Nmap

First we scan for open ports:

# nmap -p- -T4 -sV -sC 10.10.174.255 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 05:38 BST
Nmap scan report for 10.10.174.255
Host is up (0.018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b1:bb:3e:48:88:cc:01:80:37:36:d3:44:42:d7:9a:dd (RSA)
|   256 f8:ff:f4:6a:3c:a1:e5:dd:51:90:2f:fa:8a:c7:ba:91 (ECDSA)
|_  256 eb:fc:6b:02:cb:4e:e8:b1:0a:82:af:18:18:b0:fb:b9 (ED25519)
80/tcp open  http    Apache httpd 2.4.53 ((Debian))
|_http-server-header: Apache/2.4.53 (Debian)
|_http-title: Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds

Website

We start by visiting the site and see that it contains a basic login page.

The page displays a message telling us to use the guest account, and the same message also appears in the page source.

After logging in to the site with the guest credentials, we can see that the URL specifies a user profile.

By simply changing the URL to /profile.php?user=admin, we get the admin's profile and the flag.
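
This works because the page trusts the user parameter without checking it against the logged-in session, an insecure direct object reference (IDOR). The sketch below is an added example, not the target application's source: the function names, the user store and the role field are all assumptions, and it shows the vulnerable lookup beside a version that authorizes the request against the session identity.

```php
<?php
declare(strict_types=1);

// Constructed user store; the real application's data and schema are unknown.
function profiles(): array
{
    return [
        'guest' => ['display' => 'Guest User', 'role' => 'user'],
        'admin' => ['display' => 'Administrator', 'role' => 'admin'],
    ];
}

// Vulnerable pattern: login is checked, but the record is chosen from ?user= alone.
function profile_vulnerable(array $session, array $query): array
{
    if (!isset($session['username'])) {
        return ['status' => 401, 'profile' => null];
    }
    $requested = $query['user'] ?? '';
    $profile = is_string($requested) ? (profiles()[$requested] ?? null) : null;
    return ['status' => $profile === null ? 404 : 200, 'profile' => $profile];
}

// Hardened pattern: the session identity decides which record may be read.
function profile_hardened(array $session, array $query): array
{
    $users = profiles();
    $owner = $session['username'] ?? null;
    if (!is_string($owner) || !isset($users[$owner])) {
        return ['status' => 401, 'profile' => null];
    }
    $requested = $query['user'] ?? $owner; // default to the caller's own profile
    $isAdmin = $users[$owner]['role'] === 'admin';
    if (!is_string($requested) || (!$isAdmin && $requested !== $owner)) {
        // Worth logging: a mismatch between session user and requested user.
        return ['status' => 403, 'profile' => null];
    }
    $profile = $users[$requested] ?? null;
    return ['status' => $profile === null ? 404 : 200, 'profile' => $profile];
}

// Constructed requests: a guest session asking for admin's profile, then its own.
$session = ['username' => 'guest'];
printf("vulnerable, user=admin: %d\n", profile_vulnerable($session, ['user' => 'admin'])['status']);
printf("hardened,   user=admin: %d\n", profile_hardened($session, ['user' => 'admin'])['status']);
printf("hardened,   user=guest: %d\n", profile_hardened($session, ['user' => 'guest'])['status']);
```

In a real page the two arguments would be $_SESSION and $_GET.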