Based on the Twins film, find the hidden keys.
Julius and Vincent have gone into the SERVICES market to try and get the family back together.
They have just deployed a new version of their code, but Vincent has messed up the deployment!Can you help their mother find and recover the hidden keys and bring the family and girlfriends back together?
Enumeration
The first thing I did was to scan the IP with NMAP to learn more about the host and the technologies it was using.
- -sC : Equivalent to — script=default
- -sV : Probe open ports to determine service/version info
- -Pn : Treat all hosts as online
There are SSH on port 22 and a web server on port 80.
- SSH on port 22 runs OpenSSH 8.0
- HTTP on port 80 runs Nginx 1.14.1
After discovering this, I decided to see what the website looked like on port 80.
Mmmh, I was a little disapointed so I launched Gobuster to do a little more enumeration.
- dir : Enumerate directories
- -u : The URL to enumerate
- -w : The wordlist to use
As soon as I saw the /info page, I decided to check it out.
The login API needs to be called with the username and password form fields fields. It has not been fully tested yet so may not be full developped and secure
After further enumeration, I opened Burpsuite to try to learn more about the API.
With another request…
After multiple requests, it sent me back different build numbers and different server names.
Remember “Vincent has messed up the deployment!” ? At this time, I knew I was in the right way…
I needed to login with the API. So I tried this:
Bingo, that’s what I looked for. I used the GET method, but for login forms, it needs to be with POST method so here’s what I did :
The username or password passed are not correct.
SQL Injection
After having tried many times to perform SQL injections via Burpsuite, I then tried with Curl.
- -X : The method used
- -d : HTTP POST data
That’s how I was able to discover the users.
After this little victory, I tried to go further…
I then extracted the tables :
I saw 3 tables :
- notes
- sqlite_sequence
- users
When I dumped users’s table, it gaves me an error 500 :
So, I dumped notes :
I have left my notes on the server. They will me help get the family back together. My password is **********************************
I used hash-identifier to know the type of hash that was given to me.
SHA-512
The first thing I did after discovering the hash type was to go and check the online databases. So I went to Crackstation, and so I was able to get the password.
To find out who the password belonged to, I created a list of usernames, with the ones retrieved earlier, and brute-forced the SSH with Hydra.
- -L : List of usernames
- -p : The password
- -t : Number of threads
I was then connected to SSH with mary_ann, and got the user flag.
Final Flag
Now you have found my notes you now you need to put my extended family together. We need to GET their IMAGE for the family album. These can be retrieved by NAME. You need to find all of them and a picture of myself!
As soon as I read this note, I knew it wasn’t going to be a classic elevation of privilege.
I immediately realized that the directory I had found earlier with Gobuster (/get_image) was going to be useful now.
After finding the first image, I decided to look for messages hidden inside, for that I used StegHide.
- -sf : Select stego file & extract data from it
You need to find all my children and arrange in a rainbow!
All I had to do was to extract the txt file of the photos of the other people of his family, and to organize the answers according to the colors of the rainbow, that gave me a chain of characters which can easily be deciphered with CyberChief.
After deciphering the chain of characters, I got the Final Flag.
PWNED !!!
Thank you for reading this write-up, I hope it helped you.