CTF collection Vol.2 Tryhackme Writeup

Shamsher khan
8 min read · Apr 24, 2021

By Shamsher Khan. This is a writeup of the TryHackMe room “CTF collection Vol.2”.

Note: please complete CTF collection Vol.1 before Vol.2.

Room link: https://tryhackme.com/room/ctfcollectionvol2
Note: this room is free.

Difficulty: Medium

Welcome, welcome and welcome to another CTF collection. This is the second installment of the CTF collection series. For your information, the second series focuses on web-based challenges. There are a total of 20 easter eggs, a.k.a. flags, that can be found within the box. Let's see how good your CTF skills are.

Now, deploy the machine and collect the eggs!

Warning: The challenge contains seizure-inducing images and backgrounds. If you feel uncomfortable, try removing the background in the <style> tag.

Note: All the challenge flags are formatted as THM{flag}, unless stated otherwise.

Fact: Eggs contain the highest quality protein you can buy.

Task 2: Easter egg

Enumeration

We have two ports open: 22, serving SSH, and 80, serving HTTP with Apache. I also noticed something weird in the results, something that looks like base64, but let's move on and discover what it is.

Port 80

Gobuster

gobuster dir -u http://10.10.159.96 -w directory-list-2.3-medium.txt -x php,html,txt

http://10.10.159.96/robots.txt

Easter 1

https://www.duplichecker.com/hex-to-text.php

Another Method

Easter 2

Hint: Decode the base64 multiple times. Don’t forget there is something being encoded.

From the robots.txt file, there is a hidden resource:

Install the urlencode tool:

sudo apt-get install gridsite-clients
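The robots.txt value is only shown in a screenshot, so the following is an added example (not the author's code) of the hint's approach on a constructed sample: it peels base64 layers until the text carries the THM{ marker, stops being valid base64, or decodes to non-printable bytes. The sample flag and its three base64 layers are constructed here.

```python
import base64
import binascii
import re

# Constructed sample input (not the room's real value): a flag wrapped in
# three layers of base64, the situation the Easter 2 hint describes.
PLAIN = "THM{example_flag}"
SAMPLE = PLAIN
for _ in range(3):
    SAMPLE = base64.b64encode(SAMPLE.encode()).decode()

# Base64 alphabet with at most two '=' padding characters at the end.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def peel_base64(data: str, max_layers: int = 20) -> tuple[str, int]:
    """Decode base64 repeatedly and return (result, layers_removed).

    Stops when the text carries the flag marker, is not valid base64,
    or decodes to bytes that are not printable text (an image, or data
    in a different encoding that needs another tool).
    """
    current = data.strip()
    layers = 0
    while layers < max_layers and "THM{" not in current:
        # Re-add '=' padding, which is often lost when a value is copied around.
        candidate = current + "=" * (-len(current) % 4)
        if not _B64_RE.match(candidate):
            break
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not decoded.isprintable():
            break
        current = decoded.strip()
        layers += 1
    return current, layers


if __name__ == "__main__":
    result, layers = peel_base64(SAMPLE)
    print(f"peeled {layers} layer(s): {result}")
```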

Easter 3

Hint: Directory buster with common.txt might help.

Dirsearch found /login/. The page itself contains an easter egg:

Easter 4

Hint: time-based sqli

The /login/ page was found by dirsearch. Let’s check whether its fields are vulnerable to SQL injection. We’ll first use Burp Suite to intercept a POST request to the login form and save it from the HTTP history as request.txt.

This process will take 10 minutes

Now that we have the database, let’s dump the tables:

Let’s see the structure of the nothing_inside table:

Only 1 field, let’s dump the table:

Easter 5

Hint: Another sqli

Still using the same SQL injection as for easter 4, let’s dump the user table:

Searching Google for the hash 05f3672ba34409136aa71b8d00070d1b shows that it corresponds to the following password: *****

Now, let’s authenticate with Deskel:*****:

Easter 6

Hint: Look out for the response header.

Easter 7

Hint: Cookie is delicious

When you visit the home page, you see the following title:

From the header, we see that there is a cookie named Invited set to 0:

Let’s set 1 instead:

Easter 8

Hint: Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1

curl -s --user-agent "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1" http://10.10.159.96 | grep "THM"

Easter 9

Hint: Something is redirected too fast. You need to capture it.

Easter 10

Hint: Look at THM URL without https:// and use it as a referrer.

When we try to visit the /free_sub/ page (linked from the home page), we are told that only people coming from tryhackme are allowed:

Let’s modify our referer:

Easter 11

Hint: Tamper with the HTML

There is a dropdown on the main page, in the menu section. It allows you to choose between salad, sandwich, tyre or DesKel.

If you choose salad for example, you will be told to choose an egg instead, but egg is not on the list.

Oh, you prefer eggs? No problem…

Easter 12

Hint: Fake js file

A JavaScript file is included in the home page:

But this is a fake jQuery:

In this file the ahem() function is defined but never called, so just add one line that calls it and run it in a JavaScript interpreter (e.g. http://math.chapman.edu/~jipsen/js/):

function ahem()
{
  // Hex string taken from the fake jQuery file.
  var str1 = '4561737465722031322069732054484d7b68316464336e5f6a355f66316c337d';
  var hex = str1.toString();
  var str = '';
  // Decode two hex digits at a time into one character.
  for (var n = 0; n < hex.length; n += 2) {
    str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
  }
  return str;
}
// The added line: print the decoded string. The online interpreter linked
// above also accepts write(ahem()); console.log works in Node.js and browsers.
console.log(ahem());

Easter 13

The page discovered at easter #9 redirects to /ready/gone.php, which contains the flag:

Easter 14

Hint: Embed image code

Flag 14 is straightforward: the main page source code contains the flag as a PNG image encoded in base64. Decode it and read the flag from the picture.

Decode the base64:

https://codebeautify.org/base64-to-image-converter

Easter 15

Hint: Try guessing the alphabet and the hash code

When we connect to /game1/ (found by dirsearch), we are prompted for a combination, and we see a hash proposed as a hint:

If we post the alphabet, we get the numerical value corresponding to each letter. Let’s do it for the upper case letters:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

And also for the lower case letters:

We now have the numbers associated with each upper case letter (99=A, 100=B, 101=C, … 141=Z) and lower case letter (89=a, 90=b, …, 18=z), and we can decode the message:

51 89 77 93 126 14 93 10
G a m e O v e r

Let’s post our answer to get the flag:

Easter 16

Hint: Make all inputs into one form.

The page has 3 forms whose action points to the same page, using the same method (POST), each containing a button.

It is not possible to push all the buttons at the same time. However, we can send all the values in a single POST to the page, and the server will think that the buttons have all been clicked:

Easter 17

Hint: bin -> dec -> hex -> ascii

From the source code of the main page:

<!--! Easter 17-->
<button onclick="nyan()">Mulfunction button</button><br>
<p id="nyan"></p>
<script>
function catz(){
document.getElementById("nyan").innerHTML = "100010101100001011100110111010001100101011100100010000000110001001101110011101000100000010101000100100001001101011110110110101000110101010111110110101000110101010111110110101100110011011100000101111101100100001100110110001100110000011001000011001101111101"
}
</script>

Let’s solve that in Python:
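The author's Python solution was posted as a screenshot; this is an added example (not the page's own code) that follows the hint's bin -> dec -> hex -> ascii route on the binary string from the source above. That string is 255 bits long, so the leading zero of the first byte was dropped: chunking into 8-bit groups from the left produces garbage, while treating the whole string as one number does not.

```python
# Binary string copied from the page's Easter 17 source (the catz() function).
EASTER_17_BITS = "100010101100001011100110111010001100101011100100010000000110001001101110011101000100000010101000100100001001101011110110110101000110101010111110110101000110101010111110110101100110011011100000101111101100100001100110110001100110000011001000011001101111101"


def decode_binary_as_number(bits: str) -> str:
    """Follow the hint literally: bin -> dec -> hex -> ascii.

    Treating the whole string as one number makes a missing leading
    zero irrelevant, because 0b0100... and 0b100... are the same integer.
    """
    value = int(bits, 2)                 # bin -> dec
    hex_digits = format(value, "x")      # dec -> hex
    if len(hex_digits) % 2:              # odd digit count: top nibble was 0
        hex_digits = "0" + hex_digits
    return bytes.fromhex(hex_digits).decode("ascii")  # hex -> ascii


def decode_fixed_chunks(bits: str) -> str:
    """The obvious approach: read 8 bits at a time from the left.

    Only correct when the string starts on a byte boundary.
    """
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def leading_zeros_dropped(bits: str) -> int:
    """How many leading zeros are missing for the string to be whole bytes."""
    return -len(bits) % 8


if __name__ == "__main__":
    print("dropped leading zeros:", leading_zeros_dropped(EASTER_17_BITS))
    print("fixed 8-bit chunks   :", repr(decode_fixed_chunks(EASTER_17_BITS)))
    print("bin->dec->hex->ascii :", decode_binary_as_number(EASTER_17_BITS))
```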

Easter 18

Hint: Request header. Format is egg:Yes

Easter 19

Hint: A thick dark line

$ wget http://10.10.141.149/small
$ file small.png
small.png: PNG image data, 900 x 100, 4-bit colormap, non-interlaced

Easter 20

Hint: You need to POST the data instead of GET. Burp suite or curl might help.

From the source code of the main page:

Now, if we send the username and password using the POST method to the main page, we are provided with the easter egg:

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher

For more walkthroughs, stay tuned…
Before you go…

Visit my other walkthroughs:

and thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share it to help others with similar interests! Feedback is always welcome!

Shamsher khan

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer