Offensive Security Intro
Hack your first website (legally in a safe environment) and experience an ethical hacker's job.
easy
15 min
To access material, start machines and answer questions login.
"To outsmart a hacker, you need to think like one."
This is the core of "Offensive Security." It involves breaking into computer systems, exploiting software bugs, and finding loopholes in applications to gain unauthorized access. The goal is to understand hacker tactics and enhance our system defences.
Beginning Your Learning Journey
In this TryHackMe room, you will be guided through hacking your first website in a legal and safe environment. The goal is to show you how an ethical hacker operates.
Our labs can also be reverted to their initial state, so don't be afraid to break the machine. Experiment as much as you like, we got you covered!
Which of the following options better represents the process where you simulate a hacker's actions to find vulnerabilities in a system?
- Offensive Security
- Defensive Security
Here at TryHackMe, we use Virtual Machines to create simulated environments that serve as practical complements to rooms.
In this room, we have prepared a fake bank application called FakeBank that you can safely hack. The virtual machine with the application should start automatically for you. If it doesn't, click on the Start Machine button below.
 |
Your screen should be split in half, showing this content on the left and the newly launched machine on the right. If you hide it later, you can always click on the Show Split View button at the top to display it again. You should see a browser window showing the website below:
Can't see the virtual machine? Click here for help!
If you don't see the one shown above, use the "Show Split View" button at the top of this page.
What is your bank account number in the FakeBank web application?
Briefing
Our goal is to find a way to hack the FakeBank application to steal money. For that purpose, they have provided us with an account in the bank, just as if we were a regular user.
One of the easiest ways we can try to hack the application is by finding hidden features in the application. Sometimes, applications will expose sensitive functionality to users via secret URLs. If we can find such URLs, we might be able to perform actions that a regular user is not supposed to do.
To find hidden URLs, we will use a tool called dirb. This tool uses a brute-force approach, by taking a list of potential page names and testing one by one if they exist in your website. This approach works because people use predictable names a lot of times.
Opening A Terminal
A terminal, also known as the command line, is a program that allows us to send text-based commands to the computer. A lot of hacking tools, including dirb, need to be executed from a terminal.
On the machine, open the terminal by clicking on the Terminal icon on the right of the screen.
Using dirb To Find Hidden Website Pages
Using dirb is quite simple. Using the terminal, write the dirb command followed by the URL of the website you want to brute-force. Be sure to press ENTER in your keyboard to execute the command:
dirb http://fakebank.thmThe command will take a minute to run and show you an output similar to this:
ubuntu@tryhackme:~/Desktop$ dirb http://fakebank.thm
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Apr 17 16:29:52 2025
URL_BASE: http://fakebank.thm/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4610
---- Scanning URL: http://fakebank.thm/ ----
+ http://fakebank.thm/bank-deposit (CODE:200|SIZE:4663)
+ http://fakebank.thm/images (CODE:301|SIZE:179)
-----------------
END_TIME: Thu Apr 17 16:29:59 2025
DOWNLOADED: 4610 - FOUND: 2
The output of the command might look a bit intimidating, but here's a simple breakdown of what is reported:
- The first section of the output tells us the URL_BASE we scanned, which is just the URL we gave the tool. It also shows the location of the wordlist file used by the tool, which contains common page names that will be tested during the brute-force attack. In this case, the tool uses the default wordlist included with the tool, located at
/usr/share/dirb/wordlists/common.txt. There's a copy of thecommon.txtfile in your desktop as well, if you want to explore it. - The lines starting with a
+sign are the results of the scan. In this case, dirb was able to find two URLs for you. Try opening them in the machine's browser! You might find something interesting.
Dirb should have found 2 hidden URLs. One of them is http://fakebank.thm/images. What is the other one?
You should have found a secret page that allows you to add funds to a bank account (http://fakebank.thm/bank-deposit). Type the hidden page into the FakeBank website using the browser's address bar.
From this page, you should be able to add funds to your bank account (remember your bank account number is 8881). Let's add $2000 to it:
If you managed to add $2000 or more to your account, you should be able to see your new balance reflected on your account page. Press the Return to Your Account button at the end of the deposit receipt to go there now and confirm you got the money!
If your balance is now positive, a pop-up should appear with some green words in it. Input the green words as the answer to this question (all in uppercase).
(You may need to hit Refresh if you closed the pop-up already)
Created by
Room Type
Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!
Users in Room
227,622
Created
113 days ago
Ready to learn Cyber Security? Create your free account today!
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in