En-pass — TryHackMe

0xsanz
5 min read · Feb 10, 2021

This is the write-up for TryHackMe’s room named En-pass: Get what you can’t. This room can be found at this URL:

https://tryhackme.com/room/enpass

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.248.167

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,8001 10.10.248.167

So we have SSH on port 22 and a website on port 8001. First, let’s explore the website. Open it in your favorite browser and we see some images with text printed on them. We can view all of this text by viewing the source of the web page:

Ehvw ri Oxfn!! is a Caesar cipher for Best of Luck with a shift value of 3

U2FkCg== is base64 for Sad

Well, looks like we were trolled.
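The two decodings above can be reproduced with a short script that tries base64 first and then all Caesar shifts. This is an added example, not part of the original write-up; the function names and the small scoring word list are assumptions made for illustration.

```python
import base64
import binascii
import string

# Constructed word list, used only to score candidate plaintexts.
COMMON = {"the", "of", "and", "best", "luck", "you", "is", "to", "in", "for"}

def caesar_shift(text, shift):
    """Shift ASCII letters back by `shift`, leaving other characters alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def score(text):
    """Count how many words of `text` appear in the COMMON list."""
    words = [w.strip(string.punctuation).lower() for w in text.split()]
    return sum(w in COMMON for w in words)

def best_caesar(text):
    """Try shifts 1..25; return (shift, plaintext) or None if nothing scores."""
    best = max(range(1, 26), key=lambda s: score(caesar_shift(text, s)))
    plain = caesar_shift(text, best)
    return (best, plain) if score(plain) > 0 else None

def try_base64(text):
    """Return the decoded text if `text` is strict base64 of printable ASCII."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded and decoded.isprintable() else None

def triage(s):
    """Classify one string pulled from the page source."""
    decoded = try_base64(s)
    if decoded is not None:
        return ("base64", decoded)
    guess = best_caesar(s)
    if guess:
        return ("caesar shift %d" % guess[0], guess[1])
    return ("unknown", s)

if __name__ == "__main__":
    for hint in ["Ehvw ri Oxfn!!", "U2FkCg=="]:  # strings quoted in the write-up
        print(hint, "->", triage(hint))
```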

Gobuster

Time for directory brute forcing. Let’s use gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt -u http://10.10.240.162:8001 -t 40

Explore /reg.php found above:

If we input something, e.g. 1234, the response from the server contains the following PHP code:
