#2. TryHackMe Series writeups: Traverse
Hello guys 👋 I’m back with another walkthrough, this time tackling the Traverse lab from TryHackMe.
This room is aimed at beginners and challenges your secure coding skills: the goal is to restore a compromised website.
So, let’s start solving this lab 🤝.
As always, we start by enumerating the box, so let’s kick off with an nmap scan.
Commands: nmap -sV -sC <IP>
After executing the command, we can see the open ports and the services running on them. Here, two ports are open: SSH and HTTP.
Let’s check what’s on the HTTP port. The page shows the message “FINALLY HACKED !!! I HATE MINIFIED JAVASCRIPT”.
That alone isn’t useful, so let’s look at the page source (“view page source”). Among the .js files, custom.min.js contains data that is obfuscated.
Note: Code obfuscation means making code deliberately difficult to understand.
Now let’s de-obfuscate the data using CyberChef. As we can see, it is encoded in hex.
The decoded output is a minified JavaScript function (this is the hint from the main page, which we initially dismissed as pointless 😢). We can run this piece of code in the browser console.
Hurray 👏!! We got the flag 🤩. The next question gives us a hint: it asks for the file containing the email dump. Let’s check “/logs”.
Yes, the email dump is visible. Let’s see what information we can gather from the email.😇
As we can see in the email, Bob has left a hint: “I named the API folder under the name of the first phase of SSDLC” which is “planning.”
When we access the folder, we are prompted for a password. There is also a key present in the form THM{*******}.
After accessing the page, we can see the API request and response for “http://<IP>/api/customer_id=1”.
Let’s try changing the id to 2, 3, 4, and so on. After trying a few numbers, “/customer_id=3” displays the admin’s info.
Looking at that response, there is a loginURL in it. Let’s access it now.
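The customer_id endpoint above hands back any record to any caller, which is the classic IDOR that made the admin’s info reachable. As an added example (not code from the room), here is the vulnerable lookup beside a hardened one that ties the record to the authenticated session, plus a small check over constructed access-log lines that flags a client walking through ids; the customer table, sessions and log format are all constructed for illustration.

```python
"""Added example (not from the room): an ownership check for a
/api/customer_id=N style endpoint, and a log check for id probing.
All records, sessions and log lines below are constructed."""
import re
from collections import defaultdict
from typing import Optional

# Constructed customer table; id 3 stands in for the admin record.
CUSTOMERS = {
    1: {"name": "alice", "role": "customer"},
    2: {"name": "bob", "role": "customer"},
    3: {"name": "admin", "role": "admin"},
}

def vulnerable_lookup(customer_id: int) -> Optional[dict]:
    """Returns any record to any caller: the behaviour seen in the room."""
    return CUSTOMERS.get(customer_id)

def hardened_lookup(session: dict, customer_id: int) -> Optional[dict]:
    """Returns a record only if the session owns it or holds the admin role."""
    if not session.get("authenticated"):
        return None
    is_owner = session.get("customer_id") == customer_id
    is_admin = session.get("role") == "admin"
    if not (is_owner or is_admin):
        return None  # deny by default; do not reveal whether the id exists
    return CUSTOMERS.get(customer_id)

# Constructed access-log lines in a simple "ip path status" shape.
LOG = """\
10.0.0.5 /api/customer_id=1 200
10.0.0.5 /api/customer_id=2 200
10.0.0.5 /api/customer_id=3 200
10.0.0.5 /api/customer_id=4 404
10.0.0.9 /api/customer_id=2 200
"""
ID_RE = re.compile(r"^(\S+) /api/customer_id=(\d+) (\d{3})$")

def probing_clients(log: str, threshold: int = 3) -> list:
    """Flags client IPs that requested `threshold` or more distinct customer ids."""
    ids_by_ip = defaultdict(set)
    for line in log.splitlines():
        m = ID_RE.match(line)
        if m:
            ids_by_ip[m.group(1)].add(int(m.group(2)))
    return sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= threshold)
```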
Once we enter the login information, we are presented with an interface that allows us to execute commands in the role of “System Owner”.
But here’s a catch: when we click the execute button, we only see the current user, i.e. “whoami” has been executed.
Let’s fire up Burp Suite to see what is happening in the backend.
Now that our commands are being run, we can search for hidden files or information on the target.
After executing the “ls -la” command, we can see that the password for the file manager (/renamed_file_manager.php) is hardcoded.
We get access to the admin panel, which lists all the files and folders.
The final question asks us to remove the “Finally Hacked” message. Taking this as a hint, we check the files and find the message in “index.php”.
Let’s remove that code and save the file. We get the final flag here 🤩.
Hurray ✌️, we have successfully solved Traverse. Thank you for sticking around.
I appreciate you taking the time to read. For other such writeups do visit the TryHackMe Series writeups.
If you found it useful, please click the 👏 button and share it with others who have similar interests! Feedback is always appreciated! 😊