Sustah - TryHackMe

0xsanz
7 min read · Feb 9, 2021

Play a game to gain access to a vulnerable CMS. Can you beat the odds? The developers have added anti-cheat measures to their game. Are you able to defeat the restrictions to gain access to their internal CMS?

Where to find this room?

https://tryhackme.com/room/sustah

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.59.72

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,8085 10.10.59.72

Directory Busting

⇒ ffuf -u http://10.10.112.173:8085/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c

Here we have port 80 and port 8085, both hosting some kind of website. Exploring the page on port 80 doesn't reveal anything, while the page on port 8085 shows a spinning wheel and an input field for guessing a number.

Put some arbitrary number in this input box and observe the request response in Burp Suite:

In the response we can see some headers returned (highlighted above) which point to rate-limit checks being applied by the server. To verify this, I tried brute-forcing the input field with Burp Suite Intruder and got blocked by the server's rate limit. So the way forward is to bypass this server-side rate limit. After searching around I found this Burp Suite extension code and experimented with all the headers that can be added to a request to bypass rate limits:
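As an added illustration (not code from the room or this write-up) of why a limiter can be defeated by adding request headers, here is a small Python fixed-window rate limiter whose client key is derived two ways: the weak version trusts any X-Forwarded-For header, while the hardened version only honours that header when the TCP peer is a trusted reverse proxy. The header name, the trusted proxy address and the replayed traffic are assumptions constructed for the example, not values taken from the room.

```python
import time
import ipaddress

# Assumed address of our own reverse proxy; only it may set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
LIMIT = 5     # requests allowed per window
WINDOW = 60   # window length in seconds


class RateLimiter:
    """Fixed-window counter keyed by whatever identifies the client."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.buckets = {}  # key -> (window_start, count)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:  # window expired, start a fresh one
            start, count = now, 0
        count += 1
        self.buckets[key] = (start, count)
        return count <= self.limit


def naive_client_key(peer_ip, headers):
    # Weak: any client can send X-Forwarded-For, so it chooses its own bucket.
    return headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()


def hardened_client_key(peer_ip, headers):
    # Only a trusted proxy may speak for the client; take the rightmost hop,
    # which is the address that trusted proxy appended. Otherwise the socket
    # peer address is the one value the client cannot pick for itself.
    xff = headers.get("X-Forwarded-For")
    if xff and ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return peer_ip


def replay(key_func, requests):
    """Feed constructed (time, peer_ip, headers) tuples to a fresh limiter
    and return how many requests were allowed through."""
    limiter = RateLimiter()
    return sum(limiter.allow(key_func(peer, hdrs), now=t) for t, peer, hdrs in requests)


# Constructed traffic: one peer sends 20 guesses within a minute, forging a
# different X-Forwarded-For value on every request to dodge the limiter.
SPOOFED = [(i, "203.0.113.7", {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(20)]
```

Running `replay(naive_client_key, SPOOFED)` lets all 20 guesses through, while `replay(hardened_client_key, SPOOFED)` stops after the configured 5, which is the behaviour a server-side check needs to actually enforce the game's limit.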

0xsanz

Software developer with a keen interest in security, privacy and pen-testing. Certs: Security+, PenTest+, AZ900, AZ204