πŸ“ TryHackMe: Getting Started – Writeup

📌 Room Overview

The Getting Started room on TryHackMe is designed to introduce beginners to the platform.
It teaches the basics of:

  • Launching and interacting with machines (VMs).

  • Accessing a target website via the AttackBox.

  • Inspecting web applications for common issues (comments, hidden pages).

  • Understanding how to complete tasks and submit flags.


🎯 Learning Objectives

  • Learn how to start and connect to a TryHackMe machine.

  • Practice accessing a website hosted on a VM.

  • Identify hidden information in a website’s source code.

  • Familiarize with answering questions to complete a room.


🚀 Task 1 – Introduction & Starting the Machine

  • Click Start Machine → a target VM is launched.

  • Note the IP address from the “Active Machine Information” section.

  • Launch the AttackBox VM → it contains pre-installed hacking tools.

  • Open Firefox in the AttackBox and navigate to the target IP → this loads the BFFs social media website.


🔎 Inspecting the Site

A common first step in web enumeration is to view the page source:

  1. Right-click on the webpage → View Page Source.

  2. Look for HTML comments (they begin with <!-- ... -->).

  3. Developers sometimes leave behind:

    • Debug information

    • Usernames/passwords

    • Hidden admin/test pages


Source Code


Questions and Answers

Q1: What is the name of the hidden admin page?

  • After inspecting the page source, we find a hidden path mentioned in the comments.

  • The answer is a directory path that looks like:

Answer: /test-admin


πŸ” Task 2 – Hidden Admin Page & Default Credentials

After finding the hidden admin page (/test-admin) in the page source, the next step is to check the login form and see if the application uses any default or easily guessable credentials.

✅ Why check for default creds?

Developers sometimes leave default accounts (or forget to change default passwords) when deploying an app. These accounts are easy to guess and are frequently targeted during initial web-app enumeration.

🔎 Steps I took

  1. Navigated to the hidden admin URL:
    http://<TARGET-IP>/test-admin
    (replace <TARGET-IP> with the IP shown in the Active Machine Information)

  2. Observed a login form (username + password fields).

  3. Tried common default credentials (examples):

    • admin:admin

    • admin:password

    • administrator:password123

  4. One of the default credentials worked:

    • Found credential: admin:admin

Answer: admin:admin

  5. After logging in, I navigated the admin interface to inspect user data and listings.

    • The application showed the registered users list / user count.

    • Number of users signed up: 3


πŸ› οΈ Example: quick test with curl

You can test a login POST with curl (replace IP & endpoint as needed):

curl -i -X POST "http://<TARGET-IP>/test-admin/login" \
  -d "username=admin&password=admin"
Written by

Cyber Sheriff Hari