THM - Include
A writeup for the room Include on TryHackMe
Use your server exploitation skills to take control of a web app.

https://tryhackme.com/room/include
Footprinting
We can start with an nmap scan:
nmap -sS TARGET_IP

The services on port 4000 and 50000 could be interesting:
nmap -A -p 4000,50000 TARGET_IP
They are both web servers.
The one on port 4000 is a login page.

The service on port 50000 is an admin panel.

What is the flag value after logging in to the SysMon app?
We can try to log in to the website on port 4000 with guest:guest as credentials.
Once inside we can see a user profile page.
There are many properties and a form to add a new one.
By looking at the URL we can easily see that there is an IDOR vulnerability: the profile shown is selected by the user id in the URL.

There are two other users (ids 2 and 3), but there is nothing to do with them.
Because the profile has a property called isAdmin set to false, we can try to change its value.

Once done, new pages become available: API and Settings.
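The two weaknesses exploited above (a profile selected by an id taken from the URL, and a form whose posted properties, including isAdmin, are written straight into the record) are modelled below as an added example beside their fix. This is not SysMon's code or the room author's; the user table, function names and the EDITABLE_FIELDS allow-list are constructed assumptions for illustration.

```python
"""
Added example (not from the original writeup): a minimal model of the two
weaknesses in the SysMon profile page, shown next to their fix.

1. IDOR: the record is selected by a user id taken from the URL, with no
   check that the logged-in user owns it.
2. Mass assignment: every posted property is written to the record,
   including privileged ones such as isAdmin.

The user table, function names and field list are assumptions made for
this illustration, not the real application's code.
"""
from copy import deepcopy

# Constructed sample user table keyed by the id that appears in the URL.
USERS = {
    1: {"username": "guest", "isAdmin": False, "email": "guest@example.test"},
    2: {"username": "bob", "isAdmin": False, "email": "bob@example.test"},
}

# Properties an ordinary user may legitimately edit on their own profile
# (assumed allow-list for the example).
EDITABLE_FIELDS = {"email"}


class Forbidden(Exception):
    """Raised when a request fails the ownership check."""


def vulnerable_update(users, session_user_id, url_user_id, posted):
    """Flawed behaviour: trusts the id in the URL and writes every posted
    property, so isAdmin can be flipped by any authenticated user."""
    users[url_user_id].update(posted)
    return users[url_user_id]


def hardened_update(users, session_user_id, url_user_id, posted):
    """Fix: bind the record to the authenticated session (closes the IDOR)
    and allow-list the fields that may change (closes mass assignment).
    Rejected field names are returned so the caller can log the attempt."""
    if url_user_id != session_user_id:
        raise Forbidden("profile does not belong to the current session")
    rejected = sorted(set(posted) - EDITABLE_FIELDS)
    allowed = {k: v for k, v in posted.items() if k in EDITABLE_FIELDS}
    users[url_user_id].update(allowed)
    return users[url_user_id], rejected


def demo():
    """Runs both handlers against fresh copies of the sample table with the
    same posted form and returns (vulnerable isAdmin, hardened isAdmin,
    rejected fields) so the difference is visible."""
    posted = {"email": "new@example.test", "isAdmin": True}
    v = deepcopy(USERS)
    vulnerable_update(v, session_user_id=1, url_user_id=1, posted=posted)
    h = deepcopy(USERS)
    _, rejected = hardened_update(h, session_user_id=1, url_user_id=1, posted=posted)
    return v[1]["isAdmin"], h[1]["isAdmin"], rejected


if __name__ == "__main__":
    print(demo())  # (True, False, ['isAdmin'])
```

The hardened handler drops privileged fields rather than failing the whole request; returning the rejected names gives the server something concrete to log, which is the signal a defender would alert on when a low-privilege session repeatedly posts isAdmin.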
The API page contains the details about two endpoints available for the user.