
NahamStore

In this room you will learn the basics of bug bounty hunting and web application hacking

medium

75 min


Task 1 NahamStore

NahamStore has been created to test what you've learnt with NahamSec's "Intro to Bug Bounty Hunting and Web Application Hacking" Udemy Course. Deploy the machine and, once you've got an IP address, move on to the next step!

Udemy Course created by @NahamSec | Labs created by @adamtlangley



Answer the questions below

I have deployed the machine

To start the challenge you'll need to add an entry to your /etc/hosts or c:\windows\system32\drivers\etc\hosts file pointing to your deployed TryHackMe box.

For Example:

MACHINE_IP                  nahamstore.thm

When enumerating subdomains you should perform it against the nahamstore.com domain. When you find a subdomain you'll need to add an entry to your /etc/hosts or c:\windows\system32\drivers\etc\hosts file pointing to your deployed TryHackMe box IP address, substituting .thm for .com. For example, if you discover the subdomain something.nahamstore.com you would add the following entry:

MACHINE_IP          something.nahamstore.thm

You'll now be able to view http://something.nahamstore.thm in your browser.
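The hosts-file step above is easy to get wrong by hand (forgetting the .com to .thm swap, or adding the same name twice). The following POSIX shell helpers are an added example, not part of the TryHackMe room: `thm_hostname` performs the .com to .thm substitution, `thm_hosts_line` builds the entry, and `thm_hosts_add` appends it to a hosts file only if that hostname is not already mapped. The IP address 10.10.10.10 and the scratch file used in the usage comments are constructed; in practice you pass the MACHINE_IP shown on the room page and run against /etc/hosts as root.

```shell
# Added example (not from the TryHackMe room): hosts-file helpers for the
# nahamstore.com -> nahamstore.thm substitution described in the task.

# thm_hostname NAME
# Prints NAME with a trailing .com replaced by .thm; any other name
# (e.g. one already ending in .thm) is printed unchanged.
thm_hostname() {
    case "$1" in
        *.com) printf '%s\n' "${1%.com}.thm" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# thm_hosts_line IP NAME
# Prints the hosts-file line "IP<TAB>name.nahamstore.thm".
thm_hosts_line() {
    printf '%s\t%s\n' "$1" "$(thm_hostname "$2")"
}

# thm_hosts_add IP NAME [HOSTS_FILE]
# Appends the entry to HOSTS_FILE (default /etc/hosts, which needs root).
# Returns 1 without writing if the hostname is already mapped, so repeated
# runs never produce duplicate entries.
thm_hosts_add() {
    ip="$1"
    host="$(thm_hostname "$2")"
    hosts="${3:-/etc/hosts}"
    # match the hostname as a whole field: preceded by whitespace and
    # followed by whitespace or end of line
    if grep -qE "[[:space:]]$host([[:space:]]|\$)" "$hosts" 2>/dev/null; then
        printf 'already present in %s: %s\n' "$hosts" "$host" >&2
        return 1
    fi
    printf '%s\t%s\n' "$ip" "$host" >> "$hosts"
}

# Usage (constructed IP; replace with the MACHINE_IP from the room page):
#   sudo sh -c '. ./thm_hosts.sh; thm_hosts_add 10.10.10.10 something.nahamstore.com'
# To try it safely first, point it at a scratch file instead of /etc/hosts:
#   thm_hosts_add 10.10.10.10 something.nahamstore.com /tmp/hosts.test
```

The duplicate check matters because a second entry for the same name is silently ignored by the resolver but makes the file confusing once you have several subdomains mapped; the function refuses and tells you which file already has the mapping.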

The tasks can be performed in any order, but we suggest starting with subdomain enumeration.

Answer the questions below

I understand!
Using a combination of subdomain enumeration, brute force, content discovery and fuzzing, find all the subdomains you can and answer the questions below.

Answer the questions below

Jimmy Jones SSN

We've put quite a few XSS vulnerabilities into the web application. See if you can find them all and answer the questions below.

Answer the questions below

Enter a URL (including parameters) of an endpoint that is vulnerable to XSS

What HTTP header can be used to create a Stored XSS?

What HTML tag needs to be escaped on the product page to get the XSS to work?

What JavaScript variable needs to be escaped to get the XSS to work?

What hidden parameter can be found on the shop home page that introduces an XSS vulnerability?

What HTML tag needs to be escaped on the returns page to get the XSS to work?

What is the value of the H1 tag of the page that uses the requested URL to create an XSS?

What other hidden parameter can be found on the shop which can introduce an XSS vulnerability?

Find two URL parameters that produce an Open Redirect.

Answer the questions below

Open Redirect One

Open Redirect Two

It's possible to change other users' data just by getting them to visit a website you've crafted. Explore the web app's forms to find what could be vulnerable to a CSRF attack.

Answer the questions below

What URL has no CSRF protection?

What field can be removed to defeat the CSRF protection?

What simple encoding is used to try and CSRF protect a form?

In the web application, you'll find two IDOR vulnerabilities that allow you to read other users' information.

1) An existing user has an address in New York, find the first line of the address.

2) The date and time of order ID 3

Answer the questions below
First Line of Address

Order ID 3 date and time

Somewhere in the application is an endpoint which allows you to read local files. We've placed a document at /lfi/flag.txt for you to find the contents.

Answer the questions below

LFI Flag

The application has an SSRF vulnerability. See how you can exploit it to view an API that shouldn't be available.

Answer the questions below

Credit Card Number For Jimmy Jones

Somewhere in the application, there is an endpoint that is vulnerable to an XXE attack. You can use this vulnerability to retrieve files on the server. We've hidden a flag in /flag.txt to find.

Answer the questions below

XXE Flag

Blind XXE Flag

Find ways to run commands on the webserver. You'll find the flags in /flag.txt.

Answer the questions below

First RCE flag

Second RCE flag

There are 2 SQL Injection vulnerabilities somewhere in the NahamStore domain. One will return data to the page and the other is blind. The flags can be found in the database tables called sqli_one & sql_two, in the column named flag.

Answer the questions below

Flag 1

Flag 2 (blind)

Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room: 16,284

Created: 1647 days ago
