wrdumpLogTHM

I am getting stuck with the last two flags for this challenge The page source is the human-readable code returned to our browser/client from the web server each time we make a request.

The returned code is made up of HTML ( HyperText Markup Language), CSS ( Cascading Style Sheets ) and JavaScript, and it's what tells our browser what content to display, how to show it and adds an element of interactivity with JavaScript.

For our purposes, viewing the page source can help us discover more information about the web application.

How do I view the Page Source? While viewing a website, you can right-click on the page, and you'll see an option on the menu that says View Page Source. Most browsers support putting view-source: in front of the URL for example, view-source:https://www.google.com/ In your browser menu, you'll find an option to view the page source. This option can sometimes be in submenus such as developer tools or more tools.

Let's view some Page Source! Try viewing the page source of the home page of the Acme IT Support website. Unfortunately, explaining everything you can see here is well out of the scope of this room, and you'll need to look into website design/development courses to understand it fully. What we can do, is pick out bits of information that are of importance to us.

At the top of the page, you'll notice some code starting with <!-- and ending with --> these are comments. Comments are messages left by the website developer, usually to explain something in the code to other programmers or even notes/reminders for themselves. These comments don't get displayed on the actual webpage. This comment describes how the homepage is temporary while a new one is in development. View the webpage in the comment to get your first flag.

Links to different pages in HTML are written in anchor tags ( these are HTML elements that start with <a ), and the link that you'll be directed to is stored in the href attribute.

For example, you'll see the contact page link on line 31:

If you view further down the page source, there is a hidden link to a page starting with "secr", view this link to get another flag. You obviously wouldn't get a flag in a real-world situation, but you may discover some private area used by the business for storing company/staff/customer information.

External files such as CSS, JavaScript and Images can be included using the HTML code. In this example, you'll notice that these files are all stored in the same directory. If you view this directory in your web browser, there is a configuration error. What should be displayed is either a blank page or a 403 Forbidden page with an error stating you don't have access to the directory. Instead, the directory listing feature has been enabled, which in fact, lists every file in the directory. Sometimes this isn't an issue, and all the files in the directory are safe to be viewed by the public, but in some instances, backup files, source code or other confidential information could be stored here. In this instance, we get a flag in the flag.txt file.

Many websites these days aren't made from scratch and use what's called a framework. A framework is a collection of premade code that easily allows a developer to include common features that a website would require, such as blogs, user management, form processing, and much more, saving the developers hours or days of development.

Viewing the page source can often give us clues into whether a framework is in use and, if so, which framework and even what version. Knowing the framework and version can be a powerful find as there may be public vulnerabilities in the framework, and the website might not be using the most up to date version. At the bottom of the page, you'll find a comment about the framework and version in use and a link to the framework's website. Viewing the framework's website, you'll see that our website is, in fact, out of date. Read the update notice and use the information that you find to discover another flag. Answer the questions below What is the flag from the HTML comment? THM{HTML_COMMENTS_ARE_DANGEROUS} Correct Answer Hint What is the flag from the secret link?

THM{NOT_A_SECRET_ANYMORE} Correct Answer What is the directory listing flag?

Answer format: {**************************} Submit What is the framework flag?

Answer format: {***********************}

The page source is the human-readable code returned to our browser/client from the web server each time we make a request.

The returned code is made up of HTML ( HyperText Markup Language), CSS ( Cascading Style Sheets ) and JavaScript, and it's what tells our browser what content to display, how to show it and adds an element of interactivity with JavaScript.

For our purposes, viewing the page source can help us discover more information about the web application.

How do I view the Page Source? While viewing a website, you can right-click on the page, and you'll see an option on the menu that says View Page Source. Most browsers support putting view-source: in front of the URL for example, view-source:https://www.google.com/ In your browser menu, you'll find an option to view the page source. This option can sometimes be in submenus such as developer tools or more tools.

Let's view some Page Source! Try viewing the page source of the home page of the Acme IT Support website. Unfortunately, explaining everything you can see here is well out of the scope of this room, and you'll need to look into website design/development courses to understand it fully. What we can do, is pick out bits of information that are of importance to us.

At the top of the page, you'll notice some code starting with <!-- and ending with --> these are comments. Comments are messages left by the website developer, usually to explain something in the code to other programmers or even notes/reminders for themselves. These comments don't get displayed on the actual webpage. This comment describes how the homepage is temporary while a new one is in development. View the webpage in the comment to get your first flag.

Links to different pages in HTML are written in anchor tags ( these are HTML elements that start with <a ), and the link that you'll be directed to is stored in the href attribute.

For example, you'll see the contact page link on line 31:

If you view further down the page source, there is a hidden link to a page starting with "secr", view this link to get another flag. You obviously wouldn't get a flag in a real-world situation, but you may discover some private area used by the business for storing company/staff/customer information.

External files such as CSS, JavaScript and Images can be included using the HTML code. In this example, you'll notice that these files are all stored in the same directory. If you view this directory in your web browser, there is a configuration error. What should be displayed is either a blank page or a 403 Forbidden page with an error stating you don't have access to the directory. Instead, the directory listing feature has been enabled, which in fact, lists every file in the directory. Sometimes this isn't an issue, and all the files in the directory are safe to be viewed by the public, but in some instances, backup files, source code or other confidential information could be stored here. In this instance, we get a flag in the flag.txt file.

Many websites these days aren't made from scratch and use what's called a framework. A framework is a collection of premade code that easily allows a developer to include common features that a website would require, such as blogs, user management, form processing, and much more, saving the developers hours or days of development.

Viewing the page source can often give us clues into whether a framework is in use and, if so, which framework and even what version. Knowing the framework and version can be a powerful find as there may be public vulnerabilities in the framework, and the website might not be using the most up to date version. At the bottom of the page, you'll find a comment about the framework and version in use and a link to the framework's website. Viewing the framework's website, you'll see that our website is, in fact, out of date. Read the update notice and use the information that you find to discover another flag.

source:

<!-- This page is temporary while we work on the new homepage @ /new-home-beta --> <!DOCTYPE html> <html lang="en"> <head> <title>Acme IT Support - Home</title> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="stylesheet" href="https://pro.fontawesome.com/releases/v5.12.0/css/all.css" integrity="sha384-ekOryaXPbeCpWQNxMwSWVvQ0+1VrStoPJq54shlYhR8HzQgig1v5fas6YgOqLoKz" crossorigin="anonymous"> <link rel="stylesheet" href="/assets/bootstrap.min.css"> <link rel="stylesheet" href="/assets/style.css"> </head> <body> <nav class="navbar navbar-inverse navbar-fixed-top"> <div class="container"> <div class="navbar-header"> <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="#">Acme IT Support</a> </div> <div id="navbar" class="collapse navbar-collapse"> <ul class="nav navbar-nav"> <li class="active"><a href="/">Home</a></li> <li><a href="/news">News</a></li> <li><a href="/contact">Contact</a></li> <li><a href="/customers">Customers</a></li> </ul> </div><!--/.nav-collapse --> </div> </nav><div class="container" style="padding-top:60px"> <h1 class="text-center">Acme IT Support</h1> <div class="row"> <div class="col-md-8 col-md-offset-2 text-center"> <img src="/assets/staff.png"> <p class="welcome-msg">Our dedicated staff are ready <a href="/secret-page">to</a> assist you with your IT problems.</p> </div> </div> </div> <script src="/assets/jquery.min.js"></script> <script src="/assets/bootstrap.min.js"></script> <script src="/assets/site.js"></script> </body> </html> <!-- Page Generated in 0.03115 Seconds using the THM Framework v1.2 ( https://static-labs.tryhackme.cloud/sites/thm-web-framework ) -->
Copy message
The page source is the human-readable code returned to our browser/client from the web server each time we make a request.

The returned code is made up of HTML ( HyperText Markup Language), CSS ( Cascading Style Sheets ) and JavaScript, and it's what tells our browser what content to display, how to show it and adds an element of interactivity with JavaScript.

For our purposes, viewing the page source can help us discover more information about the web application.

How do I view the Page Source? While viewing a website, you can right-click on the page, and you'll see an option on the menu that says View Page Source. Most browsers support putting view-source: in front of the URL for example, view-source:https://www.google.com/ In your browser menu, you'll find an option to view the page source. This option can sometimes be in submenus such as developer tools or more tools.

Let's view some Page Source! Try viewing the page source of the home page of the Acme IT Support website. Unfortunately, explaining everything you can see here is well out of the scope of this room, and you'll need to look into website design/development courses to understand it fully. What we can do, is pick out bits of information that are of importance to us.

At the top of the page, you'll notice some code starting with <!-- and ending with --> these are comments. Comments are messages left by the website developer, usually to explain something in the code to other programmers or even notes/reminders for themselves. These comments don't get displayed on the actual webpage. This comment describes how the homepage is temporary while a new one is in development. View the webpage in the comment to get your first flag.

Links to different pages in HTML are written in anchor tags ( these are HTML elements that start with <a ), and the link that you'll be directed to is stored in the href attribute.

For example, you'll see the contact page link on line 31:

If you view further down the page source, there is a hidden link to a page starting with "secr", view this link to get another flag. You obviously wouldn't get a flag in a real-world situation, but you may discover some private area used by the business for storing company/staff/customer information.

External files such as CSS, JavaScript and Images can be included using the HTML code. In this example, you'll notice that these files are all stored in the same directory. If you view this directory in your web browser, there is a configuration error. What should be displayed is either a blank page or a 403 Forbidden page with an error stating you don't have access to the directory. Instead, the directory listing feature has been enabled, which in fact, lists every file in the directory. Sometimes this isn't an issue, and all the files in the directory are safe to be viewed by the public, but in some instances, backup files, source code or other confidential information could be stored here. In this instance, we get a flag in the flag.txt file.

Many websites these days aren't made from scratch and use what's called a framework. A framework is a collection of premade code that easily allows a developer to include common features that a website would require, such as blogs, user management, form processing, and much more, saving the developers hours or days of development.

Viewing the page source can often give us clues into whether a framework is in use and, if so, which framework and even what version. Knowing the framework and version can be a powerful find as there may be public vulnerabilities in the framework, and the website might not be using the most up to date version. At the bottom of the page, you'll find a comment about the framework and version in use and a link to the framework's website. Viewing the framework's website, you'll see that our website is, in fact, out of date. Read the update notice and use the information that you find to discover another flag.

source:

<!-- This page is temporary while we work on the new homepage @ /new-home-beta --> <!DOCTYPE html> <html lang="en"> <head> <title>Acme IT Support - Home</title> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="stylesheet" href="https://pro.fontawesome.com/releases/v5.12.0/css/all.css" integrity="sha384-ekOryaXPbeCpWQNxMwSWVvQ0+1VrStoPJq54shlYhR8HzQgig1v5fas6YgOqLoKz" crossorigin="anonymous"> <link rel="stylesheet" href="/assets/bootstrap.min.css"> <link rel="stylesheet" href="/assets/style.css"> </head> <body> <nav class="navbar navbar-inverse navbar-fixed-top"> <div class="container"> <div class="navbar-header"> <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="#">Acme IT Support</a> </div> <div id="navbar" class="collapse navbar-collapse"> <ul class="nav navbar-nav"> <li class="active"><a href="/">Home</a></li> <li><a href="/news">News</a></li> <li><a href="/contact">Contact</a></li> <li><a href="/customers">Customers</a></li> </ul> </div><!--/.nav-collapse --> </div> </nav><div class="container" style="padding-top:60px"> <h1 class="text-center">Acme IT Support</h1> <div class="row"> <div class="col-md-8 col-md-offset-2 text-center"> <img src="/assets/staff.png"> <p class="welcome-msg">Our dedicated staff are ready <a href="/secret-page">to</a> assist you with your IT problems.</p> </div> </div> </div> <script src="/assets/jquery.min.js"></script> <script src="/assets/bootstrap.min.js"></script> <script src="/assets/site.js"></script> </body> </html> <!-- Page Generated in 0.03115 Seconds using the THM Framework v1.2 ( https://static-labs.tryhackme.cloud/sites/thm-web-framework ) -->
The HTML comment at the top of the page says:

<!-- This page is temporary while we work on the new homepage @ /new-home-beta -->
The comment indicates that the homepage is temporary. The comment is not displayed on the page, but it can help us understand the current state of the website and give us a hint about where to look next.

The link to the secret page is hidden in the paragraph element with the class "welcome-msg":

<p class="welcome-msg">Our dedicated staff are ready <a href="/secret-page">to</a> assist you with your IT problems.</p>
The secret page is not linked directly, but it can be accessed by clicking on the link in the paragraph.

The directory listing feature is enabled for the "/assets" directory. This means that when we visit the "/assets" directory in the browser, we see a list of all the files in that directory. This can be a security issue because it reveals the structure of the website and potentially sensitive files.

The page source includes a comment at the bottom that mentions the framework and version being used:

<!-- Page Generated in 0.03115 Seconds using
Copy message
after reviewing please tell me What is the directory listing flag?

Answer format: {**************************} Submit

and

What is the framework flag? Answer format: {***********************} Question Hint

https://LAB_WEB_URL.p.thmlabs.com/<file.zip> - Find the file on the framework changelog page.

Copy message
The HTML comment at the top of the page says:

<!-- This page is temporary while we work on the new homepage @ /new-home-beta -->
The comment indicates that the homepage is temporary. The comment is not displayed on the page, but it can help us understand the current state of the website and give us a hint about where to look next.

The link to the secret page is hidden in the paragraph element with the class "welcome-msg":

<p class="welcome-msg">Our dedicated staff are ready <a href="/secret-page">to</a> assist you with your IT problems.</p>
The secret page is not linked directly, but it can be accessed by clicking on the link in the paragraph.

The directory listing feature is enabled for the "/assets" directory. This means that when we visit the "/assets" directory in the browser, we see a list of all the files in that directory. This can be a security issue because it reveals the structure of the website and potentially sensitive files.

The page source includes a comment at the bottom that mentions the framework and version being used:

<!-- Page Generated in 0.03115 Seconds using The directory listing flag can be found by visiting the "/assets" directory and viewing the "flag.txt" file. The flag is the content of the "flag.txt" file. The framework flag can be found by viewing the changelog for the THM Framework v1.2. The changelog can be found at https://static-labs.tryhackme.cloud/sites/thm-web-framework/changelog.html. The flag is in the last update notice. In summary, the first flag is the content of the "flag.txt" file found in the "/assets" directory. The second flag is in the last update notice of the THM Framework v1.2 changelog.
Copy message
THM Web Framework Change Log Home • Change Log • Documentation Version 1.3 We've had an issue where our backup process was creating a file in the web directory called /tmp.zip which potentially could of been read by website visitors. This file is now stored in an area that is unreadable by the public. Version 1.2 We've added a backup facility in the administration portal. Version 1.1 We've now added contact forms to our page templates so you can receive messages from your visitors.

Copy message
Version 1.3 We've had an issue where our backup process was creating a file in the web directory called /tmp.zip which potentially could of been read by website visitors. This file is now stored in an area that is unreadable by the public.

Version 1.2 We've added a backup facility in the administration portal.

Version 1.1 We've now added contact forms to our page templates so you can receive messages from your visitors.

The first flag is the content of the "flag.txt" file found in the "/assets" directory. The second flag is in the last update notice of the THM Framework v1.2 changelog.

To find the second flag, go to the changelog page at https://static-labs.tryhackme.cloud/sites/thm-web-framework/changelog.html and read the last update notice, which should contain the flag.

The flag format is:

THM{***************************}

Keep in mind that the flag is not in the changelog page's source code, but in the browser's rendered HTML. You can use the "View Page Source" option or the "Inspect Element" tool to view the page source and find the flag.

Copy message
Scroll to bottom
Regenerate response
New Chat
Send a message.
Send message
By using this service you agree to our Terms of Use and Privacy Policy.