As a penetration tester or defender, you need the ability to spot what is missing or hidden. Today we will learn about discovering content on a web server.

Let’s discover the vulnerabilities.

1. Using a common wordlist for discovering content, enumerate http://MACHINE_IP to find the location of the administrator dashboard. What is the name of the folder?

admin

I ran gobuster to brute-force the directory.

And I got it.
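From the defender's side, as an added example that is not part of the original write-up: a wordlist scan like the one above leaves a distinctive trace in the web server's access log, a burst of 404 responses for many different paths from one client. The Python below parses combined-format log lines and flags that pattern; the log lines, IP addresses, user agents and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/Nginx "combined" log format (not from the page):
# 203.0.113.7 requests many missing paths within seconds; 198.51.100.4 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2021:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
203.0.113.7 - - [03/Dec/2021:10:00:01 +0000] "GET /config HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
203.0.113.7 - - [03/Dec/2021:10:00:02 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
203.0.113.7 - - [03/Dec/2021:10:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
203.0.113.7 - - [03/Dec/2021:10:00:03 +0000] "GET /admin HTTP/1.1" 301 178 "-" "gobuster/3.1.0"
198.51.100.4 - - [03/Dec/2021:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Dec/2021:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "ua": m.group("ua"),
            "status": int(m.group("status")),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_dir_scans(log_text, window_s=60, threshold=4):
    """Flag IPs with >= threshold distinct 404 paths inside any window_s-second span.
    Returns {ip: {"count": n, "paths": [...], "user_agents": [...]}}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:        # only misses count as scan evidence
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward so recs[start..end] spans at most window_s
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_s:
                start += 1
            paths = {r["path"] for r in recs[start:end + 1]}
            if len(paths) >= threshold:
                flagged[ip] = {"count": len(paths), "paths": sorted(paths),
                               "user_agents": sorted({r["ua"] for r in recs})}
                break
    return flagged
```

Calling `find_dir_scans(SAMPLE_LOG)` flags only 203.0.113.7; the 301 for /admin is not counted, so the hit itself is found by looking at what the scanner got right after the run of misses.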

2. In your web browser, try some default credentials on the newly discovered login form for the “administrator” user. What is the password?

administrator

I looked at the page source and found a JavaScript file. That is very interesting.

(Screenshot: admin page source)

The programmer’s mistake was to put the username and password in the client-side code, where anyone reading the page source can see them.

3. Access the admin panel. What is the value of the flag?

THM{ADM1N_AC3SS}

Just log in with the username and password I found earlier.

Conclusion

On day 3, we learned how to use gobuster to discover web directories and how to look for vulnerable code. If you are interested in this challenge, here is the link: https://tryhackme.com/room/adventofcyber3

Did you learn something today?
Keep moving forward, thanks.

[Day 3] Web Exploitation Christmas Blackout | Advent of Cyber 3 (2021) was originally published in InfoSec Write-ups on Medium.