THM Walking An Application - grunt92/IT-Sec-WriteUps GitHub Wiki
Walking An Application
I confirm that I have deployed the virtual machine and opened the website.
No answer needed
Exploring The Website
Read the above.
No answer needed
Viewing The Page Source
What is the flag from the HTML comment?
Check the source code of the main page and look for the comment at the top of the page. There you will find a link ("/new-home-beta"). Follow the link to get the flag.
THM{HTML_COMMENTS_ARE_DANGEROUS}
What is the flag from the secret link?
Look at the source code of the main page, find the href pointing to "/secret-page" and click on the link to get the flag.
THM{NOT_A_SECRET_ANYMORE}
What is the directory listing flag?
Run dirbuster and you will see that an "asset" directory exists. Visit the directory and you will see that it contains a "flag.txt" file. Open the file to get the flag.
THM{INVALID_DIRECTORY_PERMISSIONS}
What is the framework flag?
Check the source code of the main page again for comments. In the second comment, at the bottom of the page, you will find another link ("https://static-labs.tryhackme.cloud/sites/thm-web-framework"). Follow the link and you get to the page of the framework the site is built with. There you can access the change log. In the log for version 1.3 there is another link (/tmp.zip). Follow the link to download a .zip file and extract it to get a flag.txt file. This file contains the flag.
THM{KEEP_YOUR_SOFTWARE_UPDATED}
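The manual source review in this section can also be run by a site owner as a pre-release check. The following is an added example, not part of the original write-up or the room: it lists paths and URLs mentioned in HTML comments and links that are not on the intended public route list. The sample HTML, `PUBLIC_ROUTES` and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page, modelled on the findings described in this section.
SAMPLE_HTML = """<!--
This page is temporary while we work on the new homepage @ /new-home-beta
-->
<html><body>
<a href="/">Home</a> <a href="/news">News</a> <a href="/contact">Contact</a>
<p>Our staff are <a href="/secret-page">ready</a> to help.</p>
<!-- Page built with a web framework, see
https://static-labs.tryhackme.cloud/sites/thm-web-framework -->
</body></html>"""

# Assumption: the routes the owner intends visitors to reach.
PUBLIC_ROUTES = {"/", "/news", "/contact"}

# Absolute URLs, or site-relative paths such as /new-home-beta.
REF_RE = re.compile(r"https?://[^\s\"'<>]+|(?<![\w/])/[\w\-./]+")


class SourceAudit(HTMLParser):
    """Collects what any visitor can read via 'View Page Source'."""

    def __init__(self):
        super().__init__()
        self.comment_refs = []  # paths/URLs leaked inside HTML comments
        self.hrefs = []         # every anchor target on the page

    def handle_comment(self, data):
        self.comment_refs.extend(REF_RE.findall(data))

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def audit(html, public_routes):
    """Return (references in comments, links outside the public route list)."""
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    # Compare on the path only, so query strings do not hide a route.
    unexpected = [h for h in parser.hrefs if urlsplit(h).path not in public_routes]
    return parser.comment_refs, unexpected


if __name__ == "__main__":
    print(audit(SAMPLE_HTML, PUBLIC_ROUTES))
```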
Developer Tools - Inspector
What is the flag behind the paywall?
Navigate to "/news/article?id=3". You will get a notification that you have to be a premium customer to get access. Inspect the page and search for "premium"; you will find "premium-customer-blocker". Click on the class and you can edit the rule in "style.css" that applies to the premium-customer-blocker. Change the "display" value from "block" to "none". Go back to the article and the notification is gone.
THM{NOT_SO_HIDDEN}
Developer Tools - Debugger
What is the flag in the red box?
Navigate to the /contact page and open the Developer Tools. If you are using Firefox you can open the Debugger and inspect "flash.min.js". At the end of the script you find the statement flash['remove'](); Setting a breakpoint at this line or at the previous line and reloading the page shows you the flag.
THM{Catch_me_if_you_can}
Developer Tools - Network
What is the flag shown on the contact-msg network request?
On the contact page you can send a message. Make sure that the Developer Tools are open and that you are on the "Network" tab. After the message is sent, you should get a new entry called "contact-msg". Double-click on the entry and you get the flag.
"THM{GOT_AJAX_FLAG}"