We covered a beginner web hacking challenge in which we inspected the source code of the given page, examined the PHP code, and eventually found a function that discloses sensitive credentials.
Initial Reconnaissance and Web Page Exploration
I started by using the AttackBox on TryHackMe. My first step was to open a terminal and run an `nmap` scan on the target IP address. This helps in identifying open ports and services, which is crucial for understanding the target’s network footprint. While the `nmap` scan was running, I simultaneously opened the web page associated with the challenge.
The web page greeted me with a “Welcome Heroes” message and, more importantly, a login section. I navigated directly to this login form, knowing that this was the primary target for the challenge.
Analyzing the Login Form and Discovering the JavaScript
Instead of immediately trying common methods like SQL injection or brute-forcing, I opted for a more fundamental approach: viewing the page source. I always find it beneficial to inspect the source code of login forms. It often reveals hidden parameters, client-side scripts, or other clues that can simplify the bypass process.
In this case, my intuition paid off! I found an interesting JavaScript script embedded within the page source. This was the key to understanding how the login mechanism worked.
Deconstructing the JavaScript and Extracting Credentials
I carefully examined the JavaScript. It contained an `authenticate` function, which was triggered when the login button was clicked. This function took both the username and password as input.
Here’s what I discovered:
- Username: The script hardcoded the expected username as `cyberheroes`. This was the first piece of the puzzle!
- Password: For the password, the script defined a constant called `reverseString`. It then compared the entered password to the reversed version of a specific string found within the script itself. This meant the string I saw in the JavaScript was not the actual password, but its reverse.
Reversing the Password and Gaining Access
To get the actual password, I needed to reverse the string I found in the JavaScript. I decided to use a Python interpreter for this task, as it’s a quick and efficient way to manipulate strings.
Here are the technical commands I used in the terminal:

```
$ python                                                     # open the Python interpreter
>>> reversed_password_string = "your_reversed_string_here"   # replace with the actual reversed string from the JavaScript
>>> actual_password = reversed_password_string[::-1]         # slicing with a step of -1 reverses the string
>>> print(actual_password)                                   # display the original, unreversed password
```
With the username (`cyberheroes`) and the now-discovered actual password, I successfully logged into the application. Upon successful login, the flag was displayed, completing the challenge!
Conclusion
This challenge was quite straightforward, primarily requiring basic page source analysis and a good understanding of a simple JavaScript function. It highlighted the importance of always checking the client-side code for vulnerabilities or hidden information.