The Shock: A Near-Zero Performance Drop

It started with a routine check of Google Search Console (GSC). What I saw was developer’s nightmare: a performance graph that looked like a cliff. After a steady climb to over 1,000 clicks, the traffic suddenly cratered to near zero.

At first, I was confused. I hadn't changed any content, and there were no security manual actions or server errors. However, when I looked at the Indexing report, the truth came out. My indexed pages had plummeted from over 200 down to just 57.

The Context: Migrating from GitHub Pages to Cloudflare

The timing of this drop aligned with my migration from GitHub Pages to Cloudflare Pages. I made the move because I needed more advanced features, better edge performance, and higher bandwidth for my research lab, farrosfr.com.

On GitHub Pages, my setup worked well with trailingSlash: false in my Astro config. But Cloudflare Pages handles URLs differently.

The Investigation: Hunting the "Blocked" URLs

I turned to Ahrefs to get a deeper look at the site's health. The dashboard confirmed: a Health Score of 57 and nearly 500 "Blocked" or redirect-heavy URLs.

When I dug into the "What's New" section of the audit, two errors were screaming for attention:

1. Canonical points to redirect (229 instances)

2. 3XX redirect in sitemap (229 instances)

This was the "smoking gun." So many of my blog posts and category tags was stuck in a redirect loop.

The Root Cause: The "Trailing Slash Bounce"

By looking at the Ahrefs crawl details, I found the "bounce" pattern. It was a conflict between the application logic (Astro) and the hosting provider (Cloudflare).

How the conflict happened

1. Astro Config: I had trailingSlash: 'never' in my astro.config.ts.

2. Canonical Tag: Astro generated canonical links like https://farrosfr.com/p/my-post (no slash).

3. Cloudflare Hosting: Cloudflare Pages uses "Pretty URLs" by default. When it sees a directory-based build (which Astro uses for SSG), it enforces a trailing slash.

4. The Loop:

   • Googlebot visits https://farrosfr.com/p/my-post/ (with slash).

   • The HTML says: "The official (canonical) version is https://farrosfr.com/p/my-post (no slash)."

   • Googlebot tries to go to the no-slash version.

   • Cloudflare catches the request and says: "Nope, we use slashes here!" and sends a 308 Permanent Redirect back to the slash version.

Google sees this as a site that doesn't know where its own pages are, so it stops indexing them to avoid "Redirect Loops."

The Fix: Synchronizing Astro with Cloudflare

The solution was to stop fighting the server and align Astro with Cloudflare's behavior. I modified the astro.config.ts to force trailing slashes:

// astro.config.ts
export default defineConfig({
  site: 'https://farrosfr.com',
  trailingSlash: 'always', // Changed from 'never'
  // ...
})

I also updated the RSS feed configuration to ensure the rss.xml generated URLs that matched the new standard:

// src/pages/rss.xml.ts
return rss({
  trailingSlash: true,
  // ...
})

The Role of Astro Pure in the Architecture

My site is built using the Astro Pure integration, which provides a robust set of SEO and performance tools out of the box.

Why this migration was tricky

Astro Pure is designed to be a "plug-and-play" solution for technical bloggers. It handles:

• Automatic Schema.org Generation: It builds a complex JSON-LD @graph for search engines.

• Dynamic Metadata: It manages OpenGraph and Twitter cards automatically.

However, because Astro Pure dynamically generates canonical URLs based on your astro.config.ts, the trailingSlash: 'never' setting was being "baked into" every single piece of metadata on the site. Astro Pure was well doing its job—it was just being told the wrong information by the framework configuration.

The Insight: When using an advanced theme like Astro Pure, your framework settings are more critical. The theme's automation will amplify your configuration choices (good or bad) across every page of your site.

The Result: A Near-Perfect 98 Health Score

After applying the trailing slash fixes across the configuration and internal links, I triggered a next crawl. The results were immediate as well. My Ahrefs Health Score jumped from a "Weak" 57 to an "Excellent" 98. Alhamdulillah

What changed?

• Canonical Errors: Reduced to zero.

• Orphan Pages: Resolved by updating internal links.

• Redirects: Internal links now point directly to 200 OK pages, eliminating the 308 "bounce."

Lessons Learned

Moving from one host to another isn't just about moving files; it's about understanding how the new environment handles path normalization.

• GitHub Pages is flexible and doesn't usually force redirects, making trailingSlash: 'never' safe.

• Cloudflare Pages is stricter with its "Pretty URLs" feature, making trailingSlash: 'always' the best practice for SEO consistency.

References

• Astro: Trailing Slash Configuration

• Cloudflare Pages: Pretty URLs Documentation

• Google Search Central: Canonicalization Guide

This case study proves that even small architectural conflicts between your framework and your host can have massive consequences for your search presence. Try to verify your trailing slash behavior when migrating platforms!

When hardening a system against such content, a single layer is never enough. This guide uses a Red Teaming "Defense in Depth" approach to ensure filtering remains active even if the user tries to bypass it.

Why OpenDNS FamilyShield?

Before settling on this setup, I researched several major DNS providers focused on family safety:

• Cloudflare Family (1.1.1.3): Fast and reliable, but sometimes lacks the granular strictness needed for deep content filtering.

• CleanBrowsing: Highly effective, but some advanced features are locked behind a subscription.

• NextDNS: Excellent customization and analytics. However, their free tier is limited to 300,000 queries per month, which is often insufficient for a busy home or office environment, leading to filtered traffic being allowed once the limit is hit.

I chose OpenDNS FamilyShield because it is completely free, requires zero configuration to start blocking adult content (no custom IDs or links needed), and is incredibly strict by default. It provides a robust "set and forget" foundation for our hardening layers.

Layer 1: The Network Perimeter (Router)

The first line of defense is your gateway. By setting DNS at the router level, every device on the network is protected by default.

How to do it: Log into your router's admin panel (usually 192.168.1.1). Find the DHCP or Internet settings and set the DNS servers to OpenDNS FamilyShield:

• IPv4: 208.67.222.123 and 208.67.220.123

• IPv6: 2620:119:35::123 and 2620:119:53::123

Layer 2: The OS Adapter Layer

Even if the router is bypassed, the Windows network adapter acts as a secondary filter.

Run this in PowerShell as Admin to force system-wide DNS. You have two options:

Option A: Active Adapters Only (Standard)

Use this if you only want to affect the connection you are currently using.

$dnsIpv4 = @("208.67.222.123", "208.67.220.123")
$dnsIpv6 = @("2620:119:35::123", "2620:119:53::123")

$adapters = Get-NetAdapter | Where-Object { $_.Status -eq "Up" }
foreach ($adapter in $adapters) {
    Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ServerAddresses $dnsIpv4
    Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ServerAddresses $dnsIpv6 -ErrorAction SilentlyContinue
}
Clear-DnsClientCache

Option B: Full Hardening (All Adapters)

Recommended for laptops. This ensures that even if you switch from Wi-Fi to Ethernet later, the protection remains active.

$dnsIpv4 = @("208.67.222.123", "208.67.220.123")
$dnsIpv6 = @("2620:119:35::123", "2620:119:53::123")

Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $dnsIpv4
Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $dnsIpv6 -ErrorAction SilentlyContinue
Clear-DnsClientCache

Layer 3: The Browser Layer (Policy Hardening)

Modern browsers often use DNS over HTTPS (DoH), which can bypass both Router and Adapter settings. We use Windows Registry Policies to lock the browser into a secure DoH provider and prevent the user from disabling it.

Firefox

Stop-Process -Name firefox -Force -ErrorAction SilentlyContinue
$path = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS"
if (!(Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

Set-ItemProperty -Path $path -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name "Locked" -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name "ProviderURL" -Value "https://doh.familyshield.opendns.com/dns-query" -Type String
Write-Host "Firefox DNS is now locked to OpenDNS." -ForegroundColor Green

Chrome, Edge, Brave, & Opera (Chromium-based)

Most modern browsers are Chromium-based and share similar policy structures, but they use different Registry paths. Run these to lock DoH for your preferred browser:

# Define the DNS settings
$dohMode = "secure"
$dohTemplate = "https://doh.familyshield.opendns.com/dns-query"

# Registry Paths for different browsers
$paths = @(
    "HKLM:\SOFTWARE\Policies\Google\Chrome",        # Chrome
    "HKLM:\SOFTWARE\Policies\Microsoft\Edge",      # Edge
    "HKLM:\SOFTWARE\Policies\BraveSoftware\Brave", # Brave
    "HKLM:\SOFTWARE\Policies\Vivaldi",             # Vivaldi
    "HKLM:\SOFTWARE\Policies\Opera"                # Opera
)

foreach ($path in $paths) {
    if (!(Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name "DnsOverHttpsMode" -Value $dohMode -Type String
    Set-ItemProperty -Path $path -Name "DnsOverHttpsTemplates" -Value $dohTemplate -Type String
}

Write-Host "Chromium-based browsers are now locked to OpenDNS." -ForegroundColor Green

Layer 4: Content & Search Enforcement (Hosts)

We can force "SafeSearch" at the IP level by modifying the hosts file. This prevents users from seeing explicit results even on "clean" search engines. We also block "Proxy Search Engines" like Startpage, which can be used to bypass DNS filters via their "Anonymous View" feature.

# Google & YouTube SafeSearch
216.239.38.120 www.google.com
216.239.38.120 google.com
216.239.38.120 www.youtube.com
216.239.38.120 m.youtube.com

# Bing SafeSearch
204.79.197.220 www.bing.com

# DuckDuckGo SafeSearch
52.149.246.39 safe.duckduckgo.com

# Brave SafeSearch
# (Note: Brave uses its own indexing, but blocking specific domains can help)
0.0.0.0 search.brave.com # Optional: Block if you want to force Google/Bing SafeSearch

# Startpage (Proxy Bypass)
# Startpage's "Anonymous View" acts as a web proxy, bypassing DNS filters.
0.0.0.0 startpage.com
0.0.0.0 www.startpage.com
0.0.0.0 s7.startpage.com

Layer 5: Privilege Management (The Lock)

The most critical layer. All the settings above can be reversed if the user has Administrative privileges. By switching to a Standard User account, the user cannot modify the Registry, the Hosts file, or Network Adapter settings.

Security Note: For this "Lock" to be effective, your primary Administrative account must have a strong password that the Standard User does not know. This prevents the user from using "Run as Administrator" to bypass your policies.

This final step also prevents the installation of VPNs, Proxies, or Portable Browsers that could tunnel traffic past our DNS filters. Since a Standard User cannot install new network drivers, they are effectively locked into the hardened environment.

Layer 6: The Firewall Layer (IP Blocking)

DNS filtering only blocks domain names. If a site uses a direct IP address (like many movie piracy sites), you must block the "number" itself using the Windows Firewall. Many movie piracy sites are notorious for serving adult advertisements or even hosting explicit adult content directly, making IP-level blocking essential for a clean environment.

# Block specific malicious IPs directly
New-NetFirewallRule -DisplayName "Block Malicious IPs" `
    -Direction Outbound `
    -Action Block `
    -RemoteAddress "162.244.93.0/24", "195.63.129.0/24", "139.59.72.0/24", "167.71.201.0/24", "139.59.34.0/24", "165.232.170.0/24", "146.190.87.0/24", "129.212.208.0/24","159.203.161.0/24","165.245.144.0/24","143.110.182.0/24","154.93.72.0/24","159.223.73.0/24"

Since the user is a Standard User (Layer 5), they cannot modify or delete these firewall rules.

Layer 7: Real-time Content Scanning (Keyword Blocking)

Even with DNS and IP blocks, some sites might slip through or be dynamic. We can implement real-time content scanning at the browser level to block the entire page if specific keywords or phrases are found.

Option A: uBlock Origin (Static Blocking)

Using a browser extension like uBlock Origin, you can implement real-time content scanning. The keywords below are common title markers for popular piracy websites that often serve "semi-adult" content.

Add these to your "My filters" tab in uBlock Origin:

! Hide the entire page if the title contains these piracy brands
*##html:has(title:has-text(LK21))
*##html:has(title:has-text(Dunia21))
*##html:has(title:has-text(Layarkaca21))
*##html:has(title:has-text(Rebahin))
*##html:has(title:has-text(IDLIX))
*##html:has(title:has-text(BOS21))

! Hide the entire page if the body text contains these specific phrases
*##body:has-text(Nonton Film Semi)
*##body:has-text(Download Film Semi)

Option B: Tampermonkey (Advanced Redirects)

For a more "educational" approach, you can use Tampermonkey to redirect the user to a specific video (e.g., a security awareness video) when a violation is detected. This method allows for complex logic, such as excluding trusted domains like Google or your own workspace.

Create a new script in Tampermonkey and paste the following:

// ==UserScript==
// @name         Redirect Piracy Sites by Content
// @namespace    http://tampermonkey.net/
// @version      1.1
// @description  Redirects the page to YouTube if specific piracy brands or text are found.
// @match        *://*/*
// @exclude      *://*.farrosfr.com/*
// @exclude      *://farrosfr.com/*
// @exclude      *://*.medium.com/*
// @exclude      *://medium.com/*
// @exclude      *://*.google.com/*
// @exclude      *://google.com/*
// @exclude      *://*.youtube.com/*
// @exclude      *://youtube.com/*
// @grant        none
// @run-at       document-idle
// ==/UserScript==

(function() {
    'use strict';

    // The YouTube URL you want to redirect to
    const targetURL = "https://www.youtube.com/watch?v=fbTlW1V2VuI&t=2726s";

    // Regex for titles
    const badTitles = [
        /lk21/i, /dunia21/i, /layarkaca21/i, /rebahin/i, /idlix/i, /bos21/i, /indoxx1/i
    ];

    // Regex for body text
    const badText = [
        /nonton film semi/i, /download film semi/i
    ];

    let shouldRedirect = false;

    // Check document title
    if (document.title && badTitles.some(regex => regex.test(document.title))) {
        shouldRedirect = true;
    }

    // Check body text
    if (!shouldRedirect && document.body) {
        const pageText = document.body.innerText || document.body.textContent;
        if (badText.some(regex => regex.test(pageText))) {
            shouldRedirect = true;
        }
    }

    // Redirect to YouTube if a match is found
    if (shouldRedirect) {
        // Clear the page instantly to hide the content while the redirect happens
        document.documentElement.innerHTML = '<h1 style="text-align:center; margin-top:20%; font-family:sans-serif;">Redirecting to Educational Content...</h1>';
        window.location.replace(targetURL);
    }
})();

This ensures that even if a new domain appears, if it uses the same branding or content markers, it will be instantly hidden and redirected.

Layer 8: Extension Persistence (The Force Install)

Layer 7 is only effective if the uBlock Origin extension remains active. A savvy user might try to disable or uninstall the extension to bypass your keyword filters. We can use Windows Registry policies to "force-install" the extension, making it impossible for a Standard User to remove or disable it from the browser settings.

Run this in PowerShell as Admin to lock uBlock Origin into Firefox:

# Create the Extension Settings policy path
$firefoxPolicyPath = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\ExtensionSettings"
if (!(Test-Path $firefoxPolicyPath)) { New-Item -Path $firefoxPolicyPath -Force | Out-Null }

# Force-install uBlock Origin and prevent removal
$uBlockConfig = '{"installation_mode":"force_installed","install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"}'
Set-ItemProperty -Path $firefoxPolicyPath -Name "uBlock0@raymondhill.net" -Value $uBlockConfig

Once applied, the "Remove" and "Disable" buttons for uBlock Origin in Firefox will be hidden or greyed out, and the extension will be automatically re-installed if the browser profile is refreshed.

Minimal Implementation (One-Click)

For those who want to apply these hardening layers quickly, I have created a consolidated PowerShell script that automates Layers 2, 3, 4, and 6 in one go. You can find the full source code and documentation in my GitHub repository: farrosfr/noa.

To run the hardening script instantly, open PowerShell as Administrator and paste the following command:

irm https://raw.githubusercontent.com/farrosfr/noa/main/harden.ps1 | iex

Note: Always review scripts from the internet before running them. This script will modify your DNS settings, Registry policies, and Firewall rules to enforce strict content filtering.

How to Verify Your Setup

Once you've applied all layers, perform these tests to ensure your "Defense in Depth" is active:

1. OpenDNS Welcome Page: Visit welcome.opendns.com. You should see a message saying: "Welcome to OpenDNS! Your internet is safer, faster, and smarter."

2. The "Blocked" Test: Try to visit a known adult site. You should be greeted by the OpenDNS "This site is blocked" page.

3. The Browser Lock: Open your browser's DNS settings. You should see a message stating: "Your browser is managed by your organization" and the option to change DNS settings should be disabled (greyed out).

Red Team Insight: The Defense in Depth Structure

As a Red Teamer, I approach security by looking for the "weakest link." A single filter is just a hurdle; a multi-layered defense is a wall. This guide follows a Defense in Depth (DiD) structure designed to fail-safe:

1. Perimeter (Router): The first line of defense. It catches every device on the network before they even reach the OS.

2. System (Adapter): If a device leaves the network or uses a VPN that doesn't leak DNS, the OS-level adapter settings act as a secondary guard.

3. Application (Browser Policy): Many modern threats (and bypasses) happen at the application layer. By using Registry Policies, we force the browser to obey the rules, even if the user tries to toggle settings in the UI.

4. Content (Hosts): We target the specific content delivery method (Search Engines) to ensure that even "clean" sites don't serve explicit results.

5. Privilege (Standard User): The ultimate lock. In security, Identity and Access Management (IAM) is king. Without Admin rights, the user cannot tear down the other four layers.

6. Active Content Inspection (Keyword Blocking): The final safeguard. By scanning the DOM in real-time, we can block pages that bypass domain and IP filters but still contain known harmful keywords or branding.

By layering these controls, you create a system where the "cost of bypass" is higher than the user's technical ability or patience.

This guide comes from my real experience managing a B2B e-commerce platform for electrical and renewable energy products. One of the biggest challenges in this business process is the "Pricing Gap." In the industrial sector, prices are rarely static or real-time. Producers often don't update their own websites, leaving platform managers in a constant struggle to find competitive, accurate base prices for products like PV modules.

In this guide, I will demonstrate how to calculate the pricing flow using PV Modules (Solar Panels) imported from China to Indonesia as a case study.

1. Understanding Product Pricing (EXW)

Most industrial suppliers quote prices based on EXW (Ex Works), meaning the price only covers the goods at the factory door. Shipping and handling are your responsibility.

The "Price Trap": Web Listing vs. Actual Quote

In the B2B world, the price you see on Alibaba or Google Shopping is often a "teaser" price. As a platform manager, I've found that even producers often do not update their websites in real-time. This reveals a critical industry truth: B2B pricing is often a private market. Many competitive rates are never published openly; they are hidden behind direct negotiations and volume commitments.

For a 50MWp project, the gap between what is listed and what is finally quoted in a private chat can be massive:

| Type | Unit Price | Total EXW Cost (50MWp) | Gap | | :--- | :--- | :--- | :--- | | Web Listing | $0.08 / Wp | $4,000,000 | - | | Market Reality | $0.12 / Wp | $6,000,000 | +$2,000,000 |

Example Project Details (Theoretical Example):

• Project Size: 50 MWp (50,000,000 Wp)

• Module Capacity: 650 Wp per panel

• Theoretical Unit Price: $0.08 / Wp

Cost of Goods Calculation:

• Total Panels: 50,000,000 Wp ÷ 650 Wp = 76,924 panels

• Total EXW Cost: 50,000,000 Wp × $0.08 = $4,000,000.00

2. Logistics & Container Calculation

Industrial orders are shipped in containers. For PV modules, we typically use 40'HC (High Cube) containers.

• Load per Container: 31 panels per pallet × 20 pallets = 620 panels

• Total Containers Required: 76,924 panels ÷ 620 = 125 x 40'HC containers

Origin Handling (The "EXW" Burden)

Since our pricing is EXW, we must account for:

• Inland China Transport: Moving 125 containers from the factory to the port (e.g., Ningbo/Shanghai).

• Origin Port Charges: Terminal Handling Charges (THC) and export documentation.

To estimate sea freight costs, you can use platforms like Freightos. Register an account and input your details:

You can choose your preferred currency (USD, EUR, or GBP) and then fill in these four key fields:

• Origin

• Destination

• Load

• Goods

Estimated Shipping Cost: ~$448,683.58 (based on current market rates).

Disclaimer: Logistics and tax calculations in this guide are based on the $4,000,000 theoretical EXW value. In a real scenario using the $0.12/Wp market price, costs like insurance and financial fees will increase proportionally.

3. Adding Duties and Taxes (The "Hidden" Costs)

This is where many calculations fail. For Indonesia, you must consider the HS Code (8541.43.00) for PV modules and the mandatory Form E for duty exemption.

| Component | Rate | Calculation Base | Estimated Cost | | :--- | :--- | :--- | :--- | | Marine Insurance | 0.2% | EXW Value | $8,000 | | Import Duty | 0% | CIF (Goods + Ins + Freight) | $0 (ACFTA w/ Form E) | | VAT (PPN) | 11% | CIF + Duty | ~$490,235 | | Income Tax (PPh 22) | 2.5% | CIF + Duty | ~$111,417 |

Note: PPh 22 is 2.5% for owners of an API (Import Identification Number) and 7.5% without one. To achieve 0% duty, your supplier must provide a Form E (Certificate of Origin).

4. Final Landed Cost

To get your final price per unit, sum all costs including the "last mile" handling in Indonesia:

1. EXW Cost: $4,000,000

2. Sea Freight & Insurance: $456,683

3. Taxes (VAT + PPh 22): $601,652

4. Local Handling (PPJK + 125 Trucks): ~$72,500

5. Total Landed Cost: $5,130,835

Final Unit Price: $5,130,835 ÷ 50,000,000 Wp = $0.1026 / Wp

5. The Regulatory Finish Line (Indonesia)

Price is only half the battle. In Indonesia, two factors can stop your project entirely:

• SNI Certification: PV modules must have the SNI (Standar Nasional Indonesia) mark. Without it, Customs will not release the goods. This applies to both private and government projects.

• TKDN (Local Content): This is the "make or break" factor for Government-linked projects (Instansi/BUMN). These projects require a high percentage of local content. Even if importing is cheaper, you may be legally required to source from local factories to meet the regulatory threshold.

• The Private Sector (Swasta) Advantage: For purely private projects, there is typically no strict minimum TKDN requirement. This allows private developers more flexibility to import Tier 1 modules directly from global manufacturers to achieve the best price-to-performance ratio.

By following this flow, you can accurately predict whether your project is financially viable before signing any contracts. Always remember that the "Cheap" price online is just the first step in a very long journey!

But then, out of habit, you type www.example.com into your browser. Instead of your beautiful new site, you are greeted by: Error 522: Connection timed out.

If you check your DNS settings, everything looks correct. You have your root domain pointing to your .pages.dev project, and a CNAME record pointing www to your root domain. So, what gives?

Here is why this happens and how you can fix it.

The Problem: Cloudflare Pages is a Strict Bouncer

When you set up a CNAME for www pointing to example.com, Cloudflare forwards the traffic to your Cloudflare Pages origin server.

However, Cloudflare Pages relies strictly on the hostname of the incoming request to figure out which project to serve. When a request comes in for www.example.com, Pages checks its internal guest list. Because you only registered example.com as a custom domain for your project, Pages doesn't recognize the www version.

Not knowing what to do with the unrecognized hostname, the server drops the connection, resulting in the dreaded Error 522.

What is Error 522?

Before we fix it, let's briefly understand what is actually happening.

An Error 522 (Connection timed out) happens when Cloudflare (acting as the middleman) tries to connect to your web server (where your website actually lives), but the server takes too long to respond or doesn't respond at all.

Think of it like calling a friend on the phone. Cloudflare dials the number, but the phone just rings and rings until the call eventually drops. Cloudflare is telling you, "I tried to reach your server, but it ghosted me." Usually, this means a server is down or overloaded. However, in the case of Cloudflare Pages, your server isn't broken at all. It is ignoring the request on purpose because of a strict nametag policy.

The Fix: Choose Your Path

To resolve this, you have two options depending on your preference.

Option 1: Redirect WWW to your Root Domain (Recommended)

From an SEO and modern web design perspective, it is best practice to choose one version of your domain and stick to it. Redirecting www to your root domain (also known as the apex or naked domain) ensures search engines don't penalize you for duplicate content.

Here is how to set up a seamless, lightning-fast redirect at the edge:

1. Leave your current DNS records as they are (ensure www is a CNAME pointing to your root domain and is "Proxied" via the orange cloud).

2. In your Cloudflare dashboard, navigate to Rules in the left sidebar, then select Redirect Rules.

3. Click Create rule.

4. Name your rule something descriptive, like "Redirect WWW to Root".

5. Under If..., select Custom filter expression and configure it as follows:

   • Field: Hostname

   • Operator: equals

   • Value: www.example.com (replace with your actual domain)

6. Under Then..., configure the dynamic redirect:

   • Type: Dynamic

   • Expression: concat("https://example.com", http.request.uri.path) (replace example.com with your domain)

   • Status code: 301 (Permanent Redirect)

7. Click Deploy.

Now, anyone who stubbornly types www will be instantly and invisibly redirected to your clean, root domain.

Option 2: Add WWW as a Custom Domain in Pages

If you actively want users to see the www in their address bar, you need to tell Cloudflare Pages to officially recognize it.

1. Go to your Cloudflare dashboard and click on Workers & Pages in the left sidebar.

2. Select your specific Pages project.

3. Navigate to the Custom Domains tab.

4. Click Set up a custom domain.

5. Enter www.example.com and follow the prompts to add it.

Cloudflare will automatically provision the SSL certificates and adjust the backend routing. Within a few minutes, the Error 522 will vanish, and your site will happily serve traffic on the www subdomain.

Task 1: Introduction

This section introduces phishing as a powerful tool in a penetration tester's arsenal. Unlike technical vulnerabilities, phishing targets the human element, exploiting psychology to bypass robust technical defenses. A successful phishing attack can lead to initial network access, malware deployment, or credential theft.

Are you ready?

No answer needed

Task 2: Phishing 101

Phishing is a social engineering attack used to trick individuals into revealing sensitive data or executing malware by impersonating legitimate entities. There are three main types discussed: generic Phishing (a broad attack sent to many), Spear Phishing (a highly targeted attack on a specific individual), and Whaling (spear phishing targeting high-level executives like CEOs). Ethical hackers use these techniques to evaluate and strengthen an organization's security posture.

What is the primary channel used during a smishing attack?

sms

You are a CEO and have just received a phishing email sent only to you. What type of phishing is this?

Whaling

Task 3: Psychology of Phishing

Phishing relies heavily on psychological manipulation. It utilizes several core social engineering principles to bypass logical thinking: Scarcity (FOMO), Urgency (time pressure), Authority (compliance with perceived leaders), Fear (anxiety over security alerts), Curiosity (desire to know secrets), and Trust (familiarity with brands or colleagues). The material also highlights cognitive biases that make people susceptible, such as overconfidence bias, confirmation bias, and authority bias.

You receive an email stating that a special offer for the new iPhone will expire in 24 hours if you don't act now. Which principle is being used?

Urgency

An executive requests sensitive data via email, emphasising their position within the company. Which principle is being used?

Authority

You receive a message promising exclusive access to a new product no one else knows about if you click on a link. Which principle is being used?

Curiosity

You receive an email claiming that your account credentials were found in a recent data breach. Which principle is being used?

Fear

Task 4: Phishing Techniques

This task details the technical methods used to deceive victims. It covers URL manipulation (URL masking, homograph attacks, and typosquatting) to hide malicious links. It explains email spoofing, where attackers manipulate SMTP headers to fake the sender's identity, which organizations combat using SPF, DMARC, and DKIM. Additionally, it introduces credential harvesting via cloned login pages and payload delivery using malicious document macros. Popular phishing tools like GoPhish, EvilNginx, and The Social Engineering Toolkit (SET) are also highlighted.

Which technique relies on users making a typo?

Typosquatting

Which three security measures help organisations defend against email spoofing? Answer format: Alphabetical order, separated by commas

DKIM, DMARC, SPF

Task 5: Anatomy of a Phishing Campaign

A successful phishing campaign follows a structured lifecycle: Planning & Scoping (defining goals and rules of engagement), Reconnaissance (gathering OSINT), Scenario & Payload Development (crafting realistic lures and benign payloads), Exploitation & Post-Exploitation (executing the attack and monitoring metrics), and Reporting & Debriefing (analyzing data and providing actionable recommendations). The task includes a benchmarking table to map metrics (like Click Rate and Credential Entry Rate) to specific security recommendations.

Your campaign shows a credential entry rate of 6%. According to the benchmarks, what risk level does this represent?

High risk

Which metric measures the percentage of users who open an attachment?

Attachment Detonation Rate

A client has a click rate of 10%. Which single recommendation from the table would you give them?

Focused security awareness training

Task 6: The Social Engineering Toolkit

This hands-on scenario involves using the Social Engineering Toolkit (SET) to perform a spear-phishing attack against a target named Bob. The process includes starting a credential harvester listener by cloning a target webpage (typosquatting the domain). Then, using an email client (Rainloop) to spoof an internal support email address, bypassing standard email security measures. Once the target interacts with the cloned site, the terminal captures and displays the harvested credentials.

What is the password flag?

First, we need to connect to the attacker via SSH and start SET (Social Engineer Toolkit) then select this:

1. Social-Engineering Attacks

2. Website Attack Vectors

3. Credential Harvester Attack Method

4. Custom Import

Then, provide the following path for index.html /home/attacker/setoolkit/ and choose the first option, Copy just the index.html. And finally, enter the following URL: http://tryacounting.thm

Go to attacker mail inbox and fill it out like this: from: support@tryaccounting.thm to: bob@tryaccounting.thm

Fill in the subject line and the body of the email, then send the email.

Finally, we get the flag from the terminal response

Task 7: Conclusion

The room wraps up by summarizing the key concepts learned from a pentester's perspective, including the psychological principles of social engineering, technical manipulation techniques like typosquatting and spoofing, and the deployment of actual phishing tools. It provides a solid foundation for evaluating an organization's susceptibility to human-based attacks.

Well done on completing this room! If you're looking for a challenge, try out our You Got Mail room.

No answer needed

Thanks for reading. See you in the next lab.

In this guide, I will walk you through the standard Docker installation for n8n, how to spot a common failure point, and how to fix the "503 Service Unavailable" error if your container gets stuck in a crash loop.

Step 1: Preparing the Directory and Docker Compose File

First, we need to create a dedicated directory on our server to store n8n's persistent data. This ensures that if the server restarts or the container is rebuilt, you don't lose your workflows.

Connect to your server via SSH and run the following commands:

mkdir -p /opt/n8n/data
cd /opt/n8n

Next, create the configuration file:

nano docker-compose.yml

Paste the following configuration into the file. Make sure to adjust the N8N_HOST, WEBHOOK_URL, and GENERIC_TIMEZONE variables to match your specific setup.

version: '3.8'

volumes:
  n8n_data:

services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: always
    ports:
      - "127.0.0.1:5678:5678"
    environment:
      - N8N_HOST=n8n.domain.com
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://n8n.domain.com/
      - GENERIC_TIMEZONE=GMT+7 # Change to your timezone
    volumes:
      - /opt/n8n/data:/home/node/.n8n

Save and exit the file.

Step 2: Starting the Container (And Hitting a Wall)

With the configuration ready, it is time to spin up the container in the background:

docker compose up -d

Normally, you would now set up your reverse proxy, attach an SSL certificate, and navigate to your domain. But sometimes, you are greeted with this instead:

If you see a Service Unavailable error, it usually means your web server (like Apache or Nginx) is working fine, but it cannot communicate with the internal n8n container on port 5678.

Let's find out why.

Step 3: Troubleshooting the Crash Loop

When a reverse proxy fails to connect, the first thing to check is if the Docker container is actually running.

Run the following command to check your active containers:

docker ps

If you look at the STATUS column and see Restarting, it means n8n is trying to boot up, crashing, and trying again.

To see exactly why it is crashing, we need to check the logs. Be careful here—if you just type docker logs n8n, you might get an error saying No such container: n8n. This is because Docker Compose automatically prefixes container names based on the directory.

Check the NAMES column from your docker ps output. In this case, the container is actually named n8n-n8n-1.

Let's pull the correct logs:

docker logs n8n-n8n-1

Step 4: The Fix (Folder Permissions)

Looking at the logs, the culprit reveals itself: Error: EACCES: permission denied, open '/home/node/.n8n/config'.

Because we manually created the /opt/n8n/data folder as the root user on the host machine, the n8n Docker container (which runs internally as user 1000) does not have the correct permissions to read or write files to it.

The fix is a simple, single command to change the ownership of that specific folder:

chown -R 1000:1000 /opt/n8n/data

Once the permissions are updated, navigate back to your n8n directory (if you aren't there already) and restart the container so it can try booting up again:

cd /opt/n8n
docker compose restart

Step 5: Verification

Finally, let's verify that the container is stable. Run:

docker ps

If the status now says Up and stays up for more than a few seconds, you have successfully fixed the issue!

Give n8n about 30 seconds to initialize its internal database, then refresh your web browser.

The 503 error should be completely gone, and you will be greeted by the n8n setup screen. Happy automating!

Task 1: Introduction

This room explores the advanced capabilities of the Burp Suite Repeater module, building upon the foundations of the Burp Basics room. You will learn how to manipulate and resend captured requests for manual testing. To follow along, you need to deploy the target VM and start your AttackBox or personal environment.

Let's get started!

No answer needed

Task 2: What is Repeater?

Burp Suite Repeater allows us to modify and resend intercepted requests to a target for manual exploration and endpoint testing. The interface consists of six main sections: Request List, Request Controls, Request and Response View, Layout Options, Inspector (which provides a user-friendly way to analyze/modify requests), and Target.

Which sections gives us a more intuitive control over our requests?

Inspector

Task 3: Basic Usage

To use Repeater, you first capture a request in the Proxy module and send it over (using right-click or Ctrl + R). Once sent, the request populates the Request view. Clicking "Send" will execute the request and populate the Response view on the right. You can freely edit the request text and use the history buttons to navigate back and forth through your modifications.

Which view will populate when sending a request from the Proxy module to Repeater?

Request

Task 4: Message Analysis Toolbar

Repeater offers four presentation options for analyzing responses: Pretty (the default, slightly formatted view), Raw (unmodified response), Hex (byte-level representation), and Render (visualized as a web browser page). There is also a "Show non-printable characters" button (\n) to display carriage returns and newlines, which is useful for interpreting HTTP headers.

Which option allows us to visualize the page as it would appear in a web browser?

Render

Task 5: Inspector

The Inspector is a supplementary tool on the right-hand side of the screen that breaks down requests and responses into a visually organized, tabular format. It allows you to easily view, add, edit, or remove components like Request Attributes, Query Parameters, Body Parameters (specific to POST requests), Cookies, and Headers without manually typing them in the raw editor.

Which section in Inspector is specific to POST requests?

Body Parameters

Task 6: Practical Example

Repeater shines when you need to repeatedly send similar requests with minor tweaks, such as testing for SQL injection or bypassing firewalls. In this practical example, the goal is to capture a simple request to the root directory, send it to Repeater, and manually add a custom header (FlagAuthorised: True) to manipulate the server into returning a flag.

What is the flag you receive?

Okay, set the IP target to Mozilla Firefox, but first don't forget to enable FoxyProxy for Burp and enable the intercept feature in Burp.

Then the burp will be the response and just right click then select send to repeater. After that right click, select "send to repeater", next add this parameter: FlagAuthorized: True, finally click send.

THM{Yzg2MWI2ZDhlYzdlNGFiZTUzZTIzMzVi}

Task 7: Challenge

This task requires you to test the input validation of a specific endpoint. By navigating to /products/ and clicking a link, you are taken to a numeric endpoint (e.g., /products/3). You need to intercept this request, forward it to Repeater, and test what happens when you alter the ID parameter to an extreme or invalid input to force a server error.

Enable intercept again and capture a request to one of the numeric products endpoints in the Proxy module, then forward it to Repeater.

No answer needed

See if you can get the server to error out with a "500 Internal Server Error" code by changing the number at the end of the request to extreme inputs. What is the flag you receive when you cause a 500 error in the endpoint?

In this section. First, use the numeric path like /products/1 and then send to repeater.

After that, you can try entering any number in the path. At extreme positive numbers, I only see a "page not found" error like 999999, but when I try with negative numbers, I get a 500 internal error. Allright, and we'll get to the flag.

THM{N2MzMzFhMTA1MmZiYjA2YWQ4M2ZmMzhl}

Task 8: Extra-mile Challenge

This challenge requires you to manually exploit a Union SQL Injection vulnerability on the /about/ID endpoint. By submitting an invalid ID with a single quote (/about/2'), the server leaks the SQL query structure in a 500 Error. Using this leaked information, you can craft a UNION ALL payload to extract column names from the information_schema and ultimately query the notes column for the CEO (ID 1) to retrieve the final flag.

Exploit the union SQL injection vulnerability in the site. What is the flag?

First of all we need to intercept this path first /about/2 and send to repeater (Ctrl + R).

Then, add ' after the path to display the error. After that, we can see the 500 internal server error. And we can see about the SQL request in the response.

This is an extremely useful error message that the server should absolutely not be sending us, but the fact that we have it makes our job significantly more straightforward.

run this sql payload to get the flag /about/0 UNION ALL SELECT notes,null,null,null,null FROM people WHERE id = 1

• /about/0: The 0 is likely an intentionally invalid ID meant to make the original database query return an empty result.

• UNION ALL: This SQL command combines the results of the application's original query with the attacker's new, injected query.

• SELECT notes, null, null, null, null: The attacker is attempting to steal data from a column named notes. The four null values are necessary because a UNION operation requires both combined queries to have the exact same number of columns.

• FROM people: This targets a specific table in the database named people.

• WHERE id = 1: This filters the requested data, specifically aiming to extract the notes belonging to the user with an ID of 1

Task 9: Conclusion

You have successfully completed the Burp Suite Repeater room and learned how to edit, manipulate, and resend requests manually. The next step in your learning path is the Burp Suite Intruder room, which focuses on automating these customized attacks.

I can use Burp Suite Repeater!

No answer needed

Thanks for reading. See you in the next lab.

Task 1: Introduction

This task introduces the concept of a race condition vulnerability. A race condition occurs when the timing or sequence of events influences a program's behavior, typically happening when multiple threads access and modify a variable without proper synchronization locks. This flaw can allow attackers to abuse systems, such as applying a single discount multiple times or spending beyond their account balance.

Prerequisites

• How the Web Works

• Packets and Frames

• Burp Suite: The Basics

I know all the prerequisites. Let the race begin!

No answer needed

Task 2: Multi-Threading

This section breaks down the core concepts of computer execution. A Program is a static set of instructions (like a recipe). A Process is a program in active execution, holding memory and moving through various states (New, Ready, Running, Waiting, Terminated). A Thread is a lightweight execution unit within a process. Multi-threading allows a single process (like a web server) to handle multiple user requests simultaneously by spawning threads instead of forcing users to wait in a single-file line.

You downloaded an instruction booklet on how to make an origami crane. What would this instruction booklet resemble in computer terms?

program

What is the name of the state where a process is waiting for an I/O event?

waiting

Task 3: Race Conditions

Race conditions are explained using a real-world analogy of two people trying to reserve the same restaurant table at the exact same time. In software, this is known as a Time-of-Check to Time-of-Use (TOCTOU) vulnerability. If two concurrent threads check a bank balance of $100 and both try to withdraw $50 simultaneously, the lack of proper synchronization might allow both withdrawals to process before the system updates the final balance. This occurs frequently due to parallel execution, concurrent database operations, or poorly designed third-party API integrations.

Does the presented Python script guarantee which thread will reach 100% first? (Yea/Nay)

Nay

In the second execution of the Python script, what is the name of the thread that reached 100% first?

Thread-1

Task 4: Web Application Architecture

Web applications typically use a multi-tier architecture (Presentation, Application, and Data tiers) running on a client-server model. When a system processes logic—like applying a coupon—it doesn't just instantly flip from "not applied" to "applied." It goes through multiple intermediate states (e.g., checking validity, checking constraints, recalculating total). These intermediary steps create a split-second "window of opportunity." By using tools like Burp Suite, an attacker can send simultaneous requests that hit the server within that tiny window, tricking the application into processing the same action multiple times.

How many states did the original state diagram of “validating and conducting money transfer” have?

Two-step process: either the Amount is not sent or the Amount is sent.

2

How many states did the updated state diagram of “validating and conducting money transfer” have?

The server doesn't instantly send the money. It first needs to query the database to verify if you have enough funds. This introduces a third, hidden intermediate state: Checking account balance/limits.

3

How many states did the final state diagram of “validating coupon codes and applying discounts” have?

1. Coupon not applied

2. Checking coupon validity

3. Checking coupon constraints (e.g., is it expired?)

4. Recalculating the total

5. Coupon applied.

5

Task 5: Exploiting Race Conditions

This practical task focuses on using Burp Suite Repeater to actively exploit a race condition in a mock mobile operator web app. By capturing a valid POST request (like a money transfer), duplicating it multiple times in a Repeater Tab Group, and sending them in parallel, you can force the requests to arrive at the server within a 0.5-millisecond window. To achieve this synchronization, Burp Suite uses a single TCP packet for HTTP/2 or a "last-byte synchronization" technique for HTTP/1.

You need to get either of the accounts to get more than $100 of credit to get the flag. What is the flag that you obtained?

First, we try to log in as user 07799991337

Then we try to transfer with $8 because the current balance is $8.99. Don't forget to turn on the foxyproxy and burp suite to intercept.

send to Repeater

Create tab Group

Then right click and duplicate the tab. You can fill it with the number 20 because 20 x 8 is 160.

And look at the response, here we can see whether the transaction was successful or not.

Yes, the transaction was successful, then let's validate it.

For user 07799991337, we can see that they have a negative balance due to a large number of transactions. Now, let's check the other accounts (07113371111).

Yes, the transfer was successful and we have got the flag.

THM{PHONE-Race}

Task 6: Detection and Mitigation

Detecting race conditions strictly from business logs is difficult because the malicious actions often look like standard user behavior, making penetration testing crucial. To mitigate these vulnerabilities, developers should use Synchronization Mechanisms (like thread locks), Atomic Operations (grouping instructions so they cannot be interrupted), and Database Transactions (ensuring all operations either succeed completely or fail completely as a single unit).

Make sure you have taken note of the above.

No answer needed

Task 7: Challenge Web App

This is the final unguided challenge. You are tasked with logging into a vulnerable banking application using provided credentials. Using the parallel request techniques learned in Task 5 via Burp Suite, you must exploit a race condition during a money transfer to bypass the normal balance limits and amass over $1000 in a single account.

What flag did you obtain after getting an account’s balance above $1000?

I'll try logging in as Rasser Cond first. Let's see.

Let's try transferring 100. In this scenario, the target amount would only be 100. In this scenario, the target amount would only be 95 due to the $5 transfer fee. Let's enable FoxyProxy for Burp, then enable the intercept feature in Burp Suite, don't forget.

Send to repeater like before.

Create a text group as before, then duplicate the tab as before as well and multiply it to 20 as before as well.

Then send the group in parallel and check one by one what is the status of each transaction.

Because when I checked each transaction, there were some transactions that experienced internal server errors, but this was not a problem because some of them were successful.

Then we need to check and validate the transaction. Is the balance correct?

To validate this, we need to log in to the other account that was used to send the balance previously. That account is the Zavodni Stav account. Let's get started.

We can check whether some transactions were successful and the rest failed. We just need to send this balance to another account such as Warunki Wyscigu user account. let's do it like before.

• Send to Repeater

• Create gorup tab

• Duplicate tab

• Send group (parallel)

Because some transactions are true and then we just need to check Warunki Wyscigu.

THM{BANK-RED-FLAG}

Thanks for reading. See you in the next lab.

Task 1: Introduction (What is Command Injection?)

Command injection (also known as Remote Code Execution or RCE) is a severe vulnerability where an attacker abuses an application's behavior to execute operating system commands. These commands run with the same privileges as the application, allowing the attacker to directly interact with the system, read sensitive files, and obtain permissions associated with the application's user account.

Read me!

No answer needed

Task 2: Discovering Command Injection

This vulnerability occurs when applications pass user input to system calls without proper checks. For example, if an application uses a search query to run a command like grep on the OS, an attacker can inject additional commands instead of a normal search term. This flaw can exist in any programming language (such as PHP, Python, or NodeJS) as long as user input is processed and executed by the operating system.

What variable stores the user's input in the PHP code snippet in this task?

$title

What HTTP method is used to retrieve data submitted by a user in the PHP code snippet?

GET

If I wanted to execute the id command in the Python code snippet, what route would I need to visit?

/id

Task 3: Exploiting Command Injection

Attackers exploit this vulnerability by using shell operators (like ;, &, and &&) to chain multiple commands together. Command injection is generally identified in two ways:

1. Verbose Command Injection: The application directly displays the output of the executed command (e.g., seeing the username when running whoami).

2. Blind Command Injection: The application provides no direct output. Attackers must use commands that cause a time delay (like ping or sleep) or force an interaction (like curl) to verify if the injection was successful.

What payload would I use if I wanted to determine what user the application is running as?

whoami

What popular network tool would I use to test for blind command injection on a Linux machine?

ping

What payload would I use to test a Windows machine for blind command injection?

timeout

Task 4: Remediating Command Injection

Preventing command injection involves minimizing the use of dangerous functions (such as exec, passthru, and system in PHP) and strictly filtering user input. A highly effective method is "input sanitisation," which involves cleaning the data by restricting it to expected formats (e.g., only allowing numbers) or removing special characters. However, developers must be careful, as attackers constantly find creative ways (like using hexadecimal values) to bypass basic filters.

What is the term for the process of "cleaning" user input that is provided to an application?

sanitisation

Task 5: Practical: Command Injection (Deploy)

This task requires deploying a vulnerable target machine to apply the learned theory. The goal is to experiment with various command injection payloads on the provided web application to successfully read a hidden flag file located on the server.

What user is this application running as?

try typing this payload: & whoami

www-data

What are the contents of the flag located in /home/tryhackme/flag.txt?

Since we know that the previous payload used "&" then we can continue using it again to get the flag with this payload: & cat /home/tryhackme/flag.txt

Task 6: Conclusion

This room provided a comprehensive overview of command injection, covering how to discover the vulnerability, exploit it across different operating systems (Linux and Windows), and secure applications against it. There are often multiple ways to exploit these vulnerabilities, so experimenting with different payloads is highly encouraged.

Terminate the vulnerable machine from task 5.

No answer needed

Thanks for reading. See you in the next lab.

Task 1: What Is Offensive Security?

Summary: Offensive security involves proactively testing systems to identify and fix weaknesses before malicious attackers can exploit them. Unlike regular users, ethical hackers (or penetration testers) systematically observe how systems handle unexpected inputs and attempt to chain weaknesses together. This task sets the foundation, explaining that ethical hacking is always permission-based, structured, and legal.

Prerequisites

• Inside a Computer System

• Linux CLI Basics

I understand the learning objectives and am ready to learn about Offensive Security!

No answer needed

Task 2: Finding Weaknesses

Summary: This task introduces core offensive security terminology: Red Teaming, Penetration Test, Vulnerability, Exploit, and Scope. The most important rule in ethical hacking is having explicit permission to test a system within a defined scope. In the hands-on scenario, you are tasked with finding exposed hidden pages on a target website (http://www.onlineshop.thm/). You can discover these directories manually by guessing URLs or by using automated discovery tools like Gobuster to run a dictionary-based directory brute-force attack.

Using the manual or automated methods described above, what hidden web page did you discover?

Just run this script in terminal to find informative paths

gobuster dir --url http://www.onlineshop.thm/ -w /usr/share/wordlists/dirbuster/directory-list.txt

/login

Based on your Gobuster scan results, what status code is returned when accessing the hidden page?

200

Task 3: Exploiting Weaknesses

Summary: Ethical hackers often find success by chaining multiple small weaknesses together to create a significant impact (like a domino effect). To be successful, you must think like an adversary: question assumptions, test unexpected inputs, and identify valuable targets (sensitive data, admin features, etc.). In the practical exercise, you exploit the hidden login page discovered in Task 2. You use a dictionary attack to guess the admin password, both manually and by leveraging an automated password-cracking tool called Hydra (hydra -l admin -P passlist.txt...).

Using either manual testing or an automated dictionary attack, what password did you discover for the admin user?

Just run this script in terminal to find the password:

hydra -l admin -P passlist.txt <www.onlineshop.thm> http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

qwerty

After logging in using the password found, what secret message is displayed on the page?

Go to the /login directory, then log in with the username admin and password qwerty as usual.

THM{born_to_hack!}

Review the output of your Hydra dictionary attack. How many failed password attempts were made before the correct password was found?

17

Task 4: Where to Go From Here

Summary: This final task reviews the key terminology learned throughout the room, including Scope, Vulnerability, Exploit, Enumeration, Credentials, Authentication, and Dictionary Attack. It also outlines potential career paths in offensive security, such as Penetration Tester/Ethical Hacker, Vulnerability Researcher, and Red Team Operator. Finally, it recommends continuous practice and provides links to further learning paths like Cyber Security 101, Jr Penetration Tester, and SOC Level 1.

Complete the room and continue on your cyber learning journey!

No answer needed

Thanks for reading. See you in the next lab.

Task 1: Introduction

This section introduces the concept of databases by comparing them to a café's physical notebook. As a business grows, tracking orders with simple files becomes slow and confusing. Databases solve this by storing information in a structured, easily searchable, and manageable way. The learning objectives include understanding data, the purpose of databases, SQL, the structure of tables (rows and columns), and writing basic queries.

Prerequisites

• Inside a Computer System

• Client-Server Basics

• Data Representation

I am ready to dive into the database!

No answer needed

Task 2: Understanding Tables, Rows, and Columns

Databases organize information digitally so computers can search, count, and sort data in seconds. Inside a database, data is stored in tables, which resemble spreadsheets. Columns represent the type of information (e.g., drink, price), while rows represent a complete individual record (e.g., a single customer's order). SQL is the language used to ask the database questions, known as queries, to retrieve specific data without altering it.

Inside databases, what is the term for the "spreadsheets" that store the information?

Table

Task 3: Writing Your First SQL Query

This task explains the four core components of a basic SQL query:

• SELECT: Chooses which columns to display (using * selects all columns).

• FROM: Specifies which table the data comes from.

• WHERE: Filters the results to only show rows that match a specific condition.

• ORDER BY: Sorts the output by a specific column (defaults to lowest-to-highest; adding DESC reverses it to highest-to-lowest). These keywords can be combined to run highly specific searches, like filtering for a specific drink and sorting the results by price.

When you showed all orders, how many rows were returned?

This is the script for the solution: SELECT * FROM Orders;

50

When you sorted orders by price from cheapest to most expensive, which drink appeared first?

This is the script for the solution: SELECT * FROM Orders ORDER BY price;

Tea

When you sorted the menu by price from most expensive to cheapest, which drink appeared first?

This is the script for the solution: SELECT * FROM Orders ORDER BY price DESC;

latte

Task 4: Conclusion

The room concludes with a review of how databases store information using tables, rows, and columns. It recaps the four foundational SQL commands learned (SELECT, FROM, WHERE, ORDER BY) and how they are used to show, filter, sort, and retrieve data. Finally, it leaves you with a conceptual question about the security implications of allowing unauthorized users to modify or delete data.

I have successfully completed this room and can write basic SQL queries.

No answer needed

Thanks for reading. See you in the next lab.

Task 1: Introduction

This section introduces the foundational concept of how computers use the binary system (0s and 1s) to represent data, in contrast to the decimal system (0-9) used by humans. The learning objectives cover how computers represent colors (from 8 basic colors to over 16 million) and understand various numerical systems, including binary, hexadecimal, and octal numbers.

It is time to dive into computer colors!

No answer needed

Task 2: Representing Colors

This section explains how computer screens generate colors using Red, Green, and Blue (RGB) light. It starts with a simple 3-bit system (yielding 8 basic colors) and scales up to a 24-bit system where each color gets a full byte (8 bits), creating over 16.7 million possible color combinations. To make these long 24-bit binary strings easier to read and write, the hexadecimal system is used, where every 4 bits are grouped into a single hex digit (e.g., #A3EA2A).

Preview the color #3BC81E. In one word, what does this color appear to be?

Green

What is the binary representation of the color #EB0037?

11101011 00000000 00110111

What is the decimal representation of the color #D4D8DF?

212 216 223

Task 3: Numbers: From Decimal to Hexadecimal

This task breaks down the mathematics behind different number bases. It explains that the decimal system (base-10) uses powers of 10, while digital systems rely on binary (base-2) using powers of 2. It demonstrates how to mathematically convert binary strings into decimal numbers. Furthermore, it details the hexadecimal (base-16, digits 0-F) and octal (base-8, digits 0-7) systems, providing formulas and examples for converting them back to our standard decimal format.

What is the hexadecimal FF in binary?

In this section, we only need to fill in the values ​​of the questions in the hexadecimal representation column. And next too.

1111 1111

What is the hexadecimal AB in decimal?

171

Convert the hexadecimal FF FF FF to decimal. After you round up the decimal value to the nearest million, how many millions is that?

17

Task 4: Conclusion

The final section summarizes the core concepts covered in the room, recapping the four main number systems: Decimal (Base-10), Binary (Base-2), Hexadecimal (Base-16), and Octal (Base-8). It also reviews the basic units of digital data—bits and bytes (octets)—and how they combine to represent millions of hex colors. Finally, it sets the stage for the next topic on how text and emojis are encoded.

It is time to join the Data Encoding room and dive deeper into bits.

No answer needed

Thanks for reading. See you in the next lab.

Task 1: Introduction

In the past, computers operated completely independently, but networks like ARPANET and CYCLADES paved the way for the modern internet by interconnecting systems to share resources. Just like people specializing in society, computer systems specialize to offer services. This section sets the foundation for understanding the Client-Server model and core networking concepts like DNS, clients, servers, ports, protocols, and networks.

Let's go!

No answer needed

Task 2: Pizza Delivery

The Client-Server model is much like ordering takeaway pizza. The client (like a customer's browser) initiates a request. The server (like the pizza shop) processes it and sends a response. A protocol dictates the rules of this communication, ensuring both sides speak the same language and understand the commands. A port is used to identify a specific service running on that server (similar to separate doors for delivery vs. dining in). Finally, DNS (Domain Name Service) translates a human-readable name into an IP (Internet Protocol) address, acting like a GPS to locate the exact destination of the server.

What do we use to identify a specific service on a server?

port

What do we call the address of a server?

Internet Protocol address

Task 3: Web Communication in Practice

HTTP (Hypertext Transfer Protocol) is a stateless client-server protocol used for web communication, meaning each request is processed independently without memory of previous ones (though cookies/tokens add statefulness for logins). Out of the 9 core HTTP methods, GET is the most common and is used to retrieve resources from a web server. When a client makes a GET request, the server returns a response containing a status code (like "200 OK") and a response body (like an HTML page). You can use a browser's Developer Tools (Network tab) to inspect the details of these requests, including the Scheme, Host, Filename, Address, and Status.

What would be the host in the following URL? https://www.iamlearning.thm/contact

<www.iamlearning.thm>

What would be the scheme in the following URL? https://www.iamlearning.thm/contact

https

Task 4: Conclusion

This room wrapped up the basics of how internet devices offer services to one another using the client-server model, where the client initiates and the server responds. It also provided a practical look into the HTTP protocol to show what client requests and server responses look like behind the scenes. The next step is to explore the infrastructure that supports these services by looking into virtualization.

On to the next room!

No answer needed

Thanks for reading. See you in the next lab.

Wait a minute, I thought. This site is built entirely on Astro.

For the uninitiated, Astro is a Static Site Generator (SSG). It spits out highly optimized, pure HTML, CSS, and minimal JavaScript. There is no backend rendering on the fly, no database to inject into, and absolutely no native reCAPTCHA integrated into this specific build. Seeing a dynamic, interactive "security" prompt on a purely static page is like finding a working television in the middle of the Jurassic period. It simply shouldn't be there.

So, where was this payload coming from? The answer lay not in the server, but in the delivery. I was looking at a textbook Edge Infrastructure compromise.

Here is a detailed of how my Cloudflare account was weaponized to serve a Living-off-the-Land (LotL) Pastejacking attack, and how I nuked it from orbit.

Stage 1: The Illusion of the Origin and the Edge Intercept

When you use a CDN and Web Application Firewall (WAF) like Cloudflare, your architecture fundamentally changes. Your users don't talk to your server; they talk to Cloudflare's Edge network, which then fetches content from your server. It's a fantastic mechanism for speed and security, but it introduces a massive single point of failure: if an attacker controls your Edge routing, they control reality for your users.

Upon inspecting my Cloudflare dashboard, the anomaly was glaringly obvious. Hidden in the Workers & Pages section was a rogue script running under the name worker-white-shadow-3de7.

Cloudflare Workers allow developers to run serverless JavaScript or Rust code directly on Cloudflare's global edge network. They are designed to intercept requests, modify responses, and handle routing before the traffic ever hits the origin server.

The attacker had successfully deployed this malicious Worker and bound it to the wildcard routes of my domains (e.g., *mydomain.com/*).

This meant every single HTTP request made to my static Astro site was being intercepted by this Worker. The Worker acted as a Man-in-the-Middle (MitM). It took the clean HTML generated by Astro, injected a malicious JavaScript payload into the DOM, and served the poisoned HTML to the visitor. My origin server was innocent, but the delivery mechanism was completely compromised.

Stage 2: The Social Engineering Trap (Pastejacking)

Once the malicious Worker successfully injected the script into the victim's browser, the second phase of the attack commenced. This wasn't a silent drive-by download exploiting a browser zero-day. Instead, it relied on a much older, highly effective vulnerability: human psychology.

The payload rendered an overlay that perfectly mimicked a generic CAPTCHA challenge: "Verify you are human. Click 'I'm not a robot'."

This is where the technique known as Pastejacking (or Clipboard Poisoning) comes into play. The visual button is completely fake. It's not communicating with Google's reCAPTCHA servers. Instead, it is bound to an invisible JavaScript event listener utilizing the asynchronous Clipboard API (navigator.clipboard.writeText).

When an unsuspecting user clicks that button, thinking they are solving a CAPTCHA, the malicious script silently copies a heavily obfuscated command-line payload directly into their operating system's clipboard.

Immediately after the click, the UI changes, presenting the victim with a bizarre set of instructions.

The prompt instructs the user to:

1. Press Windows Key + R (This opens the Windows Run dialog).

2. Press Ctrl + V (This pastes the poisoned payload they unknowingly copied in the previous step).

3. Press Enter (This executes the payload with the privileges of the current user).

It sounds ridiculous to a seasoned IT professional. Who would blindly paste and run a command from a website? But to a non-technical user conditioned to jump through hoops to access content, following instructions on a screen under the guise of "human verification" is dangerously plausible.

Stage 3: Living off the Land (LotL) Execution

So, what exactly was the payload trying to execute?

Based on the errors generated when the payload failed to execute smoothly, the attacker was utilizing a Living off the Land (LotL) technique. The error specifically mentioned: Network Error: Windows cannot access C:\WINDOWS\system32\rundll32.exe.

LotL attacks are insidious because they don't drop a standalone, easily detectable executable (like a .exe virus) onto the disk. Instead, they hijack legitimate, built-in system administration tools—like PowerShell, WMI, or in this case, rundll32.exe—to do their dirty work.

rundll32.exe is a standard Windows utility used to load dynamic-link libraries (.dll files) into memory. Attackers love it because it's a trusted Microsoft binary, meaning it often bypasses basic Antivirus and Application Whitelisting rules.

The attacker's pasted command was likely structured to force rundll32.exe to reach out over the network (likely via an SMB/UNC path or a crafted web request), download a malicious DLL payload from an external Command and Control (C2) server, and execute it directly in system memory.

The fact that it threw a "Network Error" suggests that either the endpoint's EDR (Endpoint Detection and Response) caught the anomalous behavior and blocked the outgoing connection, or the attacker's C2 server was temporarily down. Regardless, the intent was a full system compromise, likely aiming to drop an info-stealer or ransomware.

The Incident Response: Nuking the Threat

Identifying the threat is only half the battle; eradicating it quickly is the priority. My remediation process was straightforward but required immediate action.

1. Severing the Edge Connection The immediate fix was to kill the rogue Worker. I navigated to the Cloudflare dashboard, unbinded all the routes associated with worker-white-shadow-3de7, and deleted the Worker entirely. Finally, I purged the Cloudflare cache globally to ensure no poisoned HTML remained in the edge nodes. The site was instantly clean again.

2. The Root Cause and Credential Rotation How did the attacker deploy the Worker in the first place? Cloudflare Workers aren't created by magic; they require authenticated API access or a compromised dashboard session.

The most likely vector was a compromised API token or a hijacked session cookie. It’s highly probable that my credentials were swept up in an info-stealer malware log from another machine, or an overly permissive API token was leaked or abused.

The solution was absolute:

• I immediately revoked all existing API tokens.

• I changed my Cloudflare account password.

• I verified that my Hardware Key / Time-based One-Time Password (TOTP) 2FA was still securely intact and hadn't been tampered with.

Opinion: The Shifting Perimeter and the Danger of the Edge

This incident serves as a stark reminder that the modern security perimeter is incredibly fluid. We spend so much time hardening our origin servers, configuring iptables, and writing secure application code, only to forget that the infrastructure layer above the application holds ultimate power.

An attack on the Edge is an attack on reality. If an attacker controls your DNS or your CDN, your pristine, perfectly secure static site becomes a weapon. They don't need to hack your code; they just need to hijack the pipes delivering it.

Furthermore, the reliance on Social Engineering coupled with LotL techniques highlights a terrifying trend. Attackers are bypassing complex endpoint security not by writing better malware, but by convincing the end-user to execute native system commands for them. The "Fake reCAPTCHA to Clipboard" pipeline is a brilliant, albeit malicious, piece of UX design aimed at exploiting human trust.

The Takeaway: If you manage infrastructure, treat your CDN and DNS provider accounts with the same paranoia as your root server access.

1. Audit your API Tokens regularly: Never use global API keys. Scope them strictly to the specific resources and actions they need.

2. Monitor Edge Deployments: Set up alerts for any new Workers or DNS changes in your account.

3. Assume Compromise: Even if your underlying tech stack (like an SSG) is inherently secure against server-side injection, the delivery network is always a potential attack vector.

Stay paranoid, rotate your keys, and don't trust the Edge implicitly. Anyway, Thanks for reading and see you in the next write-up.

Task 1: Introduction

Summary: This task introduces the Linux Command-Line Interface (CLI) as an essential tool for navigating servers, using security tools, and setting up hacking environments. It establishes a storyline where you play a new IT Support Engineer tasked with learning basic terminal navigation to find your supervisor's notes.

Prerequisites

• Operating Systems: Introduction

• Windows Basics

What does "CLI" stand for?

Command-Line Interface

Task 2: Navigation Mission: "Find the Missing Notes"

Summary: This section teaches the fundamental commands for navigating the Linux filesystem. You learn pwd to print your current directory, ls (along with -l and -al flags) to list files including hidden ones, and cd to change directories. It also introduces the find command to locate specific files across the system and the cat command to read their contents, culminating in finding a file named mission_brief.txt.

What is the full path of the mission_brief.txt file found on the system using the find command?

Just run and wait for the complete path to appear.

/home/ubuntu/Documents/.research/archive/mission_brief.txt

What is the flag hidden inside the mission_brief.txt file?

then run the script to the full path with the cat command

MISSION-FOUND

Task 3: Investigating the System

Summary: Here, the focus shifts to gathering system information to understand the environment you are operating in. You are introduced to whoami to check your current user, uname -a to get kernel and architecture details, and df -h to check disk space in a human-readable format. Additionally, you learn to explore the /etc directory to read configuration files like os-release. The task ends with a mini-challenge to find and read a file called day1_report.txt.

What is the username returned by the whoami command?

ubuntu

What is the kernel version shown by uname -a?

6.14.0-1018-aws

How much free disk space does df -h report?

58G

What is the message written inside day1_report.txt?

We can run this script first to find the file path: find ~ -name day1_report.txt

Once found, it's at this path: /home/ubuntu/.logs/archive/day1_report.txt

Just run it with the cat command: cat /home/ubuntu/.logs/archive/day1_report.txt

END-OF-DAY1

Task 4: Conclusion

Summary: This final task summarizes the skills acquired during your "first day" on the job. It recaps that you have successfully learned to navigate the filesystem, search for files, inspect system info, and read configs. These basics serve as the foundation for learning more advanced Linux topics like file permissions, processes, and security tooling.

Continue to complete the room.

No answer needed

Thanks for reading. See you in the next lab.

Task 1: Introduction

This task introduces the Microsoft Windows operating system, setting the scenario as your first day working at "TryHatMe." It outlines the learning objectives, such as navigating the graphical interface, using File Explorer, adjusting system settings, and utilizing basic tools like Task Manager. Prerequisites for this room include a foundational understanding of computer components and what an operating system is.

Prerequisites

• Inside a Computer System

• Computer Types

• Operating Systems: Introduction

I understand the learning objectives and am ready to learn about Windows!

No answer needed

Task 2: Exploring the Windows Workspace

This section covers the evolution of Windows from early command-line interfaces to the modern GUI. It explains user authentication levels (Guest, Standard, Administrator) and breaks down the core elements of the Windows desktop, including the Taskbar, Start Menu, and built-in apps like File Explorer and Notepad. Finally, it guides you on how to check your machine's hardware and OS specifications using the "About your PC" settings and how to navigate the system's hierarchical folder structure.

Please ensure the virtual machine is open in split-screen, then take a look at the computer's Desktop. After opening About your PC, navigate to the Device specifications section. What is the Device name specified?

just follow the instruction

TryHatMe

Continue looking through the Device specifications. How much RAM is installed on your new work PC?

4.00 GB

Scroll down to the Windows specifications section. Which Version of Windows Server 2019 Datacenter is installed?

1809

Explore the TryHatMe Onboarding folder located on your computer's Desktop. What is the flag value found within Welcome.txt?

THM{welcome_to_tryhatme!}

Task 3: Configuring and Securing Windows

This task focuses on application management, system configuration, and built-in security. It explains how to update, install (.exe/.msi files), and uninstall applications. You are introduced to the modern Windows Settings app and the legacy Control Panel for system configurations. Additionally, it covers how to monitor real-time system performance using Task Manager, run custom malware scans via Windows Security, and understand network traffic rules using the Windows Defender Firewall.

Use the TryHatMeWelcome installer located within the TryHatMe Onboarding folder. What is the flag value you receive after installing and running the application?

Hello New Employee,

Welcome to the TryHatMe team!

Within this folder, you will find everything you need to get started with your onboarding tasks.
These files will be used throughout the room to help you practice navigating Windows, managing files and folders, and exploring built-in tools.

Take some time to review the contents, follow the instructions carefully, and don’t hesitate to explore. This environment is safe to experiment in.

Good luck, and welcome aboard!

flag: THM{welcome_to_tryhatme!}

THM{welcome_to_tryhatme!}

Investigate the Time & Language section of the Windows Settings app. Which country or region is your computer currently set to?

Use the region settings and see if United States is the answer.

United States

Open the Task Manager on your workstation's Desktop and navigate to the Users tab. Which account is currently logged in?

You can right click and then click Task Manager.

Administrator

After performing your custom scan, click Virus:DOS/EICAR_Test_File and select See details. What is the file name shown in the Affected items section?

Simply click Windows, then search for virus and threat protection. Then click quick scan. After that, view the results.

tryhatmemaldoc.txt

Task 4: Conclusion

The final task wraps up the "Windows Basics" room, summarizing the hands-on experience you gained while navigating Windows Server 2019. It provides a helpful glossary of key terminology covered in the room (such as Desktop, Start Menu, File Explorer, and Task Manager) and recommends further learning paths, specifically pointing toward command-line interface (CLI) basics for both Linux and Windows.

Complete the room and continue on your cyber learning journey!

No answer needed

Thanks for reading. See you in the next lab.

Task 1: Introduction

This section introduces the concept of an Operating System (OS) as the invisible foundational layer that connects a computer's physical hardware with its applications. Through a scenario involving a gifted old computer, the task outlines the learning objectives: understanding the core duties of an OS, identifying common OS types, and practicing basic OS interaction to gather system specifications.

Prerequisites

• Inside a Computer System

• Computer Types

I understand the learning objectives and am ready to learn about operating systems!

No answer needed

Task 2: The Invisible Manager

An Operating System acts as the central manager of a computer, functioning much like air traffic control at an airport to prevent conflicts and ensure smooth operations. It separates system privileges into two layers: the highly-privileged Kernel space (direct hardware access) and the restricted User space (where standard apps run and must request permissions). The core duties of an OS include managing processes, memory, file systems, users, and devices, while also providing foundational security features like authentication, permissions, and isolation.

Which OS space has unrestricted access to your computer's hardware?

Kernel space

Which OS responsibility manages user accounts, authentication, and permissions?

User Management

After opening the About This Computer shortcut, you are greeted with an overview of the system's specifications. What version of Ubuntu Mate is your computer running?

From here we know whether the version of Ubuntu used is MATE 1.26.2.

1.26.2

Check out the Hardware section of the System tab. How much memory is allocated to your machine?

1.9 GiB

Task 3: OS Interaction and Landscape

Users typically interact with an OS through two main interfaces: a Graphical User Interface (GUI), which uses visual elements like icons and windows, or a Command-Line Interface (CLI), which relies on precise text-based commands for control. Operating systems vary widely based on their environment and are categorized into Desktop (Windows, macOS, Linux), Server (Linux, Windows Server), Mobile (Android, iOS), Embedded/IoT (Embedded Linux, RTOS), and Virtual/Cloud environments. This diverse landscape exists because different devices require unique balances of user-friendliness, stability, efficiency, and resource management.

Open the File Systems tab in System Monitor. What Type is listed for the /dev/root device?

standard Ubuntu VM environment

ext4

After opening the Home directory on the Desktop, how many user directories exist?

3

Navigate to Alex's home directory and explore the Documents folder. What is the flag value contained in note.txt?

THM{new_pc_for_free!}

Task 4: Conclusion

This concluding section wraps up the module by reviewing the core concepts of what an operating system manages behind the scenes. It provides a quick recap of essential terminology, including the definitions of an OS, Kernel space, User space, GUI, and CLI. Finally, it offers suggestions for further learning paths, encouraging students to dive deeper into Windows and Linux CLI basics.

Complete the room and continue on your cyber learning journey!

No answer needed

Thanks for reading. See you in the next lab.

Task 1: Introduction

Sophia discovers that computers are not limited to traditional laptops and phones; they are also hidden inside everyday objects like smart refrigerators. The goal of this section is to help you identify and differentiate between direct-use computers (laptops, smartphones) and indirect ones (servers, IoT devices, embedded systems) based on their purposes.

Ready to find the hidden computers?

No answer needed

Task 2: Sophia’s Summer of Hidden Computers – Month 1

Sophia learns that computers are built differently depending on their intended use. Laptops offer portability but struggle with sustained performance due to cooling limitations. Desktops provide steady, sustained performance at a fixed location. Workstations are specialized for precision and reliability in professional tasks. Finally, Servers operate entirely without screens or keyboards, running continuously to provide services to multiple users over a network.

Which computer type usually runs without a dedicated screen and keyboard?

Server

What kind of computer with specialized components would one buy to carry out precision work?

Workstation

Task 3: Sophia’s Summer of Hidden Computers – Month 2

Millions of computers hide in plain sight inside everyday objects. Smartphones are the most popular pocket-sized computers, while tablets offer a touch-first experience. The main difference between IoT and Embedded systems is connectivity: IoT devices (like smart doorbells) connect to a network for single-purpose tasks, whereas embedded computers (found inside coffee machines or automatic doors) operate silently inside a machine and often never connect to the internet.

What is the currently most popular pocket-sized computer?

Smartphone

What kind of computer would you expect to find in a coffee machine?

Embedded computer

Task 4: Why Computers Come in Different Flavors

Computers come in different types because every design involves trade-offs. Making a device mobile means sacrificing sustained power, while making a system highly reliable increases the cost due to redundancy (extra power supplies and disks). There is no single "best" computer; the design is entirely shaped by its specific purpose.

Go through the attached static site and get the flag.

• Workstation: edit 4K video all day.

• Server: Host a website 24/7.

• Embedded: Ring when button pressed.

Why do laptops throttle more than desktops?

Less cooling space

What does server redundancy prevent?

Single point of failure

Why do smartphones last longer on battery than laptops?

Optimized for efficiency

Which feature is more common in workstations?

ECC RAM and certified drivers

In many smart homes, what coordinates devices?

Hub or cloud service

THM{8_computer_types}

Task 5: Summary

Sophia concludes her internship by realizing that computers are everywhere, often running silently in the background to keep daily life functioning (like opening doors or flying planes). The module covered eight distinct types of computers and the specific trade-offs involved in choosing the right tool for a given job.

Room complete!

No answer needed

Thanks for reading. See you in the next lab.

Task 1: Think like a Hacker

Offensive Security involves thinking like an attacker to identify and fix vulnerabilities before malicious hackers can exploit them. In this exercise, you will practice hacking a simulated website to understand the methods used by ethical hackers.

Which term describes simulating a hacker's actions to find weaknesses?

Offensive Security

Task 2: Starting the Lab

This task introduces the virtual desktop environment used for the simulation. You will be targeting a simulated banking application called FakeBank, which automatically opens in the lab's browser.

What is the bank account number in the FakeBank application?

8881

Task 3: Find Hidden Pages

A common web vulnerability is leaving hidden administrative pages accessible. You will use a terminal-based hacking tool called dirb to find these pages. By running the command dirb http://fakebank.thm, the tool will scan the website and reveal hidden directories marked with a +.

Dirb found one URL, http://fakebank.thm/images. What is the other hidden URL?

http://fakebank.thm/bank-transfer

Task 4: Attack the Admin Page

Using the hidden URL discovered in the previous task, you can access an admin panel that allows you to transfer funds. By navigating to the /bank-transfer page, you can input your account number (8881) and deposit $2000 to successfully manipulate your account balance.

When your balance turns positive, a pop-up with green text appears. Enter the green words as the answer (ALL CAPS)

BANK HACKED

Thanks for reading. See you in the next lab.

Task 1: Introduction

Summary: This task introduces the importance of learning computer fundamentals before jumping into cybersecurity. Using the analogy of defending a castle, it emphasizes that you cannot protect a system if you don't understand how it works, what its building blocks are, and how they interact. The main objective is to recognize and understand the functions of various computing components.

Let's get started!

No answer needed

Task 2: Inside a Computer System

Summary: This section explains that nearly every computer system consists of the same fundamental building blocks, each with a specific job. To make it easier to understand, the lesson uses an analogy comparing PC components to parts of the human body. An interactive static site is provided to explore these components and retrieve a flag.

Give in the flag you received after completing the exercise on the static site.

The motherboard is like the skeleton and nervous system, connecting everything together.

The CPU is the brain of the computer, constantly executing instructions.

RAM is like short-term memory - fast but temporary.

Storage devices are for long-term data retention.

Network adapters let your computer talk to other systems.

The PSU is like the heart, pumping power to everything.

The graphics card processes visuals for your monitor.

I/O devices are how we interact with computers.

THM{4llpccomp0n3nts1d3nt1f13d}

Task 3: What Happens When You Press the Start Button?

Summary: This task details the 5-step boot sequence a computer goes through before loading the Operating System, continuing the human body analogy:

1. Press the Power Button: Sends a signal to the Power Supply Unit (PSU) to allow power to flow.

2. Firmware Starts: The Unified Extensible Firmware Interface (UEFI), which has largely replaced BIOS, starts up the components.

3. Power-On Self Test (POST): The UEFI tests if all required components are present and functioning correctly.

4. Select Boot Device: The UEFI checks its prioritized list to find the device containing the OS bootup routine.

5. Initiate Bootloader: The bootloader transfers the Operating System from the boot device into the RAM and hands over control to the OS.

What is the flag that you received after completing the exercise?

THM{pc5ucce55fully5t4rt3d}

Task 4: Conclusion

Summary: The final task wraps up the module by reminding you that understanding core components and the boot process is crucial for future cybersecurity concepts, as hackers frequently target these areas. It also sets the stage for the next room, which will cover how different combinations of these components create diverse types of computer systems.

I am ready to discover the different types of computer systems and their function!

No answer needed

Thanks for reading. See you in the next lab.