[Hacking walkthrough] THM: CTF 100 – Stage 3

[Hacking walkthrough] THM: CTF 100 – Stage 3

Link to the room: https://tryhackme.com/room/ctf100

Howdy there, welcome to another CTF 100 write-up series. Today, we are going to finish off stage 3. Well, the theme of the stage is Apache HTTP with the virtual host. It is a bit different compared to the last stage, simple HTTP. However, the overall challenges still involving directory brute-force. At the end of the stage, you should learn how to configure the virtual host in your Linux machine. Without further ado, let’s get it on.

  1. Flag-34
  2. Flag-35
  3. Flag-36
  4. Flag-37
  5. Flag-38
  6. Flag-39
  7. Flag-40
  8. Flag-41
  9. Flag-42
  10. Flag-43
  11. Flag-44
  12. Flag-45
  13. Flag-46

Task 3: Stage 3

Deploy the machine and telnet to the port 9999. Be sure to enter the port sequence which you obtained from stage 2.

After that, fire up your Nmap scanner with the following command.

nmap -Pn -v --min-parallelism 100 <Machine IP>

Looks like we have port 80 opened on the machine. A further scan on the port leads us to an HTTP server.

Task 3-1: Flag 34

Don’t let the Apache default page fool you. If you look at the page, something is missing. Guess what? The logo is missing which means someone tempered the page.

Simply scroll down to the page and capture the flag.

Task 3-2: Flag 35

As for the next few flags, you are required to use directory brute-forcing tools such as gobuster, dirbuster, and dirb. In this walkthrough, I’m going to use gobuster with the following command.

gobuster dir -u <machine IP> -w <worlist path>

I strongly recommend big.txt from dirb and directory-list-lowercase-2.3-medium from dirbuster.

Flag 35 is located at directory /webadmin. Simply visit the site and capture the flag.

Something down there? We will come back for that later on.

Task 3-3: Flag 36

If you refer to the directory busting result on the previous task, there are two more places still yet to be explored. One of them is /feardead

Similar to task 3-5, there is something hidden down the page. Find it out at task 3-13

Task 3-4: Flag 37

Remember the message from task 2-2? There is something down there which means we need to do a recursive search on the directory with the following command. I recommend common.txt as wordlists from dirb.

gobuster dir -u http://<machine IP>/webadmin -w <worlist path>

Look like we have a hidden directory called /hidden under /webadmin. Let’s check that out.

Task 3-5: Flag 38

End of the line? How about breaking the line by launching another brute-force attack with gobuster. (Recommend directory-list-lowercase-2.3-small from dirbuster)

gobuster dir -u http://<machine IP>/webadmin/hidden -w <worlist path>

Hmm… a 404 page. Something not right, I talking about the capturetheflag.com. By the way, let’s check the page source for any hidden comment.

Flag captured, what about the link? Actually, the hint is on the directory name, virtual. I suspect this hostname is belong to something called the virtual host. We will talk about that later on.

Task 3-6: Flag 39

Referring to task 2-2, there is still one place left we yet to explore, the /keepalive directory.

This is not the end yet. Inspect the code and read the comment. It is somehow related to flag 40.

Task 3-7: Flag 40

By checking the comment section, you came across something called DH. This DH refers to Diffie hellman key exchange. We got all the necessary information in the comment and you just need an online tool to find the secret key. The secret key is in 3 digits. Use the number as the directory name to redirect yourself to another secret page.

What? we need to submit ’40’ in order to get the flag. But where is the input field? Worry not, simply inspect the webpage by pressing F12 and change the value to 40 within the form tag.

Task 3-8: Flag 41

By referring to task 3-5, we have a virtual host called capturetheflag.com. If you are not sure what is virtual host all about, I got a great article right here. To visit the virtual host, you are required to configure the host file. The file is located at /etc/hosts for kali or ubuntu. Actually people used this host file in a honeypot such as WiFi pineapple for fake DNS and capture user’s login credentials.

Configure you hosts file as follow

Change the machine IP according to the room IP. After that, visit the given URL and you will be redirected to a secret page.

Task 3-9: Flag 42

This one is a bit tricky. The flag is inside a hidden robot file. Did you get it? What special symbol make a file hidden in Linux? A dot. Hence the hidden robot file is called .robots.txt

Task 3-10: Flag 43

Since we found a whole new page, time to brute-force the virtual host. (Recommend big.txt from dirb)

gobuster dir -u http://capturetheflag.com -w <worlist path>

Alright, we found a directory called /wireless. Check that out!

If you have finished stage 1 before, it shouldn’t be a problem for you. This is a multi-layer base and the sequence to decode the base is as follow:

Base91 -> Base85 -> Base64 -> Base58 -> Base32 -> Base16(hex) to ascii 

Task 3-11: Flag 44

Refer to task 3-10, we got another directory called /shark.

You can either solve it with a script (preferred way) or manually decode. Download the file and run the following code.

import base64

i = 0

f = open("b64.txt","r")
data = f.read()
f.close()
while 1:
        data = base64.b64decode(data)
        i = i + 1
        if "flag" in data:
                print("Encoded " + str(i) + " times")
                print("Decode: " + data)
                break

Task 3-12: Flag 45

Combine the directory name from task 3-10 and 3-11, form a new directory, /wirelessshark and you should be able to redirect yourself to a hidden page.

Spoofing and wirelessshark? There must be something inside the page. Inspect it.

We got a packet file inside the directory. Download the file and open up with the Wireshark.

This is a port knocking sequence for the FTP server for the next challenge. Save it for stage 4.

Task 3-13: Flag 46

I guess this is a little bit late. Still, remember the message from task 3-3 from /feardead? You need to brute-force the directory. (prefer common.txt).

gobuster dir -u http://<machine IP>/feardead -w <wordlists path>

I did an oopsie here, the flag actually written in Chinese numbering. This is a free flag for all: 50793785871220489068. For your information, the page is only for the cover-up. The real stuff is inside the page. Check the page source and download the picture.

The picture contains a stretch and reversed message. Undo it to reveal the FTP login credential.

Conclusion

That concludes the CTF 100 stage 3 write-up. Stage 4 write-up coming soon. See ya 😉

Share the knowledge

Leave a Reply