This is my write-up for the TryHackMe room Guided Pentest: Web. It was written in 2026, and I hope it helps others learn and practice cybersecurity.
Task 1: Introduction
This section introduces the RecruitX web application penetration testing scenario, outlining the methodology from initial reconnaissance through to achieving remote code execution.
I can access the RecruitX web app.
No answer needed
Task 2: Reconnaissance and Enumeration
The initial reconnaissance phase covers port scanning with Nmap to identify running services, inspecting HTTP headers, and using Gobuster to discover hidden directories and exposed API endpoints.
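As an added example (not the room's own tooling or output), the header inspection and directory brute force described above, scripted in Python instead of `curl -I` and gobuster, and run against a throwaway local HTTP server so it works offline. The target paths, the `Server` header value and the wordlist are constructed stand-ins for RecruitX; the only logic that matters is treating every non-404 response as a hit and pulling the product and version out of the `Server` header.

```python
"""Minimal header inspection + directory enumeration, in the spirit of
`curl -I` and `gobuster dir -x php`, against a constructed local target."""
import http.server
import re
import threading
import urllib.error
import urllib.request
from http import HTTPStatus

# Constructed stand-in for the target: only these paths exist.
FAKE_PATHS = {
    "/": "<html>RecruitX</html>",
    "/reset.php": "<form>password reset</form>",
    "/api/": "{}",
}
# Assumed banner for the example only (the room's real banner may differ).
FAKE_SERVER_HEADER = "Apache/2.4.58 (Ubuntu)"


class _Target(http.server.BaseHTTPRequestHandler):
    """Answers GET/HEAD for FAKE_PATHS, 404 otherwise, with a fixed Server header."""

    def version_string(self):
        return FAKE_SERVER_HEADER  # what `curl -I` would show as Server:

    def _respond(self, send_body):
        body = FAKE_PATHS.get(self.path)
        if body is None:
            self.send_response(HTTPStatus.NOT_FOUND)
            self.end_headers()
            return
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        if send_body:
            self.wfile.write(body.encode())

    def do_GET(self):
        self._respond(send_body=True)

    def do_HEAD(self):
        self._respond(send_body=False)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Start the constructed target on a free localhost port; returns (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch_headers(base_url):
    """HEAD request, like `curl -I`; returns the response headers as a dict."""
    req = urllib.request.Request(base_url + "/", method="HEAD")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return dict(resp.headers)


def parse_server_version(server_header):
    """'Apache/2.4.58 (Ubuntu)' -> ('Apache', '2.4.58'); None if no product/version."""
    m = re.match(r"^([A-Za-z-]+)/([\d.]+)", server_header or "")
    return (m.group(1), m.group(2)) if m else None


def enumerate_dirs(base_url, wordlist, extensions=("", ".php", "/")):
    """gobuster-style brute force: every word with each extension; any non-404 is a hit."""
    hits = []
    for word in wordlist:
        for ext in extensions:
            path = f"/{word}{ext}"
            req = urllib.request.Request(base_url + path, method="GET")
            try:
                with urllib.request.urlopen(req, timeout=5) as resp:
                    hits.append((path, resp.status))
            except urllib.error.HTTPError as err:
                if err.code != 404:  # 403/401/30x still reveal that the path exists
                    hits.append((path, err.code))
    return hits


if __name__ == "__main__":
    srv, base = start_server()
    hdrs = fetch_headers(base)
    print("Server:", hdrs.get("Server"), "->", parse_server_version(hdrs.get("Server")))
    # Constructed mini wordlist; a real run would use a SecLists/dirb list.
    for path, status in enumerate_dirs(base, ["admin", "api", "reset", "login"]):
        print(f"{status} {path}")
    srv.shutdown()
```

The hit rule (anything but 404) matters in practice: a 403 on `/api/` or a 302 on `/admin` is still an endpoint worth investigating, which is exactly why gobuster reports those codes by default.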
What version of the Apache server is running?
2.4.58
What database service is running on the target?
mysql
What is the path to the password reset page?
/reset.php
Task 3: IDOR
This task demonstrates how to identify and exploit an Insecure Direct Object Reference (IDOR) vulnerability to…