CTF collection Vol.2 Tryhackme Writeup
By Shamsher Khan. This is a writeup of the TryHackMe room “CTF collection Vol.2”.
Note: Please Complete CTF collection Vol.1 Before Vol.2
Room link: https://tryhackme.com/room/ctfcollectionvol2
Note: This room is Free
Difficulty: Medium
Welcome, welcome and welcome to another CTF collection. This is the second installment of the CTF collection series. For your information, the second series focuses on web-based challenges. There are a total of 20 easter eggs, a.k.a. flags, that can be found within the box. Let's see how good your CTF skills are.
Now, deploy the machine and collect the eggs!
Warning: The challenge contains seizure-inducing images and background. If you feel uncomfortable, try removing the background in the <style> tag.
Note: All the challenge flags are formatted as THM{flag}, unless stated otherwise.
Fact: Eggs contain the highest quality protein you can buy.
Task 2 : Easter egg
Enumeration
We have two ports open: the first one is 22, serving SSH, and the second one is 80, serving HTTP with Apache. I noticed something weird in the results, something that looks like base64, but let us move on and discover what it is later.
Port 80
Gobuster
gobuster dir -u http://10.10.159.96 -w directory-list-2.3-medium.txt -x php,html,txt
http://10.10.159.96/robots.txt
Easter 1
Another Method
Easter 2
Hint: Decode the base64 multiple times. Don't forget there is something else being encoded.
From the robots.txt file, there is a hidden resource:
Install urlencode tool
sudo apt-get install gridsite-clients
Easter 3
Hint: Directory buster with common.txt might help.
Dirsearch found /login/. The page itself contains an easter egg:
Easter 4
Hint: time-based sqli
The /login/ page was found by dirsearch. Let's check whether its fields are vulnerable to SQL injection. We first use Burp Suite to intercept a POST request to the login form and save it from the HTTP history as request.txt.
This process will take 10 minutes
Now that we have the database, let’s dump the tables:
Let's see the structure of the nothing_inside table:
Only 1 field, let’s dump the table:
Easter 5
Hint: Another sqli
Still using the same SQL injection as for easter 4, let’s dump the user table:
Search for the 05f3672ba34409136aa71b8d00070d1b hash on Google; it corresponds to the following password: *****
Now, let’s authenticate with Deskel:*****:
Easter 6
Hint: Look out for the response header.
Easter 7
Hint: Cookie is delicious
When you visit the home page, you see the following title:
From the header, we see that there is a cookie named Invited set to 0:
Let's set it to 1 instead:
Easter 8
Hint: Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1
curl -s --user-agent "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1" http://10.10.159.96 | grep "THM"
Easter 9
Hint: Something is redirected too fast. You need to capture it.
Easter 10
Hint: Look at THM URL without https:// and use it as a referrer.
When we try to visit the /free_sub/ page (linked from the home page), we are told that only people coming from tryhackme are allowed:
Let's modify our Referer header:
Easter 11
Hint: Tamper with the HTML
There is a dropdown on the main page, in the menu section. It allows you to choose between salad, sandwich, tyre or DesKel.
If you choose salad, for example, you are told to choose an egg instead, but egg is not in the list.
Oh, you prefer eggs? No problem…
Easter 12
Hint: Fake js file
A JavaScript file is included in the home page:
But this is a fake jquery:
In this file the function ahem() is never called, so just add one line that calls ahem() and run it in a JavaScript interpreter (e.g. http://math.chapman.edu/~jipsen/js/):
function ahem()
{
  // hex-encoded string taken from the fake jquery file
  var str1 = '4561737465722031322069732054484d7b68316464336e5f6a355f66316c337d';
  var hex = str1.toString();
  var str = '';
  for (var n = 0; n < hex.length; n += 2) {
    // take two hex digits at a time and turn them into the matching ASCII character
    str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
  }
  return str;
}
// the added line: call ahem() and print its result (use write(ahem()) in the chapman.edu interpreter)
console.log(ahem());
Easter 13
The page discovered at easter #9 redirects to /ready/gone.php, which contains the flag:
Easter 14
Hint: Embed image code
Flag 14 is straightforward: the main page's source code contains the flag as a PNG image encoded in base64. Decode it and read the flag from the picture.
decode base64
Easter 15
Hint: Try guessing the alphabet and the hash code
When we connect to /game1/ (found by dirsearch), we are prompted for a combination, and we see a hash proposed as a hint:
If we post the alphabet, we get the correspondence between letters and numerical values. Let's do it for the upper case letters:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
And also for the lower case letters:
We now have the numbers associated with each upper case letter (99=A, 100=B, 101=C, … 141=Z) and each lower case letter (89=a, 90=b, …, 18=z), and we can decode the message:
51 89 77 93 126 14 93 10
G a m e O v e r
Let’s post our answer to get the flag:
Easter 16
Hint: Make all inputs into one form.
The page has 3 forms whose action points to the same page, using the same method (POST), each containing a button.
It is not possible to push all the buttons at the same time. However, we can send all the values in a single POST to the page, and the server will think that all the buttons have been clicked:
Easter 17
Hint: bin -> dec -> hex -> ascii
From the source code of the main page:
<!--! Easter 17-->
<button onclick="nyan()">Mulfunction button</button><br>
<p id="nyan"></p>
<script>
function catz(){
document.getElementById("nyan").innerHTML = "100010101100001011100110111010001100101011100100010000000110001001101110011101000100000010101000100100001001101011110110110101000110101010111110110101000110101010111110110101100110011011100000101111101100100001100110110001100110000011001000011001101111101"
}
</script>
Let’s solve that in python:
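The following Python decoder is an added example (my own code, not from the room or the original post). It follows the hint chain bin -> dec -> hex -> ascii on the bit string copied from the catz() function above; because the string was written out as one number, the leading zero of the first byte was dropped, and padding the hex string to an even number of digits restores it.

```python
# Added example (not from the room or the original post): decode the Easter 17
# string by following the hint chain bin -> dec -> hex -> ascii.
# The bit string below is copied from the page's catz() function.
BITS = (
    "100010101100001011100110111010001100101011100100010000000110001"
    "0011011100111010001000000101010001001000010011010111101101101010"
    "0011010101011111011010100011010101011111011010110011001101110000"
    "0101111101100100001100110110001100110000011001000011001101111101"
)


def bin_to_dec(bits: str) -> int:
    """Step 1: read the whole bit string as one big integer."""
    return int(bits, 2)


def dec_to_hex(value: int) -> str:
    """Step 2: write the integer in hex. The leading zero nibble of the first
    byte is lost when the number is written out, so pad to an even digit count
    so that every byte is two hex digits again."""
    digits = format(value, "x")
    return digits if len(digits) % 2 == 0 else "0" + digits


def hex_to_ascii(digits: str) -> str:
    """Step 3: pair up hex digits into bytes and decode them as ASCII."""
    return bytes.fromhex(digits).decode("ascii")


def decode_easter17(bits: str = BITS) -> str:
    """Run the three hint steps in order and return the hidden text."""
    return hex_to_ascii(dec_to_hex(bin_to_dec(bits)))


if __name__ == "__main__":
    print(decode_easter17())
```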
Easter 18
Hint: Request header. Format is egg:Yes
Easter 19
Hint: A thick dark line
$ wget http://10.10.141.149/small
$ file small.png
small.png: PNG image data, 900 x 100, 4-bit colormap, non-interlaced
Easter 20
Hint: You need to POST the data instead of GET. Burp suite or curl might help.
From the source code of the main page:
Now, if we send the username and password using the POST method to the main page, we are provided with the easter egg:
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthroughs:-
and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share it to help others with similar interests! Feedback is always welcome!