Content Discovery – TryHackMe Walkthrough

Content Discovery - New Room | TryHackMe Walkthrough

Content discovery is about finding things on a web server that aren’t meant to be publicly visible – hidden directories, sensitive files, old endpoints, subdomains, and misconfigured paths. This TryHackMe room walks through three approaches: manual, OSINT, and automated.

Task 2: Manual Discovery – Common Files

Before running any tool, check the standard files web servers expose by default. They give away a lot for free.

robots.txt

robots.txt tells search crawlers what not to index. For a pentester, it’s basically a shortlist of interesting paths.

Navigate to http://10.82.188.81/robots.txt:

What is the directory in robots.txt that isn’t allowed to be viewed by web crawlers?
/staff-portal

sitemap.xml

sitemap.xml tells crawlers what to index. It sometimes includes staging paths, old content, or sensitive endpoints that the dev forgot about.

Navigate to http://10.82.188.81/sitemap.xml. Among the standard pages (/news, /contact), one path stands out:

What is the path of the secret area found in sitemap.xml?
/s3cr3t-area

Task 3: Manual Discovery – Headers & Framework Stack

HTTP Headers

Response headers often leak server and framework info. Run:

curl http://10.82.188.81 -v
What is the flag value from the X-FLAG header?
THM{HEADER_FLAG}

Framework Stack

The page source has a comment at the bottom with a link to the framework docs:

https://static-labs.tryhackme.cloud/sites/thm-web-framework

Check the documentation. It mentions:

Navigate to the /thm-framework-login path on your website. Login with admin / admin.

Hit http://10.82.188.81/thm-framework-login, log in with default creds, and grab the flag.

What is the flag from the framework’s administration portal?
THM{CHANGE_DEFAULT_CREDENTIALS}

Task 4: OSINT – Search Engines & Web Tools

Google Dorking

Google advanced operators let you surface things that were accidentally indexed:

OperatorExampleWhat it does
site:site:tryhackme.comLimits to a specific domain
inurl:inurl:adminMatches on URL content
filetype:filetype:pdfFilters by file type
intitle:intitle:loginMatches page title
What Google dork operator limits results to a specific site?
site:

Wappalyzer

Browser extension that fingerprints the tech stack of any site – CMS, framework, CDN, analytics, etc. Often shows version numbers too, which is useful when checking for known CVEs.

What online tool and browser extension identifies what technologies a website is running?
Wappalyzer

Task 5: OSINT – Repositories & Archives

Wayback Machine

Archives snapshots of websites going back to the late 90s. Useful for finding pages that were removed from live sites but never disappeared from the archive – old login forms, forgotten API endpoints, briefly published content.

What is the website address for the Wayback Machine?
https://web.archive.org/

GitHub

Developers sometimes push API keys, .env files, and credentials before realising a repo is public. Always check commit history, not just current files – sensitive data removed in a later commit still lives in the history.

S3 Buckets

Misconfigured public S3 buckets are a common finding.

Common naming patterns: {company}-assets, {company}-backup, {company}-dev.

What URL format do Amazon S3 buckets end in?
.s3.amazonaws.com

Task 6: Automated Discovery – Gobuster Fundamentals

Manual recon only gets you so far. Gobuster automates directory and file brute-forcing using wordlists.

gobuster dir -u http://10.82.188.81 -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
What is the name of the directory beginning with /mo that was discovered?
/monthly
What is the name of the log file that was discovered?
development.log

Task 7: Automated Discovery – Subdomains & Virtual Hosts

DNS Mode

gobuster dns -d example.thm -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --wildcard

The -d flag is required for dns mode alongside -w.

Apart from dns and -w, which shorthand flag is required for dns mode?
-d

Virtual Host Enumeration

Virtual hosts aren’t resolved via DNS – the web server uses the Host: header to decide which site to serve. Gobuster’s vhost mode cycles through wordlist entries as the Host header value.

First, add the domain to /etc/hosts:

10.82.188.81 acmeitsupport.thm

Then run:

bash

gobuster vhost -u "http://10.82.188.81" --domain acmeitsupport.thm \
  -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain --exclude-length 250-320
How many virtual hosts on acmeitsupport.thm respond with status code 200?
3

Leave a Reply

Your email address will not be published. Required fields are marked *