CATCH_ME_IF_YOU_CAN}

What is the flag shown on the contact-msg network request?

Ans: THM{GOT_AJAX_FLAG}

Mukilan Baskaran

CTF player | Cyber Security Enthusiast