[Hacking walkthrough] THM: CTF 100 – Stage 5

[Hacking walkthrough] THM: CTF 100 – Stage 5

Link to the room: https://tryhackme.com/room/ctf100

Hello there, welcome to another CTF 100 write-up and it was a long journey. Today, we are going to finish off the stage 5. The theme of the stage is Apache and OSINT. OSINT basically makes you a real stalker. Just kidding, OSINT is gathering user personal information on social media accounts that includes the date of birthday, traveled location, whereabout, activity and so much more Excited to be a great stalker? Alright, joke aside and let’s get started.

Task 5: Stage 5

If you have done the Nmap scan on the targetted machine, you should notice there is two open port.

Port 80 is our only focus here while port 9999 is basically useless.

We got an apache default page running on the targetted machine. Directory buster is not the case here and what you need to do is change the hostname associated with the IP. The hostname can be found on stage 4 and the host file is located at /etc/hosts for Linux.

Task 5-1: Flag 61

If you have the host file getting a correct setup, visiting the hostname will lead you yo the following page.

Task 5-2: flag 62

As for the next few flags, you are required to use directory buster. Since our theme of the stage is on OSINT, there are not many hidden directories on the server. I’m preferring the big.txt (dirb).

We have 2 directory and file of interest.

  • robots.txt
  • /e******

The flag is located at /e******

Task 5-3: Flag 63

In the same directory, there is a downloadable binary file called hello.

You can either download and execute the file or just read it.

Task 5-4: Flag 64

The flag is hidden inside the robots.txt.

huh, where is it? Notice the scroll bar?

Just down below it.

Task 5-5: Flag 65

We have three more directories yet to visit, /TB, /PI, /TW. The name of the directory are a significant short form of certain social account and we will go through them after that. Flag 65 is located at /TW.

You can’t directly submit the cipher yet because it was encrypted. Check the source code of the page leads us to the following.

Decrypt it with Beaufort cipher.

Task 5-6: Flag 66

Flag 66 is located at /PI.

The flag is correct but not with the username. Check the source code.

The cipher referred to here is Atbash cipher.

Task 5-7: Flag 67

After decrypting the username, we need to guess the correct social media name. With the hint and the directory name, it is a Pinterest.


Flag 67 is inside one of the pins.

Be sure to take note of the number 28817. You need it for the next stage.

Task 5-8: Flag 68

Let’s revisit the /TW directory. With the name and description as a hint, the flag is located on Twitter.


The flag is inside one of the tweets.

Also, take note of the numbering.

Task 5-9: Flag 69

You are required to solve the following tweet in order to capture Flag 69.

This is a Four-square cipher. The Key is located on Pinterest.

Ther are four of them and the title of the hints are translated as.

  • TR – Top Right
  • TL – Top Left
  • BR- Bottom Right
  • BL – Bottom Left

You have to enter all the combinations by yourself ^^.

Task 5-10: Flag 70

Flag 70 is on the /TB directory.

Similarly, the username is encrypted as usual.

The cipher is Ceaser.

Task 5-11: Flag 71

The final OSINT flag is located at Tumblr, quite obvious with the directory name. The naming for the URL is a bit special.


The message on the first post is encrypted with AES-CBC block cipher and the key can be found at twitter.

There is a knocking sequence for the next stage. From this point onward, you should have three numbers.

Hidden secret

Alright, there is one hidden secret on the server. A directory buster with lowercase-medium (dirbuster) leads us to the following result.

We got a directory /g******. Let’s visit the page.

The above cipher can be decrypted using Pigpen. Save it for stage 6.


That’s all for the CTF 100 stage 5 write-up. Stage 6 coming soon ^^.

Share the knowledge

Leave a Reply