Open in app

Sign in

Write

Sign in

CTF Collection Vol. 2 TryHackMe Writeup

Shivam Taneja
5 min readOct 21, 2022

--

TryHackMe: CTF Collection Vol. 2 Writeup

The title is enough.

Challenge home page.

0. Scanning & Enumeration

Port Scanning

PORT STATE SERVICE VERSION

6/tcp filtered unknown

22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 1024 1b:c2:b6:2d:fb:32:cc:11:68:61:ab:31:5b:45:5c:f4 (DSA)

| 2048 8d:88:65:9d:31:ff:b4:62:f9:28:f2:7d:42:07:89:58 (RSA)

|_ 256 40:2e:b0:ed:2a:5a:9d:83:6a:6e:59:31:db:09:4c:cb (ECDSA)

80/tcp open http Apache httpd 2.2.22 ((Ubuntu))

| http-methods:

|_ Supported Methods: GET HEAD POST OPTIONS

| http-robots.txt: 1 disallowed entry

|_/VlNCcElFSWdTQ0JKSUVZZ1dTQm5JR1VnYVNCQ0lGUWdTU0JFSUVrZ1p5QldJR2tnUWlCNklFa2dSaUJuSUdjZ1RTQjVJRUlnVHlCSklFY2dkeUJuSUZjZ1V5QkJJSG9nU1NCRklHOGdaeUJpSUVNZ1FpQnJJRWtnUlNCWklHY2dUeUJUSUVJZ2NDQkpJRVlnYXlCbklGY2dReUJDSUU4Z1NTQkhJSGNnUFElM0QlM0Q=

|_http-server-header: Apache/2.2.22 (Ubuntu)

|_http-title: 360 No Scope!

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I do not know about port 6, but we see some interesting stuff in robots.txt right away.

Web Enumeration

┌──(kali㉿kali)-[~]

└─$ gobuster dir -u 10.10.9.174 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ‘php,html,txt’ -t 32 -q

/login (Status: 301) [Size: 310] [ → http://10.10.9.174/login/]

/index (Status: 200) [Size: 94328]

/index.php (Status: 200) [Size: 94328]

/button (Status: 200) [Size: 39148]

/static (Status: 200) [Size: 253890]

/cat (Status: 200) [Size: 62048]

/small (Status: 200) [Size: 689]

/who (Status: 200) [Size: 3847428]

/robots (Status: 200) [Size: 430]

/robots.txt (Status: 200) [Size: 430]

/iphone (Status: 200) [Size: 19867]

/game1 (Status: 301) [Size: 310] [ → http://10.10.9.174/game1/]

/egg (Status: 200) [Size: 25557]

/dinner (Status: 200) [Size: 1264533]

/ty (Status: 200) [Size: 198518]

/ready (Status: 301) [Size: 310] [ → http://10.10.9.174/ready/]

/saw (Status: 200) [Size: 156274]

/game2 (Status: 301) [Size: 310] [ → http://10.10.9.174/game2/]

/wel (Status: 200) [Size: 155758]

/free_sub (Status: 301) [Size: 313] [ → http://10.10.9.174/free_sub/]

/nicole (Status: 200) [Size: 367650]

/server-status (Status: 403) [Size: 292]

I let this scan run, and explored the tasks one by one — albeit randomly.

Easter 1

Shove the hex thingy into CyberChef.

Easter 2

Take the disallowed directory name, and put it as such:

base64 -> base64 -> remove spaces -> base64 -> remove spaces -> base64

Feel free to use python3 snippet, ‘’.join(x.strip().split()), where x is the string to remove the spaces.

Go to the directory and view the source code.

Easter 3

/login/ source code :D

Easter 4

I used sqlmap to do the attacks automatically.

Database: THM_*****_**

Table: nothing_inside

[1 entry]

+ — — — — — — — — — — — — -+

| Easter_4 |

+ — — — — — — — — — — — — -+

| THM{noice} |

+ — — — — — — — — — — — — -+

Easter 5

Continuing on the previous one, look for the database dump, crack the hash using hashcat. The mode is 0 aka md5sum.

Easter 6

The hint says “Look out for the response header”.

┌──(kali㉿kali)-[/tmp]

└─$ curl -i 10.10.9.174 -s | grep -v “Easter 14” | grep -i “easter”

Busted: Hey, you found me, take this Easter 6: THM{yee}

<! — ! Easter 17 →

<h3> Hey! I got the easter 20 for you. I leave the credential for you to POST (username:DesKel, password:heIsDumb). Please, I beg you. Don’t let him know.</h3>

Here,

curl

  • -i gets the response header as well as the complete response
  • -s is Silent mode

grep

  • -v to inVert the search — that is, remove it from the search results
  • -i is case Insensitive search

Easter 7

Checking the cookies.

Easter 8

We change our user agent using curl as,

curl -A “Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1” 10.10.9.174 > rich.txt

Taken from here.

┌──(kali㉿kali)-[/tmp]

└─$ cat rich.txt | grep “Easter 8”

<h4>You are Rich! Subscribe to THM server ^^ now. Oh btw, Easter 8: THM{mmmmm}

Easter 9

This one is closely related to 13. Once you press the button, you are taken to an intermediate page. Read the source code.

Easter 10

We change the referer to tryhackme.com, without the http:// part.

┌──(kali㉿kali)-[~]

└─$ curl -H “referer: tryhackme.com” http://10.10.9.174/free_sub/

Nah, there are no voucher here, I’m too poor to buy a new one XD. But i got an egg for you. Easter 10: THM{mmmm}

Recall, -H is used to specify the header.

Easter 11

Main page, dinner menu. The hint is to select egg, but we do not have it as an option. So, we put a request as such:

curl — data “dinner=egg&submit=submit” 10.10.9.174 | grep -v “Easter 14” | grep -i “easter”

— data is self explanatory. Rest of the flags have been explained above.

Easter 12

We find a hidden and useless javascript file in the Network tab.

Go to console and execute the function.

Easter 13

Destroy the world to get the flag. Press the big button on the home page. Related to 9. Let the redirect happen.

Easter 14

Viewing the source code of the main page, we get the following comment:

<! — Easter 14<img src=”data:image/png;base64,iVBORw0KGgo …

Remove the comment parts and the html tags, and put it in CyberChef. As usual, magic button works its charm.

Easter 15: Game 1

This one is a concoction of smart and dumb at the same time. You have to realise that those hashes are just mappings from letters to numbers. Moreover, they are deterministic.

So, how do you get ALL the possible mappings? Its big brain time (for you. I did it already).

PS: Feel free to use python3 again :) PPS: And what does mapping map to, in python lingo?

Easter 16: Game 2

This one is very straight forward too, just use curl, and the -F flag to specify stuff. It stands for field.

Use the below:

curl -X POST http://10.10.9.174/game2/ -F “button3=button3” -F “button2=button2” -F “button1=button1”

Easy.

Easter 17

<script>

function catz(){

document.getElementById(“nyan”).innerHTML = “1000…”

}

</script>

Take the binary and then … Binary -> Hex -> Text -> Stonks.

Easter 18

The YES to say to the eggs one. curl -H “egg: YES” 10.10.9.174 | grep “Easter”

Easy :)

Easter 19

The thick dark line is an image. Check the source code :)

Easter 20

<h3> Hey! I got the easter 20 for you. I leave the credential for you to POST (username:DesKel, password:heIsDumb). Please, I beg you. Don’t let him know.</h3>

curl — data “username=DesKel&password=heIsDumb” -X POST 10.10.9.174 | grep “Easter 20”

And … we are done!

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Ctf
Tryhackme
Coding
Hacking
Linux

--

--

Shivam Taneja
Shivam Taneja

Written by Shivam Taneja

28 Followers
17 Following

IT Security Consultant, Researcher, Penetration Tester & Hacker.

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams