Open in app

Sign in

Write

Sign in

TryHackMe: CTF Collection Vol. 2 Writeup

Lots of Easter Eggs, Lots of Fun Little Things. Do You CURL though?

Tanishq Chaudhary
5 min readJun 1, 2021
THM Challenge logo

0. Scanning & Enumeration

Port Scanning

PORT   STATE    SERVICE VERSION
6/tcp  filtered unknown
22/tcp open     ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 1b:c2:b6:2d:fb:32:cc:11:68:61:ab:31:5b:45:5c:f4 (DSA)
|   2048 8d:88:65:9d:31:ff:b4:62:f9:28:f2:7d:42:07:89:58 (RSA)
|_  256 40:2e:b0:ed:2a:5a:9d:83:6a:6e:59:31:db:09:4c:cb (ECDSA)
80/tcp open     http    Apache httpd 2.2.22 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/VlNCcElFSWdTQ0JKSUVZZ1dTQm5JR1VnYVNCQ0lGUWdTU0JFSUVrZ1p5QldJR2tnUWlCNklFa2dSaUJuSUdjZ1RTQjVJRUlnVHlCSklFY2dkeUJuSUZjZ1V5QkJJSG9nU1NCRklHOGdaeUJpSUVNZ1FpQnJJRWtnUlNCWklHY2dUeUJUSUVJZ2NDQkpJRVlnYXlCbklGY2dReUJDSUU4Z1NTQkhJSGNnUFElM0QlM0Q=
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: 360 No Scope!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I do not know about port 6, but we see some interesting stuff in robots.txt right away.

Web Enumeration

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 10.10.9.174 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 'php,html,txt' -t 32 -q/login                (Status: 301) [Size: 310] [--> http://10.10.9.174/login/]                   
/index                (Status: 200) [Size: 94328]                              
/index.php            (Status: 200) [Size: 94328]                              
/button               (Status: 200) [Size: 39148]                              
/static               (Status: 200) [Size: 253890]                             
/cat                  (Status: 200) [Size: 62048]                              
/small                (Status: 200) [Size: 689]                                
/who                  (Status: 200) [Size: 3847428]                            
/robots               (Status: 200) [Size: 430]                                
/robots.txt           (Status: 200) [Size: 430]                                
/iphone               (Status: 200) [Size: 19867]                              
/game1                (Status: 301) [Size: 310] [--> http://10.10.9.174/game1/]
/egg                  (Status: 200) [Size: 25557]                              
/dinner               (Status: 200) [Size: 1264533]                            
/ty                   (Status: 200) [Size: 198518]                             
/ready                (Status: 301) [Size: 310] [--> http://10.10.9.174/ready/]
/saw                  (Status: 200) [Size: 156274]                             
/game2                (Status: 301) [Size: 310] [--> http://10.10.9.174/game2/]
/wel                  (Status: 200) [Size: 155758]                             
/free_sub             (Status: 301) [Size: 313] [--> http://10.10.9.174/free_sub/]
/nicole               (Status: 200) [Size: 367650]                                
/server-status        (Status: 403) [Size: 292]

I let this scan run, and explored the tasks one by one — albeit randomly.

Easter 1

robots.txt page on the website, even shown by nmap is present here.

Shove the hex thingy into CyberChef.

Easter 2

Take the disallowed directory name, and put it as such:

base64 -> base64 -> remove spaces -> base64 -> remove spaces -> base64

Feel free to use python3 snippet, ''.join(x.strip().split()), where x is the string to remove the spaces.

Go to the directory and view the source code.

Easter 3

/login/ source code :D

Easter 4

I used sqlmap to do the attacks automatically.

Database: THM_*****_**
Table: nothing_inside
[1 entry]
+-------------------------+
| Easter_4                |
+-------------------------+
| THM{noice}              |
+-------------------------+

Easter 5

Continuing on the previous one, look for the database dump, crack the hash using hashcat. The mode is 0 aka md5sum.

Easter 6

The hint says “Look out for the response header”.

┌──(kali㉿kali)-[/tmp]
└─$ curl -i 10.10.9.174 -s | grep -v "Easter 14" | grep -i "easter"
Busted: Hey, you found me, take this Easter 6: THM{yee}
        <!--! Easter 17-->
        <h3> Hey! I got the easter 20 for you. I leave the credential for you to POST (username:DesKel, password:heIsDumb). Please, I beg you. Don't let him know.</h3>

Here,

curl

  • -i gets the response header as well as the complete response
  • -s is Silent mode

grep:

  • -v to inVert the search — that is, remove it from the search results
  • -i is case Insensitive search

Easter 7

Checking the cookies.

checking the cookies in the storage.

Easter 8

We change our user agent using curl as,

curl -A "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1" 10.10.9.174 > rich.txt

Taken from here.

┌──(kali㉿kali)-[/tmp]
└─$ cat rich.txt | grep "Easter 8"
                        <h4>You are Rich! Subscribe to THM server ^^ now. Oh btw, Easter 8: THM{mmmmm}

Easter 9

This one is closely related to 13. Once you press the button, you are taken to an intermediate page. Read the source code.

source code, if we quickly swoop in

Easter 10

We change the referer to tryhackme.com, without the http:// part.

┌──(kali㉿kali)-[~]
└─$ curl -H "referer: tryhackme.com" http://10.10.9.174/free_sub/ 
Nah, there are no voucher here, I'm too poor to buy a new one XD. But i got an egg for you. Easter 10: THM{mmmm}

Recall, -H is used to specify the header.

Easter 11

the menu part of the page, suggesting to use eggs.

Main page, dinner menu. The hint is to select egg, but we do not have it as an option. So, we put a request as such:

curl --data "dinner=egg&submit=submit" 10.10.9.174 | grep -v "Easter 14" | grep -i "easter"

--data is self explanatory. Rest of the flags have been explained above.

Easter 12

We find a hidden and useless javascript file in the Network tab.

The network pane, showing an additional JavaScript file.

Go to console and execute the function.

Easter 13

Destroy the world to get the flag. Press the big button on the home page. Related to 9. Let the redirect happen.

Easter 14

Viewing the source code of the main page, we get the following comment:

<!--Easter 14<img src="data:image/png;base64,iVBORw0KGgo ...

Remove the comment parts and the html tags, and put it in CyberChef. As usual, magic button works its charm.

Easter 15: Game 1

This one is a concoction of smart and dumb at the same time. You have to realise that those hashes are just mappings from letters to numbers. Moreover, they are deterministic.

So, how do you get ALL the possible mappings? Its big brain time (for you. I did it already).

PS: Feel free to use python3 again :) PPS: And what does mapping map to, in python lingo?

Easter 16: Game 2

This one is very straight forward too, just use curl, and the -F flag to specify stuff. It stands for field.

Use the below:

curl -X POST http://10.10.9.174/game2/ -F "button3=button3" -F "button2=button2" -F "button1=button1"

Easy.

Easter 17

<script>
	function catz(){
        	document.getElementById("nyan").innerHTML = "1000..."
	}
	</script>

Take the binary and then … Binary -> Hex -> Text -> Stonks.

Easter 18

The YES to say to the eggs one. curl -H "egg: YES" 10.10.9.174 | grep "Easter"

Easy :)

Easter 19

The thick dark line is an image. Check the source code :)

Easter 20

In the source code, we have:

<h3> Hey! I got the easter 20 for you. I leave the credential for you to POST (username:DesKel, password:heIsDumb). Please, I beg you. Don't let him know.</h3>

So we use curl again, and specify this additional data.

curl --data "username=DesKel&password=heIsDumb" -X POST 10.10.9.174 | grep "Easter 20"

And we are done!

Originally published at https://chaudhary1337.github.io.

Tryhackme Writeup

--

--

Tanishq Chaudhary
Tanishq Chaudhary

Written by Tanishq Chaudhary

86 Followers
1 Following

Trying out some stuff.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams