Neighbour — THM Walkthrough
Summary: An Nmap scan of the target host found SSH and HTTP open. The HTTP service presented a login page, and the page source disclosed guest credentials (guest:guest). After logging in, a modifiable user parameter in the URL made it possible to retrieve another user's profile and obtain the flag flag{66be95c478473d91a5358f2440c7af1f}.
2026-1-6 05:22:36 Author: infosecwriteups.com (view original) Views: 2

Initial Reconnaissance

Even though this is an IDOR-focused room, I started with a quick Nmap scan to check exposed services.

~$ nmap -sV 10.49.151.21

The scan completed cleanly and confirmed that the host was reachable. Of the default top-1000 TCP ports that Nmap probes without a -p option, only two were open.

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp open http Apache httpd 2.4.53

SSH was open, but the web service on port 80 was clearly the main attack surface.

Web Exploitation

I navigated to the web application running on port 80 and was presented with a simple login interface.

At first glance, the page looked intentionally minimal. One detail stood out immediately: a message below the login form referencing a guest account, along with a hint to inspect the page source (Ctrl+U).


Opening the source code revealed a commented line that hadn’t been removed during development:


<!-- use guest:guest credentials until registration is fixed. "admin" user account is off limits!!!!! -->

That single comment explained the next step without needing any guesswork. I logged in using the provided guest credentials.


Once authenticated, I was redirected to a profile page associated with the guest user.

Capturing the Flag

While reviewing the page, I noticed the structure of the URL in the address bar:

http://10.49.151.21/profile.php?user=guest

The application was using the username itself as the object reference in the request, and nothing tied that reference to the session I had authenticated as. This is the classic IDOR pattern (CWE-639, authorization bypass through a user-controlled key). I modified the value of the user parameter in the URL and loaded the page again.


The response changed immediately, and the protected content became visible. The flag was displayed directly on the page.

flag{66be95c478473d91a5358f2440c7af1f}
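The walkthrough never shows the server-side source of profile.php, so the following is an added example of my own, not code from the room or from the author: it models the vulnerable handler as the text describes it (the user parameter is the object reference and the only check is that a session exists), the same handler with an authorization check, and a small probe that reports which references a given session can read that it should not. The user records, the session class, the role names and the placeholder flag are all constructed for the illustration; the page does not state which username was substituted to reach the flag.

```python
"""Modelled IDOR in a profile endpoint, and the authorization check that closes it.

Added example; not the room's source. The user table, the Session type, the
role names and the flag value below are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed sample data standing in for the application's user table.
USERS = {
    "guest": {"role": "user", "bio": "Temporary guest account.", "flag": None},
    "admin": {"role": "admin", "bio": "Site administrator.", "flag": "flag{constructed-example}"},
    "alice": {"role": "user", "bio": "Regular user.", "flag": None},
}


@dataclass
class Session:
    username: str  # the principal that authenticated (guest in the room)


def profile_vulnerable(session, user_param):
    """Mirrors profile.php?user=<name> as the walkthrough describes it: the
    request parameter is the object reference and the only check is that
    *some* session exists, so any logged-in user can read any profile."""
    if session is None:
        return 302, "redirect to /login"
    record = USERS.get(user_param)
    if record is None:
        return 404, "no such user"
    return 200, record


def profile_fixed(session, user_param):
    """Same endpoint with an authorization check: the reference supplied by the
    client must match the authenticated principal, unless that principal holds
    a role permitted to read other users' profiles. The check runs before the
    lookup so a non-admin never learns whether a username exists."""
    if session is None:
        return 302, "redirect to /login"
    caller = USERS[session.username]
    if user_param != session.username and caller["role"] != "admin":
        return 403, "forbidden"
    record = USERS.get(user_param)
    if record is None:
        return 404, "no such user"
    return 200, record


def probe_idor(fetch, session, own_id, candidates):
    """Generic IDOR probe: request every candidate reference with the same
    session and report those that return 200 with content different from the
    caller's own object. `fetch(session, ref) -> (status, body)` could wrap a
    real HTTP client; here it wraps the simulated handlers above."""
    _, own_body = fetch(session, own_id)
    hits = []
    for ref in candidates:
        status, body = fetch(session, ref)
        if status == 200 and ref != own_id and body != own_body:
            hits.append(ref)
    return hits


if __name__ == "__main__":
    guest = Session("guest")
    targets = ["admin", "alice", "nobody"]
    print("vulnerable handler leaks:", probe_idor(profile_vulnerable, guest, "guest", targets))
    print("fixed handler leaks:     ", probe_idor(profile_fixed, guest, "guest", targets))
```

The probe is deliberately decoupled from the transport: the same function can be pointed at a wrapper around a real session cookie when testing an application such as the one in this room, and the comparison against the caller's own profile filters out endpoints that simply echo the same page for every value.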


Conclusion

This room was short and straightforward, but it highlights a real-world issue that often gets overlooked. The application authenticated me correctly and then trusted a client-supplied identifier to decide whose data to return; a single missing authorization check was enough to expose another user's data. Challenges like this reinforce that authentication (proving who you are) and authorization (deciding what that identity may access) are separate controls, and the second matters just as much as the first in web applications.

Thanks for taking the time to read this walkthrough.

For more TryHackMe labs and writeups, check out my GitHub repository:
🔗 THM Walkthroughs

More walkthroughs will be added as I continue solving new rooms.


Source: https://infosecwriteups.com/neighbour-thm-walkthrough-a35ec8cdd069?source=rss----7b722bfd1b8d---4