TRAVERSE

https://tryhackme.com/room/traverse

Walkthrough for "Traverse"

Tourism web application

Recon

nmap-auto $IP basic

PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Enumeration

Navigating to the website shows the following:

The site has been defaced, it's our job to figure out how. The first thing I noticed is that the site is referenced as "tourism.mht" and since port 53 (dns) is up, then it is likely that utilizing that domain name will fetch additional resources. So by editing the hosts file with the line: $TARGET_IP_HERE tourism.mht, the browser will then be able to render http://tourism.mht/. This ends up being an important step because it reveals an additional js file in the sources of the page: "custom.min.js"

The next thing to do is inspect the elements and sources using the browser inspector. In the sources is a file called "custom.min.js" with obfuscated text in it (made available by utilizing the domain name rather than the IP). Since the text is in pairs of 2 characters with only values [1-9a-f], this is easily recognizable as hex.

Decoding and beautifying the code produces the following:

(function() {
	function doNothing() {}
	var n = "DIRECTORY";
	var e = "LISTING";
	var o = "IS THE";
	var i = "ONLY WAY";
	var f = null;
	var l = false;
	var d;
	if (f === null) {
		console.log("Flag:" + n + " " + e + " " + o + " " + i);
		d = undefined
	} else if (typeof f === "undefined") {
		d = undefined
	} else {
		if (l) {
			d = undefined
		} else {
			(function() {
				if (d) {
					for (var n = 0; n < 10; n++) {
						console.log("This code does nothing.")
					}
					doNothing()
				} else {
					doNothing()
				}
			})()
		}
	}
})();

JS Flag: DIRECTORY LISTING IS THE ONLY WAY

The next part of the assignment involves doing some guess work or directory busting. Although the paths are easily guessable, the following command can be used to do directory fuzzing given a directory list:

gobuster dir -u "http://tourism.mht/" -w directories.txt

Navigating to http://tourism.mht/logs/ shows a single file "email_dump.txt":

From: Bob <bob@tourism.mht>
To: Mark <mark@tourism.mht>
Subject: API Credentials

Hey Mark,

Sorry I had to rush earlier for the holidays, but I have created the directory for you with all the required information for the API.
You loved SSDLC so much, I named the API folder under the name of the first phase of SSDLC.
This page is password protected and can only be opened through the key. THM{100100111}

See ya after the holidays

Bob.

There is a good amount of information here that can be utilized in the future:

• Emails: bob@tourism.mht & mark@tourism.mht

• Folder Name: "/planning"

• Key: THM{100100111}

• Existing API

Key for "planning" API folder: THM{100100111}

Navigating to the planning folder and unlocking it with the key gives a page with instructions for utilizing the API which can be very important to getting sensitive information:

Enumerating the API gives information on 8 users including 1 admin which can be reached at http://tourism.mht/api/?customer_id=3:

{
  "data": {
    "id": "3",
    "name": "admin",
    "email": "realadmin@traverse.com",
    "password": "admin_key!!!",
    "timestamp": "2023-05-23 04:47:25",
    "role": "admin",
    "loginURL": "/realadmin",
    "isadmin": "1"
  },
  "response_code": 200,
  "response_desc": "Success"
}

username: realadmin@traverse.com

password: admin_key!!!

path: http://tourism.mht/realadmin/

Logging in to the page presents us with a nice ui:

Cool! So the page has a "main.php" script that sends a POST request with a parameter "commands". Using firefox or burpsuite, it's possible to modify the POST request to execute any command and get RCE. I tested it with cat /etc/passwd and it returned all the users. Testing the ls command also returned some interesting files along with a password for the file manager:

File Manager: THM{10101}

Credentials > admin ::: THM{10101}

Going to the file manager and logging in gives us access to all the files under 'www-data's directory. From here, a whole variety of shells and backdoors can be uploaded. But for the sake of this walkthrough, the answer lies in the php of the file "index.php".

Final Flag: THM{WEBSITE_RESTORED}