CyberHeroes THM Writeup

CyberHeroes TryHackMe Writeup

Introduction

CyberHeroes is a beginner-level TryHackMe room focused on breaking weak client-side authentication by inspecting exposed web logic. The goal is to find a way to log in using what the application itself reveals.

Room link: https://tryhackme.com/room/cyberheroes

Initial Reconnaissance

I started with a basic Nmap scan to understand what services were exposed on the target.

~$ nmap -sV 10.48.153.105

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.48 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are two services running:

  • SSH on port 22
  • HTTP on port 80

Web Exploitation

Since port 80 was open, I navigated to it directly in the browser.

The landing page turned out to be a simple index page with three tabs, including an About section and a Login page.

The login page displayed a familiar challenge message inviting me to prove my hacking skills. With no credentials available upfront, I checked the page source and came across the following JavaScript block:

if (a.value=="h3ck3rBoi" & b.value==RevereString("54321@terceSrepuS"))

This is where everything clicked. The script validates the input by checking a hardcoded username and a reversed password string.

Reversing the string reveals the password as SuperSecret@12345. With that, the required credentials became clear.

Username: h3ck3rBoi
Password: SuperSecret@12345
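To make the lesson concrete from the defender's side, here is an added Python example that is not part of the original writeup or the room. It scans a constructed JavaScript snippet (modelled on the check quoted above, with the helper name RevereString taken from the page) for equality checks against string literals, recovers the effective value behind a reverse-string wrapper, flags the single-`&` condition, and contrasts this with a server-side PBKDF2 check. The sample source, the heuristic regexes and the function names are all my own assumptions.

```python
import re
import hashlib
import hmac
import os

# Constructed sample: an inline login check of the kind the writeup describes.
# This is not the room's real page source, only a stand-in for the scanner.
SAMPLE_JS = r'''
function RevereString(str) { return str.split("").reverse().join(""); }
function authenticate() {
  var a = document.getElementById("uname");
  var b = document.getElementById("pass");
  if (a.value=="h3ck3rBoi" & b.value==RevereString("54321@terceSrepuS")) {
    window.location = "flag.html";
  }
}
'''

# Matches  <ident>.value == "literal"   or   <ident>.value == SomeFn("literal")
# The optional wrapper group catches trivial obfuscation such as a reverse helper.
_CHECK_RE = re.compile(
    r'(?P<field>\w+)\.value\s*==+\s*'
    r'(?:(?P<fn>\w+)\s*\(\s*)?"(?P<lit>[^"]*)"\s*\)?'
)

def find_hardcoded_checks(js_source):
    """Return one dict per client-side comparison of a form field against a literal.

    'effective_value' is the literal after undoing a reverse-style wrapper, which
    is what a reviewer needs to see to judge how much the page leaks.
    """
    findings = []
    for m in _CHECK_RE.finditer(js_source):
        fn = m.group("fn")
        lit = m.group("lit")
        # Heuristic: a wrapper whose name mentions "rev" is assumed to reverse its input.
        is_reversed = fn is not None and "rev" in fn.lower()
        findings.append({
            "field": m.group("field"),
            "literal": lit,
            "wrapper": fn,
            "effective_value": lit[::-1] if is_reversed else lit,
        })
    return findings

def uses_bitwise_and_in_condition(js_source):
    """Flag an 'if (...)' whose condition uses a lone '&'.

    In JavaScript a single '&' is bitwise AND, not the short-circuit '&&';
    it still "works" for booleans but is a tell-tale of hastily written checks.
    Heuristic only: the lazy scan stops at the first '{' after 'if ('.
    """
    return re.search(r'if\s*\([^{]*?(?<!&)&(?!&)', js_source) is not None

# --- What the check should look like instead: server-side, salted, hashed -----

PBKDF2_ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the server stores (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(candidate, salt, expected_digest):
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate_digest, expected_digest)

if __name__ == "__main__":
    for f in find_hardcoded_checks(SAMPLE_JS):
        print(f"field {f['field']!r} compared to literal {f['literal']!r} "
              f"(wrapper={f['wrapper']}) -> effective {f['effective_value']!r}")
    print("lone '&' in condition:", uses_bitwise_and_in_condition(SAMPLE_JS))
    salt, digest = hash_password("SuperSecret@12345")
    print("server-side verify ok:", verify_password("SuperSecret@12345", salt, digest))
```

The scanner is deliberately simple: the point is that anything shipped to the browser, reversed or not, is readable by whoever loads the page, so the only comparison that matters is the one the server performs against a stored salted hash.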

Capturing the Flag

After logging in with the above credentials, the page returned the flag.

flag{edb0be532c540b1a150c3a7e85d2466e}

Conclusion

CyberHeroes was a short but clean room that reinforced a core lesson I keep coming back to: never ignore what the client side is doing. A simple look at exposed JavaScript was enough to break the authentication logic and reach the goal. No noise, no detours, just paying attention to what was already in plain sight.

Thanks for taking the time to read this walkthrough. If you found it useful and want more TryHackMe writeups like this, you can check out my GitHub repository here: TryHackMe walkthrough

More rooms, more notes, same hands-on approach.


CyberHeroes THM Writeup was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Original link: https://infosecwriteups.com/cyberheroes-thm-writeup-80985a5e9136?source=rss----7b722bfd1b8d---4