Become a Hacker

Learn how TryHackMe can help you become a hacker.

easy

20 min

Task 1: What is Offensive Security?
In short, offensive security is the process of breaking into computer systems, exploiting software bugs, and finding loopholes in applications to gain unauthorized access to them.

To beat a hacker, you need to behave like a hacker, finding vulnerabilities and recommending patches before a cybercriminal does, as you'll do in this room! On the flip side, there is also defensive security, which is the process of protecting an organization's network and computer systems by analyzing and securing any potential digital threats; learn more in the digital forensics room.

In a defensive cyber role, you could be investigating infected computers or devices to understand how they were hacked, tracking down cybercriminals, or monitoring infrastructure for malicious activity.

Answer the questions below
Which of the following options better represents the process where you simulate a hacker's actions to find vulnerabilities in a system?
  • Offensive Security
  • Defensive Security

This is your first ethical hacking exercise. Not only will you learn about ethical hacking, where you will hack a test website, but you’ll also learn about how the TryHackMe platform works. To get started and follow along, click the “View Site” button in the upper right corner of this task to access the web application.

After months of working on his business idea, Mike was finally ready to launch the website! He had spent much time and effort creating a great product and was confident that people would love it.

However, Mike was also nervous about the potential for cyber threats. He knew that businesses of all sizes were being hacked every day, and he did not want to be a victim. You get a call asking you to assess his web application and see if you can spot any weaknesses. In particular, he is concerned that the software development team might have left some private pages exposed to the public. He hopes you can find them before he goes public and the bad guys find them and wreak havoc.

Are you ready to help Mike? If you haven’t done so already, click on the “View Site” button in the upper right corner of this task to access the web application. (If you don’t see the “View Site” button, you might need to scroll up.)

Screenshot of the web browser that appears on the upper part of the static site

In the upper right half, you can see a simulated browser window showing http://www.onlineshop.thm, as shown in the figure above. You can interact with the address bar.

Terminal
    Welcome to fish, the friendly interactive shell
    user@thm ~>

In the lower right half, you can access a simulated terminal, similar to the one above, to use the available security tools.

We can run many security tests, but first, let’s see if we can discover any hidden pages. Here are some pages we can try:

  • sitemap (In other words, we use the embedded browser to check if http://www.onlineshop.thm/sitemap exists.)
  • mail (As you guessed, we check if http://www.onlineshop.thm/mail exists.)
  • login
  • register
  • admin

Let’s try to discover the hidden page by using one of the words in the list above. In the simulated browser in the upper right corner, try changing the address by adding a word (listed above) to the existing URL until you discover the correct word that leads to a hidden page.

Screenshot of the web browser that appears on the upper part of the static site

(Optional) Using an Automated Tool: Gobuster

Changing the browser’s address bar is helpful if the list of pages you want to try is limited. What should we do if we have hundreds or thousands of words to try? We need to use an automated tool. A solid tool to automatically search for hidden pages is Gobuster, which runs in the terminal. In the terminal, in the lower right, we need to issue the following command:

Terminal
    user@thm ~> gobuster dir --url http://www.onlineshop.thm/ -w /usr/share/wordlists/dirbuster/directory-list.txt

    [output redacted]

The command above is made up of the following parts:

  • gobuster is the terminal command to start Gobuster
  • dir uses directory and file enumeration mode
  • --url http://www.onlineshop.thm/ sets the target website
  • -w /usr/share/wordlists/dirbuster/directory-list.txt specifies the word list to use

In the terminal on the lower right, run the command shown above. This command should let you discover the hidden page(s) in an automated manner.

Screenshot of the terminal that appears on the lower part of the static site

If you made it this far, congratulations, you have just discovered the hidden page using two different approaches!
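
From the defender's side, the word-list enumeration described above shows up in the web server's access log as one client collecting many "not found" responses in a short time. The following is an added example, not part of the original room: the log lines are constructed, and the function name, threshold and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in common log format: one client walking the page's
# word list, and one ordinary visitor who mistypes a single URL.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /sitemap HTTP/1.1" 404 153
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /mail HTTP/1.1" 404 153
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 1841
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /register HTTP/1.1" 404 153
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.9 - - [01/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.9 - - [01/Mar/2024:10:03:40 +0000] "GET /abuot HTTP/1.1" 404 153
"""

# client, timestamp, method, path, status
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_enumerators(log_text, threshold=4, window=timedelta(seconds=10)):
    """Return {client_ip: most distinct 404 paths seen inside any one window}
    for every client that reaches the threshold."""
    misses = defaultdict(list)  # ip -> [(time, path)] for 404 responses
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(5) != "404":
            continue
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        misses[m.group(1)].append((when, m.group(4)))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct missing paths requested within `window` of this event.
            paths = {p for t, p in events[i:] if t - start <= window}
            best = max(best, len(paths))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Counting distinct missing paths rather than raw 404s keeps a visitor who reloads one broken link from being flagged.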

Answer the questions below
What is the name of the hidden web page you discovered?

In Task 1, we discovered a hidden page that allows registered users to sign in. If we can figure out the username and password, we may gain access to some private sections of the web application!

Screenshot of the login page that appears on the upper part of the static site after changing the URL

One of the most common usernames is admin. We will start our attack using admin as the username and try to guess the password. Try to log in using the username admin and one of the common passwords listed below:

  • abc123
  • 123456
  • qwerty
  • password
  • 654321

Were you able to find the password and log in successfully? One of the above passwords should work with the username admin and give you access to a secret page.

(Optional) Using an Automated Tool: Hydra

We could do this task manually, as we only had to go through five passwords. But what if we have to go through thousands or tens of thousands of passwords? In that case, we can use a software tool such as Hydra. In the terminal, on the lower right, let’s run the following command:

Terminal
    user@thm ~> hydra -l admin -P passlist.txt www.onlineshop.thm http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

    [output redacted]

The command above is made up of the following parts:

  • hydra is the terminal command to start Hydra
  • -l admin attempts to log in using the username admin
  • -P passlist.txt specifies the password list to try
  • www.onlineshop.thm sets the target website
  • http-post-form indicates that this is an HTTP POST request form
  • "/login:username=^USER^&password=^PASS^:F=incorrect" specifies the shape of the HTTP POST request and how to check if the login credentials are incorrect
  • -V is used for verbose output

You do not have to worry about all the command arguments above; it is more straightforward than it appears. For now, we need to copy and paste the command above in the terminal in the lower right and watch Hydra find a valid password for us.

Log in using the password you discovered if you have not done that already.

If you have made it this far, congratulations, you have just hacked an insecure web application!
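
The guessing above works because the login form accepts an unlimited number of wrong passwords for the same account. As an added example (not part of the original room, and not the test site's code), here is a minimal login check that locks an account after repeated failures. The names LoginThrottle, MAX_FAILURES, WINDOW and replay_guesses, the limits, and the stored password are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3   # failed attempts allowed per account inside WINDOW
WINDOW = 300       # seconds


class LoginThrottle:
    """Password check with per-account lockout after repeated failures."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}     # username -> (salt, PBKDF2 hash)
        self.failures = {}  # username -> timestamps of recent failures

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Return 'ok', 'incorrect' or 'locked'."""
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < WINDOW]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            return "locked"  # refused before the password is even checked
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failures[username] = []
            return "ok"
        recent.append(now)
        return "incorrect"


def replay_guesses():
    # Constructed account: the password is placed last in the page's list so
    # that the lockout, not luck, stops the run. It is not the room's answer.
    site = LoginThrottle()
    site.add_user("admin", "654321")
    guesses = ["abc123", "123456", "qwerty", "password", "654321"]
    return [site.login("admin", g) for g in guesses]


if __name__ == "__main__":
    print(replay_guesses())
```

Per-account lockout on its own lets an outsider lock admin out on purpose, so real deployments usually pair it with per-client rate limits or increasing delays.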

Answer the questions below
What is the secret message that you have discovered?

How can I start learning?

People often wonder how others become hackers (security consultants) or defenders (security analysts fighting cybercrime), and the answer is simple. Break it down, learn an area of cyber security you're interested in, and regularly practice using hands-on exercises. Build a habit of learning a little bit each day on TryHackMe, and you'll acquire the knowledge to get your first job in the industry.

Trust us; you can do it! Just take a look at some people who have used TryHackMe to get their first security job:

  • Paul went from a construction worker to a security engineer. Read more.
  • Kassandra went from a music teacher to a security professional. Read more.
  • Brandon used TryHackMe while at school to get his first job in cyber. Read more.

What careers are there?

The cyber careers room goes into more depth about the different careers in cyber. However, here is a short description of a few offensive security roles:

  • Penetration Tester - Responsible for testing technology products to find exploitable security vulnerabilities.
  • Red Teamer - Plays the role of an adversary, attacking an organization and providing feedback from an enemy's perspective.
  • Security Engineer - Designs, monitors, and maintains security controls, networks, and systems to help prevent cyberattacks.

Answer the questions below
Read the above, and continue with the next room!

Room Type

Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room

93,132

Created

822 days ago
