Room: Advent of Cyber
Difficulty: Beginner
“A big part of working at the best festival company is the social life! The elves have always loved interacting with everyone. Unfortunately, the Christmas Monster took down their main form of communication — the arctic forum!
Elf McForum has been sobbing away in McElferson’s office. How could the monster take down the forum! In an attempt to make McElferson happy, she sends you to McForum’s office to help.”
For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.
Question #1: What is the path of the hidden page?
We are instructed to access the forum at http://[your-ip-here]:3000.
With either your OpenVPN connection or your Kali machine, open a browser and type in that address. The IP is the one shown for the VM you just deployed from the question.
You will then be greeted with the Arctic Forum login page:
Ok, what now? Well, we can brute force the website's directories to see if there are any publicly reachable pages that shouldn't be, and then look at the status codes they return. This could point towards the path the Christmas Monster used.
There are quite a few ways you can do this. Today I will use dirsearch, which is a simple command-line tool. If you don't have it, you can get it by running this command:
git clone https://github.com/maurosoria/dirsearch.git
Before using dirsearch, make sure you have Python 3 installed on your system. This command will show you which version you have:
If you don’t have it, or you have a really outdated version, HERE is a great guide for getting it installed/updated.
Next we need to make sure we have a wordlist for dirsearch to look through (common pages/directories to scan for). You can find a download for that HERE.
Next, navigate to the dirsearch directory and run the scan:
In this command, -u is the target URL (including the port, 3000 in our case), -w is the path to the wordlist, and -e is a comma-separated list of file extensions to try (for example php or html), if you know what the site uses. If you don't know, add -f (--force-extensions) and dirsearch will append every listed extension to every word in the wordlist as well.
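To make the -u / -w / -e / -f options concrete, here is a minimal dirsearch-style scanner written for this walkthrough (it is an added example, not dirsearch's own code or anything from the room). It builds candidate paths from a wordlist, requests each one, and keeps every response that is not a 404. The target address, the wordlist and the fake server responses below are constructed for illustration; pass a real URL with the default fetcher to scan a live host.

```python
"""Minimal directory brute-forcer modelled on dirsearch's -e/-f options.
Added example; the wordlist, target and fake responses are constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

EXT_PLACEHOLDER = "%EXT%"


def build_candidates(wordlist, extensions=(), force_extensions=False):
    """Expand a wordlist into candidate paths.

    A word containing %EXT% is instantiated once per extension (like -e);
    with force_extensions (like -f) every plain word additionally gets each
    extension appended. Plain words are always tried as-is, since they may
    be directories or extensionless routes (common on a Node app on :3000).
    """
    candidates = []
    for word in wordlist:
        word = word.strip().lstrip("/")
        if not word or word.startswith("#"):
            continue
        if EXT_PLACEHOLDER in word:
            candidates.extend(word.replace(EXT_PLACEHOLDER, e) for e in extensions)
            continue
        candidates.append(word)
        if force_extensions:
            candidates.extend(f"{word}.{e}" for e in extensions)
    seen, unique = set(), []
    for c in candidates:
        if c not in seen:
            seen.add(c)
            unique.append(c)
    return unique


def http_status(url, timeout=5):
    """Return the HTTP status for url, or None if no HTTP answer came back."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirscan-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 403, 401, 500 ... are still interesting
    except urllib.error.URLError:
        return None


def scan(base_url, wordlist, extensions=(), force_extensions=False,
         fetch=http_status, ignore=(404,)):
    """Request every candidate under base_url; return [(path, status)] for
    every response whose status is not in `ignore`."""
    if not base_url.endswith("/"):
        base_url += "/"
    hits = []
    for path in build_candidates(wordlist, extensions, force_extensions):
        status = fetch(urljoin(base_url, path))
        if status is not None and status not in ignore:
            hits.append((path, status))
    return hits


# Constructed sample data (not from the room): a tiny wordlist and a fake
# server that answers from a dictionary instead of the network.
SAMPLE_WORDLIST = ["admin", "login", "backup.%EXT%", "static", "# a comment"]
FAKE_SERVER = {
    "http://10.10.10.10:3000/login": 200,
    "http://10.10.10.10:3000/admin": 302,
    "http://10.10.10.10:3000/backup.zip": 403,
}


def fake_fetch(url):
    return FAKE_SERVER.get(url, 404)


if __name__ == "__main__":
    for path, status in scan("http://10.10.10.10:3000", SAMPLE_WORDLIST,
                             extensions=("zip", "html"), fetch=fake_fetch):
        print(f"[{status}] /{path}")
```

A 302 or 403 is worth noting as much as a 200: it proves the path exists even when you cannot read it directly, which is exactly the kind of lead the dirsearch output gives you.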
Give dirsearch some time to do its thing. You can probably grab a snack. Eventually, you will see something similar to this:
Do you see anything interesting? Looks like we have found our hidden page!
Question #2: What is the password you found?
So, what we found looked pretty promising, right? The status code is 200, which means the server hands the page to anyone who asks for it, no login required. Type the path into your browser's address bar and let's see what pops up:
Yes, we are definitely getting somewhere.
Right-click anywhere on that page inside your browser and choose “Inspect Element (Q)” to look at the page's source for anything the browser doesn't render.
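The same search can be done without a browser. The following script is an added example for this walkthrough, not code from the room: it pulls every HTML comment out of a page (the part Inspect Element shows but the browser never renders), lists any URLs inside them, and flags comments containing words that usually mean a developer left something behind. The sample page and the repository URL in it are constructed for illustration and are not the Arctic Forum's.

```python
"""Extract and triage HTML comments from a page. Added example; the sample
HTML below is constructed, not taken from the Arctic Forum."""
import re
from html.parser import HTMLParser


class CommentCollector(HTMLParser):
    """Collect HTML comments. They never show on screen, but they are in
    the source that Inspect Element / view-source displays, and developers
    routinely leave notes, credentials or repository links in them."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_comments(html):
    """Return every HTML comment in the document, in document order."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Words that tend to mark leftover developer notes worth reading.
INTERESTING = re.compile(
    r"\b(todo|fixme|password|passwd|admin|github|debug|remove)\b", re.I)


def triage_comments(comments):
    """Split comments into URLs worth following and comments worth reading."""
    urls, flagged = [], []
    for comment in comments:
        urls.extend(URL_RE.findall(comment))
        if INTERESTING.search(comment):
            flagged.append(comment)
    return urls, flagged


# Constructed sample page (hypothetical repository URL, not the real one).
SAMPLE_HTML = """<html><head><title>Login</title>
<!-- TODO: remove before launch. Template pulled from https://github.com/example/forum-template -->
</head><body>
<form method="post" action="/login">
  <!-- default admin account is documented in the template README -->
  <input name="user"><input name="pass" type="password">
</form>
<!-- Copyright 2019 -->
</body></html>"""


def analyse(html=SAMPLE_HTML):
    """Run the whole pipeline on one page; returns (urls, flagged_comments)."""
    return triage_comments(find_comments(html))


if __name__ == "__main__":
    urls, flagged = analyse()
    for url in urls:
        print("URL in comment:", url)
    for comment in flagged:
        print("Flagged comment:", comment)
```

To run it against a live page, fetch the HTML with urllib or requests and pass it to analyse(); the parser handles comments anywhere in the document, including inside <head> and inside forms.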
On the very first tab we see an interesting message left in the page's markup:
Why don't we search for that GitHub repo?
If we click the first link, we see a README file:
How likely do you think it is that the admin is still using the default username and password? Let’s try it out!
Yep, we’re in.
Question #3: What do you have to take to the 'partay'?
If we scroll down just a little way, we can see a special message for partaygoers:
Looks like we were able to thwart the Christmas Monster’s plans of ruining the celebration!
I hope you had a good time and learned something useful. For example, DO NOT use default username/password combos. Defaults that are printed in a public README are effectively public knowledge, and leaving them in place is a recipe for disaster, maybe even worse than drinking too much eggnog.
Happy Hacking! ❤