Hammer

Check out the Medium blog post here:

TryHackMe Hammer Walkthrough: Bypassing Rate Limit & Exploiting JWTMedium

Overview

This challenge room presents an interesting mix of issues such as information exposed within the source code, and vulnerabilities with authentication mechanisms.

SPOILERT ALERT: the list below displays an overview of the vulnerabilities.

The following is an outline of the vulnerabilities presented in this CTF:

Information exposure in source code
Vulnerable rate limiting logic
Vulnerable JWT implementation

Trying to access port 80

failed, port 80 not open

Using nmap to discover web application port

$ nmap <target> -p- -v
...
port 1137
...

found port 1337 (labelled as waste, but is actually running a HTTP web server)

Initial view

Upon visiting the base URL (/), I was presented with a login page. Below the form, there is a link to a reset password page that accepts an email address. It appears that we have to find an email address that is used in the application.

PreviousPickle Rick NextEnumeration (active recon)

Last updated 7 months ago

Overview

Trying to access port 80

Using nmap to discover web application port

Initial view

Login page