NahamStore has been created to test what you've learnt from NahamSec's "Intro to Bug Bounty Hunting and Web Application Hacking" Udemy course. Deploy the machine and, once you've got an IP address, move on to the next step!

To start the challenge you'll need to add an entry into your /etc/hosts or c:\windows\system32\drivers\etc\hosts file pointing to your deployed TryHackMe box.
For Example:
MACHINE_IP nahamstore.thm
When enumerating subdomains you should perform it against the nahamstore.com domain. When you find a subdomain you'll need to add an entry into your /etc/hosts or c:\windows\system32\drivers\etc\hosts file pointing towards your deployed TryHackMe box IP address, replacing .com with .thm. For example, if you discover the subdomain something.nahamstore.com you would add the following entry:
MACHINE_IP something.nahamstore.thm
You'll now be able to view http://something.nahamstore.thm in your browser.
The tasks can be performed in any order, but we suggest starting with subdomain enumeration.

What HTTP header can be used to create a Stored XSS?
What HTML tag needs to be escaped on the product page to get the XSS to work?
What JavaScript variable needs to be escaped to get the XSS to work?
What hidden parameter can be found on the shop home page that introduces an XSS vulnerability?
What HTML tag needs to be escaped on the returns page to get the XSS to work?
What is the value of the H1 tag of the page that uses the requested URL to create an XSS?
What other hidden parameter can be found on the shop which can introduce an XSS vulnerability?
Open Redirect Two
What field can be removed to defeat the CSRF protection?
What simple encoding is used to try and CSRF-protect a form?
In the web application, you'll find two IDOR vulnerabilities that allow you to read other users' information.
1) An existing user has an address in New York; find the first line of the address.
2) The date and time of order ID 3.
Blind XXE Flag
Second RCE flag
Flag 2 ( blind )