# ZTH: Web 2 ![](/files/-MeljExudDWcg9n-WSTX) ## Introduction ![](/files/-MeljQpQbFx4_nnwUuD7) ## Section 1: IDOR ### Introduction ![](/files/-MeljdptYkGkjMCLB5Pq) ### Exploitation ![](/files/-MeljmqdKBGwXBiW2Psd) ![](/files/-MeljsOluS3N6PlLDCLo) ### Challenge ![](/files/-MelkI83SbSMgiEEFXcB) Lets check the webpage ![](/files/-MelkCQpM201kU2QvTRO) Lets login with the given credentials ![](/files/-MelkNttsVbeBTrEPqRW) Lets change the note parameter value to 0 ![](/files/-MelkUP9vlBUd4PwZ0n4) ## Section 2: Forced Browsing ### Introduction ![](/files/-MelkknsaJGNVd0XuuC-) ### Manual Exploitation ![](/files/-MelkwZE-k6xkTlz1ROv) ### Automatic Exploitation ![](/files/-MellBtIDiR_t6hobZBH) ![](/files/-MellER8kwAb7QfodVvw) ![](/files/-Mell_Uk1ao2VZE_MEBo) ### Challenge Lets go to the web page ![](/files/-MellkIOcNKGqz30w6jD) Lets login with the given credentials ![](/files/-MelmI_3fomXUe80Kga7) Lets fuzz the name place so that we can find the right username ![](/files/-MelqAW_tmnTsv-I7XwO) After some time we get a hit which is password ![](/files/-MelqGWe8phAt7F55FoX) ## Section 3: API Bypassing ### Introduction ![](/files/-MeloVwgk1MKQ_TmMVDk) ### Exploitation ![](/files/-MelofXlx61RhyWyz4E4) ### Challenge Lets check the web page ![](/files/-MelqWXF36hD702wXb0c) Lets login ![](/files/-MelqmBoOmBlS6op-0wP) We have an admin.php page and we can run commands, lets test a command ![](/files/-MelqwZUqWk7GrVcK_Gf) Looks like we are taken to a api.php page. admin.php might be a file on the machine, so we are directly accessing the directories of the machine in the URL, lets look for the flag which might be in a while called flag.txt (Most capture of the flag machines) ![](/files/-MelrFl-7lo-rUGMCk1K) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.adityadindi.com/tryhackme/walkthroughs-easy/zth-web-2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.