Hello, and welcome to this post detailing how to solve the TryHackMe room “Neighbour”, a beginner room marked as Easy, with an estimated time of 30 minutes to complete.
In this room, you are testing a new cloud service called Authentication Anywhere. It allows you to log in from anywhere after entering your username and password, supposedly making the process completely secure. Or is it?
Start by firing up both the AttackBox (using the button at the upper menu):

And the target machine (which can be done from inside Task 1, by using the “Start Machine” button):

Wait until both machines are up and running. The AttackBox will open up in a side panel of the window, while you can verify the target is up by checking the status bar under “Target Machine Information”:

Checking a bit further down in the task, you can see the question we need to answer to pass the room is:
Find the flag on your neighbour’s logged in page!
Once both machines are started, from the AttackBox (which runs Kali Linux), start Firefox and navigate to the URL presented in Task 1 (which will reflect the IP address from the “Target Machine Information” above. In my case, the URL is http://10.10.202.243; yours will likely be different).

As you can see, we’re presented with a login screen, prompting for a username and password.
We don’t have actual credentials, but luckily the screen presents a hint to use the Guest Account, and to use CTRL + U, which in Firefox will show you the source HTML of the page. Alternatively, you can right-click the screen and select “View Page Source” from the pop-up menu:

In the source code, you will notice a commented line:

<!-- use guest:guest credentials until registration is fixed -->
The guest:guest notation is a commonly used format to indicate a username:password combination. So for username enter: “Guest”, and the same for the password. Tadaah, we’re in:

If you inspect the URL bar in the browser, you will see that the username has been appended to the URL: http://10.10.202.243/profile.php?user=guest
Let’s check what happens when we try to change the username directly in the URL. Change the URL to:
http://10.10.202.243/profile.php?user=packetpwn

Apparently there are no additional checks in place, and we can change our username to whatever we feel like. Let’s try using “admin”:

And there we are. We are presented with the flag.
Question: Find the flag on your neighbor’s logged in page!
flag{66be95c478473d91a5358f2440c7af1f}
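The behaviour above, where the page follows the user parameter rather than the logged-in session, is an insecure direct object reference (IDOR). The Python model below is an added example, not the room's code or part of the original walkthrough; it puts the flawed check beside a version that binds the profile to the session. The handler names, signing key, token format, host name and profile strings are all constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample data: not the room's real accounts, key or flag.
SECRET = b"constructed-demo-key"
PROFILES = {"guest": "Hi, guest!", "admin": "Hi, admin! flag{placeholder}"}


def issue_session(username):
    """Signed token 'user.signature' handed out after a successful login."""
    sig = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{sig}"


def session_user(token):
    """Return the username bound to a valid token, or None if it was forged."""
    username, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    if username and hmac.compare_digest(sig.encode(), expected.encode()):
        return username
    return None


def profile_vulnerable(url, token):
    """Flawed: checks that *someone* is logged in, then trusts ?user=."""
    if session_user(token) is None:
        return 401, "login required"
    user = parse_qs(urlparse(url).query).get("user", [""])[0]
    return 200, PROFILES.get(user, "no such profile")


def profile_hardened(url, token):
    """Fixed: identity comes from the session; ?user= may only match it."""
    me = session_user(token)
    if me is None:
        return 401, "login required"
    requested = parse_qs(urlparse(url).query).get("user", [me])[0]
    if requested != me:
        return 403, "forbidden"  # worth logging: session user != requested user
    return 200, PROFILES.get(me, "")


if __name__ == "__main__":
    guest = issue_session("guest")
    url = "http://target.example/profile.php?user=admin"  # constructed host
    print("vulnerable:", profile_vulnerable(url, guest))
    print("hardened:  ", profile_hardened(url, guest))
```

A 403 from the hardened handler means a valid session asked for someone else's profile, which is the event to alert on.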
That concludes this tutorial. I hope you enjoyed it!