TryHackMe: Offensive Security Intro — Learning Notes
My notes on the Offensive Security Intro room: using Gobuster to find an unlinked page on a fake banking app, and why hidden-but-not-protected fails.
These are my personal learning notes as I work through TryHackMe — honest notes, not an authoritative guide. Corrections welcome.
Overview
- Room: Offensive Security Intro — link
- Difficulty: Info / Easy
- What it teaches: The attacker mindset, and directory brute-forcing — finding pages on a website that exist but aren’t linked anywhere.
This was my first proper hands-on room. The scenario is a deliberately vulnerable online bank called “FakeBank.” The whole point is to show that a page being hidden is not the same as a page being protected — and that a simple tool can find the hidden ones in seconds.
Reconnaissance
The bank’s website only links to the normal customer pages you’d expect. But websites often have extra pages — admin panels, internal tools — that aren’t linked from anywhere and that the owner assumes nobody will find.
The tool for finding them is Gobuster. It takes a wordlist of common page and folder names, requests each one against the target, and reports the ones the server answers with something other than 404 Not Found (by default it hides the 404s, so every line it prints is a candidate worth looking at). It’s essentially guessing URLs at high speed from a dictionary, which also means it only finds names that are in the wordlist: an unlinked page with an unusual name can still slip past it.
```bash
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```
- `dir`: brute-force directories/files
- `-u`: the target URL
- `-w`: the wordlist to guess from
Reading the output, most guesses came back as misses, but a handful returned a status code showing the page really existed — including one directory that clearly wasn’t meant to be reachable by a customer.
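To see what the scan is actually doing, here is a self-contained Python version of the technique: a throwaway local HTTP server standing in for FakeBank, and a wordlist loop that records each guess’s status code and hides the 404s the way gobuster does by default. This is an added example, not the room’s material or gobuster’s code; the server, its paths (including the made-up `/internal-transfer`, which is not the room’s answer) and the seven-word wordlist are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target. Only "/" is "linked"; the other entries
# are paths the server answers for even though nothing points at them. The
# names are made up for this demo and are not the room's answer.
KNOWN_PATHS = {
    "/": 200,
    "/images": 301,             # directory exists; server redirects to /images/
    "/admin": 403,              # exists, but the server refuses to serve it
    "/internal-transfer": 200,  # exists, reachable, linked from nowhere
}

# Constructed mini wordlist standing in for directory-list-2.3-small.txt.
WORDLIST = ["css", "images", "login", "admin", "backup", "internal-transfer", "uploads"]


class FakeBankHandler(BaseHTTPRequestHandler):
    """Answers each request with the status code in KNOWN_PATHS, else 404."""

    def do_GET(self):
        status = KNOWN_PATHS.get(self.path, 404)
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, format, *args):  # keep the demo output quiet
        pass


def probe(host, port, path):
    """One raw GET; http.client does not follow redirects, so a 301 stays a 301."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def scan(host, port, wordlist, hide=(404,)):
    """Request every guess and return {path: status} for the ones not hidden.
    Hiding 404 mirrors gobuster's default, so every entry returned is a hit."""
    hits = {}
    for word in wordlist:
        path = "/" + word
        status = probe(host, port, path)
        if status not in hide:
            hits[path] = status
    return hits


def describe(status):
    """What each common status code tells the attacker about a guessed path."""
    return {
        200: "exists and is served to us",
        301: "directory exists (redirect to the trailing-slash form)",
        403: "exists but the server forbids access",
        404: "does not exist (or the server hides it)",
    }.get(status, "status %d, worth a manual look" % status)


def run_demo():
    """Start the fake bank on a free local port, scan it, and return the hits."""
    server = HTTPServer(("127.0.0.1", 0), FakeBankHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan("127.0.0.1", port, WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status in run_demo().items():
        print("%-20s %d  %s" % (path, status, describe(status)))
```

Run it and the three hits print with their status codes: the 301 tells you a directory is there even though you never see its contents, the 403 tells you something exists that you are not allowed to read, and the 200 is the one to open in a browser next. Four of the seven guesses never show up at all, because 404 is filtered, which is exactly why a real scan’s output is so short compared with the size of the wordlist.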
Exploitation / Foothold
That unlinked directory turned out to be an internal bank-transfer page — a form that could move money between accounts, sitting there with no login and no access control in front of it. Because I could reach it directly by URL, I could just use it.
I’m deliberately not printing the exact path here — the learning point is the technique (brute-forcing reveals unlinked pages), not the specific answer to this room. Anyone doing the room will find it in seconds with the scan above.
The “attack” was simply: open the page the scan revealed, fill in the transfer form, submit. No exploit code, no clever trick — the vulnerability was entirely that a sensitive page was left unprotected on the assumption that being unlinked made it safe.
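The vulnerability itself, as an added example rather than the room’s application code: a transfer handler that trusts any request that reaches it, beside a hardened version that first authenticates the caller and then checks that the session’s user owns the source account. Accounts, balances, owners and session tokens are constructed; the `sessions` dict stands in for whatever a real app would do to validate a login cookie.

```python
from dataclasses import dataclass


class TransferError(Exception):
    """Raised as TransferError(http_status, reason) so the caller sees what the endpoint would return."""


@dataclass
class Bank:
    # account number -> balance, and account number -> owning user (constructed)
    balances: dict
    owners: dict
    # session token -> logged-in user; stands in for a verified session cookie
    sessions: dict


def make_bank():
    """Fresh constructed state so each scenario starts from the same place."""
    return Bank(
        balances={"1001": 100, "1002": 20},
        owners={"1001": "alice", "1002": "bob"},
        sessions={"sess-alice": "alice", "sess-bob": "bob"},
    )


def _move(bank, src, dst, amount):
    """Shared bookkeeping; the two handlers differ only in what they check first."""
    if src not in bank.balances or dst not in bank.balances:
        raise TransferError(404, "no such account")
    if amount <= 0 or bank.balances[src] < amount:
        raise TransferError(400, "bad amount or insufficient funds")
    bank.balances[src] -= amount
    bank.balances[dst] += amount
    return bank.balances[src]


def transfer_unprotected(bank, src, dst, amount):
    """The FakeBank-style handler: reaching the URL is the only requirement.
    Whoever submits the form moves money out of any account they name."""
    return _move(bank, src, dst, amount)


def transfer_protected(bank, session_token, src, dst, amount):
    """Hardened handler: authenticate the caller (401 if not logged in), then
    authorize them against the *source* account (403 if it is not theirs).
    The page is still not linked anywhere; it simply no longer matters."""
    user = bank.sessions.get(session_token)
    if user is None:
        raise TransferError(401, "not authenticated")
    if bank.owners.get(src) != user:
        raise TransferError(403, "not your account")
    return _move(bank, src, dst, amount)


if __name__ == "__main__":
    bank = make_bank()
    # An anonymous visitor who found the page with a scan drains Alice's account.
    transfer_unprotected(bank, "1001", "1002", 100)
    print("unprotected, anonymous caller:", bank.balances)

    bank = make_bank()
    for token in (None, "sess-bob", "sess-alice"):
        try:
            transfer_protected(bank, token, "1001", "1002", 100)
            print("protected, %s: allowed -> %s" % (token, bank.balances))
        except TransferError as e:
            print("protected, %s: rejected with %s %s" % (token, e.args[0], e.args[1]))
```

The two checks in `transfer_protected` are the whole difference. Note that the authorization check is against the account being debited, not just “is this user logged in”: a logged-in Bob must still be refused when he names Alice’s account as the source, otherwise you have swapped an anonymous money-mover for one that only needs a free account.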
Lessons Learned
- New to me: Gobuster, and the whole idea of directory brute-forcing. I hadn’t realised how much of “hacking” at this level is just enumeration — methodically discovering what’s there — rather than dramatic exploits.
- The core concept that stuck: “security through obscurity” is not security. Hiding a page (not linking to it) does nothing if the page itself has no authentication. Reachability equals usability for an attacker. The fix is a server-side check on every request to the sensitive endpoint (is this caller logged in, and are they allowed to act on this account?), not a better-hidden URL; an unlinked page is still found by exactly the scan above.
- Where I got tripped up: I first pointed Gobuster at the wrong URL/port and got nothing but errors — a good reminder to confirm the target is actually up and I’m hitting the right address before assuming the tool is misbehaving.
- Do differently / revisit: I want to understand HTTP status codes properly (200 vs 301 vs 403 vs 404), because reading them is what tells you a “hidden” page exists. That’s clearly foundational and I’ll come back to it.
References
- Gobuster documentation: https://github.com/OJ/gobuster
- The room’s own guided tasks on TryHackMe