Understanding CTF TryHackMe - Include
Capture The Flag (CTF) challenges on platforms like TryHackMe provide hands-on experience in identifying and exploiting vulnerabilities in web applications and servers. This guide focuses on a practical CTF scenario that tests skills in server exploitation, web penetration testing, privilege escalation, and API exploitation. By following a structured approach—from initial reconnaissance to flag retrieval—you’ll gain insights into real-world attack vectors and defensive strategies.
Key Points
- Initial Reconnaissance: Use tools like `nmap` to map open ports and services.
- Web Application Analysis: Identify and exploit vulnerabilities in web apps running on different ports.
- Privilege Escalation: Modify request parameters (e.g., `isAdmin`) to gain elevated access.
- API Exploitation: Leverage internal APIs to extract sensitive data (e.g., admin credentials).
- Local File Inclusion (LFI): Exploit file path vulnerabilities to access system files (e.g., `/etc/passwd`).
- User Enumeration: Extract valid usernames from system files for targeted attacks.
- Brute Force Attacks: Use tools like `hydra` to crack SSH passwords.
- Flag Retrieval: Locate and submit flags hidden in the system to complete the challenge.
Step-by-Step Walkthrough
Initial Reconnaissance with Nmap
Start by scanning the target for open ports and services using nmap. This helps identify potential entry points.
Command:
nmap -sV <TARGET_IP>
Scan Results:
| Port | Service | Version |
|---|---|---|
| 22 | SSH | OpenSSH 8.2p1 |
| 25 | SMTP | Postfix |
| 110/995 | POP3 / SSL POP3 | Dovecot |
| 143/993 | IMAP / SSL IMAP | Dovecot |
| 4000 | HTTP | Node.js (Express) |
| 50000 | HTTP | Apache 2.4.41 |
Note: Ports 4000 and 50000 host web applications critical to the challenge.
Web Application Exploration
Port 4000: Review App (Node.js)
- Login Page: Accessible with default credentials (`guest:guest`).
- Features:
  - Social interface (add friends, edit profile).
- Critical Observation: The `isAdmin` parameter in profile updates can be modified to escalate privileges.
Port 50000: SysMon (Apache)
- Login Page: Protected; requires admin credentials (obtained later via API exploitation).
Privilege Escalation via isAdmin
Modify the isAdmin field in a POST request to unlock admin sections.
Example Payload:
{ "isAdmin": true }
Outcome:
- Grants access to the `Settings` and `API` sections for the `guest` user.
Exploiting the Internal API
The API section reveals two routes:
- An example call (non-sensitive).
- A sensitive route: `/getAllAdmins101099991`.
Exploitation Steps:
- In the `Settings` section, change the banner image URL to the internal API endpoint `http://127.0.0.1:5000/getAllAdmins101099991`. Port 5000 does not appear in the external scan, so the request only works because the server fetches the banner URL itself (a server-side request forgery).
- The response is base64-encoded. Decode it to retrieve admin credentials.
Decoding Command:
echo "<BASE64_PAYLOAD>" | base64 --decode
Result: Credentials for both the Review App and SysMon admin panels.
Admin Access to SysMon (Port 50000)
- Log in using the decoded credentials.
- Flag 1 is visible on the dashboard.
Local File Inclusion (LFI) Exploitation
Analyze the source code to find dynamic file loading:
/profile?img=<FILE_PATH>
Exploit LFI:
Use a payload to bypass filters and access /etc/passwd:
....%2F%2F....%2F%2F....%2F%2F....%2F%2Fetc%2Fpasswd
Extracted Users:
- joshua
- charles
Brute Force SSH Access
Use hydra to crack joshua’s SSH password.
Command:
hydra -l joshua -P /usr/share/wordlists/fasttrack.txt <TARGET_IP> ssh
Successful Connection:
ssh joshua@<TARGET_IP>
Flag 2 Location:
/var/www/html
Summary of Steps
| Step | Action |
|---|---|
| Scan | nmap identifies open ports/services. |
| Web Exploration | Analyze apps on ports 4000 (Node.js) and 50000 (Apache). |
| Privilege Escalation | Modify isAdmin to unlock admin sections. |
| API Exploitation | Decode base64 payload to retrieve admin credentials. |
| SysMon Access | Log in to port 50000 to find Flag 1. |
| LFI Exploit | Access /etc/passwd to enumerate users. |
| Brute Force | Use hydra to crack joshua’s SSH password. |
| Flag Retrieval | Connect via SSH and locate Flag 2 in /var/www/html. |
Tools and Wordlists
Essential Tools:
- `nmap`: Port scanning and service detection.
- `hydra`: Brute force attacks.
- `gobuster`: Directory brute-forcing (if needed).
- `base64`: Decode API responses.
Wordlists:
- `/usr/share/wordlists/fasttrack.txt`: For brute force attacks.
- `/usr/share/wordlists/SecLists/Discovery/Web-Content/LFI-Jhaddix.txt`: LFI payloads.
Best Practices and Mitigations
- For Defenders:
  - Sanitize user inputs to prevent LFI and parameter tampering.
  - Restrict internal API access to authenticated users only.
  - Implement rate limiting to thwart brute force attacks.
  - Use strong, unique passwords for all accounts.
- For Attackers:
  - Always check for hidden parameters (e.g., `isAdmin`).
  - Test for SSRF (Server-Side Request Forgery) when inputting URLs.
  - Validate LFI payloads against common filters (e.g., `../` bypasses).
Learn More
- TryHackMe: Explore additional CTF challenges and learning paths. TryHackMe Platform
- OWASP Testing Guide: Detailed methodologies for web app security testing. OWASP Web Security Testing Guide
- PortSwigger Academy: Free resources on API and web exploitation. PortSwigger Academy
- Nmap Documentation: Advanced scanning techniques. Nmap Official Guide