Want to be a part of the elite club of CyberHeroes? Prove your merit by finding a way to log in!
Footprinting
Open ports
Nmap scan:
$ sudo nmap -sS -Pn -v10 -oA syn_full 10.10.45.211
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 60
80/tcp open http syn-ack ttl 59
$ sudo nmap -v10 -sC -sV -p80 -oA nse 10.10.45.211
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 60 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ed:52:5a:8d:2e:a3:76:b3:13:0b:53:30:78:1d:91:61 (RSA)
| 256 2b:62:0e:ca:e1:be:f8:cc:e2:35:ef:5c:4e:cb:95:bf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIc8gkSkjdJZ15xv1n0Rk7wEUcG7tFeHfNXgDxdiUfooYGbIFQYwWqa4ghhxdmGI00IkPtQj5E879/7JEwaMgjk=
| 256 91:5d:b2:3c:f8:cd:26:32:8d:28:b9:2b:53:86:94:1a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCuAk2NNN0DtSylh0JNKR5Vh9gFXiOua4dDYyULD/oH
80/tcp open http syn-ack ttl 59 Apache httpd 2.4.48 ((Ubuntu))
|_http-server-header: Apache/2.4.48 (Ubuntu)
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: CyberHeros : Index
|_http-favicon: Unknown favicon MD5: 03983666D3C4B72ECAAB464BD200E6FA
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP
Login form
The website contains a login form:
>>>
GET /login.html HTTP/1.1
Host: 10.10.45.211
<<<
<form id="todel" class="">
<div class="section-title">
<h2>Login</h2>
<h4>Show your hacking skills and login to became a CyberHero ! :D</h4>
</div>
<input type="text" id="uname" placeholder="username" />
<input type="password" id="pass" placeholder="password" />
</form>
<button id="rm" onclick="authenticate()">login</button>
However, no request is logged in Burp's HTTP history when credentials are submitted, so the check happens in the browser and the login/password are likely to be in the JavaScript code. Indeed, the authenticate() function is declared in the response:
<script>
  function authenticate() {
    a = document.getElementById('uname')
    b = document.getElementById('pass')
    const RevereString = str => [...str].reverse().join('');
    if (a.value == "h[...]oi" & b.value == RevereString("54[...]uS")) {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          document.getElementById("flag").innerHTML = this.responseText;
          document.getElementById("todel").innerHTML = "";
          document.getElementById("rm").remove();
        }
      };
      xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_" + a.value + "_" + b.value + ".txt", true);
      xhttp.send();
    } else {
      alert("Incorrect Password, try again.. you got this hacker !")
    }
  }
</script>
The username is h3[...]oi, and the password Su[...]45:
$ const RevereString = str => [...str].reverse().join('');
$ RevereString("54[...]uS");
Su[...]45
The flag is revealed once logged in:
>>>
GET /RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_h3[...]oi_Su[...]45.txt HTTP/1.1
Host: 10.10.45.211
<<<
Congrats Hacker, you made it !!
Go ahead and nail other challenges as well :D
flag{ed[...]6e}
Well, I wasn't expecting the CTF to be that easy ^^
But I'm a Cyber Hero, that's fine.
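The weakness shown above is that authenticate() compares the credentials in the browser and the flag is a static file whose name is built from them. As an added example (not code from the challenge or from this write-up), here is the same login check done server-side in Node.js, so that neither the credentials nor the flag location are shipped to the client; the account, the flag value and the names verifyLogin and handleLogin are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo account. In a real service the salt and hash come from the
// user store; the plaintext appears here only to build the sample record.
const salt = crypto.randomBytes(16);
const USERS = new Map([
  ['demo-user', { salt, hash: crypto.scryptSync('demo-password', salt, 32) }],
]);

// Dummy record so an unknown username costs the same work as a known one.
const DUMMY = { salt: crypto.randomBytes(16), hash: crypto.randomBytes(32) };

// Constructed placeholder; it stays on the server until a login succeeds.
const FLAG = 'flag{constructed-placeholder}';

// Returns true only when the username exists and the password hash matches.
function verifyLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  const known = USERS.get(username);
  const record = known || DUMMY;
  const candidate = crypto.scryptSync(password, record.salt, 32);
  // Constant-time comparison of two 32-byte buffers.
  const match = crypto.timingSafeEqual(candidate, record.hash);
  return Boolean(known) && match;
}

// Hypothetical handler for POST /login with a JSON body.
// Returns the status and body the server would send back.
function handleLogin(rawBody) {
  let creds;
  try {
    creds = JSON.parse(rawBody) ?? {};
  } catch {
    return { status: 400, body: 'malformed request' };
  }
  if (!verifyLogin(creds.username, creds.password)) {
    // Same answer for an unknown user and for a wrong password.
    return { status: 401, body: 'invalid credentials' };
  }
  return { status: 200, body: FLAG };
}
```

With this layout the page's JavaScript only has to POST the form fields, and the response to a failed attempt carries nothing a client could use to reconstruct the secret.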