No, I didn’t, please calm down LOL

I solved my first TryHackMe machine — and I’m super excited to share what I learned! This challenge introduced me to the tool Gobuster, which I used to find hidden pages on a web server.

🛠 Tool Used:

Gobuster

Gobuster is a directory brute-forcing tool. It discovers hidden files, folders, and paths on a target website by trying out a list of possible names from a wordlist.

🔍 What Was the Goal?

The goal was to discover hidden pages on the FakeBank site.

These pages might include: Admin panels User-specific pages Other sensitive or hidden endpoints

📜 How Gobuster Works

It uses a wordlist (wordlist.txt) to try out different paths.

It sends requests like:

http://fakebank.thm/admin

http://fakebank.thm/secret

If the page exists, it returns an HTTP status code that tells us if: ✅ The page is accessible (200 OK), 🚫 It’s forbidden (403), 🔁 It redirects (301/302), ❌ It doesn’t exist (404)

💥 My Key Discovery

Gobuster found the hidden path: /bank-transfer → [Status: 200 OK] That means the page exists and is accessible.

When I opened it in the browser, I found a functionality to transfer money!

📸 Screenshot

🧠 What I Learned

How directory brute-forcing works.

Why wordlists are important in web recon.

The real-life importance of HTTP status codes as indicators.

How hidden endpoints can be big security risks

💬 Final Thoughts

💡 Creating a wordlist to guess paths is genius — it felt like digital treasure hunting. 💡 I used to ignore status codes... now I know they’re essential clues for attackers and defenders alike!

🚀 What’s Next?

This is just the beginning. I’m documenting every machine I solve here in my blog and GitHub repo — join me as I explore deeper into Red Teaming and web security!

See ya in the next machine! 🔓💻

I Hacked a Bank?!!