Jr Penetration Testing - Walking An Application - Viewing The Page Source

a.infosecflavour - Aug 2 - - Dev Community

I bet you want to dive into Web Hacking. We'll be Walking An Application. The road has a few flags, let's collect them all, together.

The first question of task 3 sounds like this: What is the flag from the HTML comment?🧐

What do we do?

Regardless you use the THM Machine or you're connected via VPN, open a browser and introduce the URL provided after starting the machine.
After you connected to the webpage, have a look on the source of the page by either right-click-> View source or keyboard combination CTRL+U. The first clue for collecting a flag is written in the stars . Or in the comments. Will /new-home-beta lead us anywhere?

comment

Knocking at the door of machine-ip.p.thmlabs/new-home-beta will reveal the first flag! (don't forget that machine-ip= the IP you get after starting the machine in THM)

flag

The second question is asking us: What is the flag from the secret link?

The next flag is hidden in a secret place page. How do we arrive there? Have a look on the source page and try to find the secret page.

It seems...the secret has been unmasked.

flagz

The third question wants to know: What is the directory listing flag?

This time, someone placed the flag in a box (directory) full of stuff (assets).

Visiting machine-ip.p.thmlabs/assets, we'll be looking for the answer. There are so many assets here, site.js, style.css...Is there any clue?

assets

Accessing flag.txt, we'll happily find the answer.

flag.txt

One more flag and we beautify our collection. The fourth question: What is the framework flag? puts us in the situation to take some secondary streets.

Do you see the last line? Someone left a precious mark. The URL must be the fortress where the flag waits to be freed captured.

frame

Eeny, meeny, miny, moe which way should we go? Let's choose Change Log. 🌟

changr log

Archives can hide valuable information. So does /tmp.zip. Access machine-ip/tmp.zip and take the gem . Or the advice.

flagg

Are you curious what is the Documentation about? Let's have a look.

doc

Navigating to machine-ip/thm-framework-login, we'll arrive to a super-secret area, where admin is both username and password. ⚠️

web

Oh, no! There is another flag!

creds

However, given that the question is stating framework flag, the flag found in Change Log is the correct one.

Image
De développeur à luthier, histoire d'une reconversion

reconversion, luthier, lutherie, guitare
Image
How Does American Express Offer Concierge Services?
Image
Improving on Migration: Picking the Right Packers and Movers from Gurgaon to Ahmedabad
Image
Key Factors Behind Target’s Customer Loyalty
Image
Assalomu Aleykum bugun 20 . 08. 24 da c++ codlash tilida 8 darsimizni otdik va bu meni yasuryotlarim.
Image
Benefits of the American Express Gold Card
Image
How to Choose the Best Skin Specialist in Secunderabad

skinspecialistinsecunderabad, dermatologistinsecunderabad
Image
What Are the Benefits of AT&T Business Internet Plans?
Image
Best Essential On-Page SEO Factors You Need to Know
Image
How APIs Work Under the Hood

api, javascript, webdev, http
Image
Building a LinkedIn Post Generator using Lyzr Agent-API
Image
Building a Financial Literacy Assistant using Lyzr SDK

ai, programming, tutorial, learning
Image
What Are the Best American Express Cards for Earning Points on Groceries?

usa, usaamericanexpress, usabusiness, usabusinesscategory
Image
Highly Recommended: 'Quick Start with Jenkins' Course

labex, programming, course, jenkins
Image
Optimizing CSS time-based animations with new CSS functions

css, webdev
Image
How do you approach testing and debugging in a microservices architecture during software development?

discuss
Image
i am new and i am also 16 years old frum Turkey.
Image
How Has Apple’s Role in Education Evolved with Its Technology?
Image
Understanding Your Data: The Essentials of Exploratory Data Analysis

machinelearning, datascience, python
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .