TryHackMe: Advent of Cyber [Day 9] Requests

Samantha
Sep 17, 2020


Room: Advent of Cyber

Difficulty: Beginner

“McSkiddy has been keeping inventory of all the infrastructure but he finds a random web server running on port 3000. All he receives when accessing ‘/’ is

{"value":"s","next":"f"}

McSkiddy needs to access the next page at /f (which is the value received from the data above) and keep track of the value at each step (in this case ‘s’). McSkiddy needs to do this until the ‘value’ and ‘next’ data have the value equal to ‘end’.

You can access the machines at the following IP:

  • 10.10.169.100

Things to note about this challenge:

  • The JSON object retrieved will need to be converted from unicode to ASCII (as shown in the supporting material)
  • All the values retrieved until the ‘end’ will be the flag (end is not included in the flag)”

The first thing to do is make sure both Python 3 and pip are installed on whatever system you are using.

We will also be connecting to the THM network, so use OpenVPN or your THM Kali machine to do so.

Question #1: What is the value of the flag?

Let’s pull up that web server and take a look. Type 10.10.169.100:3000 into your browser navigation bar:

The Raw Data section:

Yep, this is exactly what McSkiddy described. Let’s leave that open, and create a new .py file.

touch mcksiddy.py (or whatever you want to call it)

Then, open up that file so you can start writing a small Python program inside.

The first line you need to type is “import requests”. This loads the requests library, which we will use to send HTTP requests and read the responses.

After that, we can define a few global variables so that our program knows what it’s working with:

path = "/"
host = "http://10.10.169.100:3000"

Also, we need an empty global array to store things in:

values = []

Just a quick side note here. If we go back to the browser and add on an “/f” to the address in our navigation bar, we get this:

You could actually keep doing this manually, always adding on the “next” value to the end of your address. For example, we would now add on an “/s” to get to the next page, like so:

And next you would add on an “a”, and so on, until both of those say “end”. If you write down the consecutive letters you receive from the “value” slot as you go through all the pages, they would eventually spell out the flag after about 10 hops.

However, the job of the program we are writing is to do all of that for us automatically.

Let’s continue on:

So, from McSkiddy’s message, we know that the program needs to run until both the “value” and “next” slots simultaneously equal “end”. Let’s make sure our program knows that:

while path != "/end":

This is saying that while the path variable is not equal to “/end”, the program should keep running the indented lines of code beneath it (we will add those next).

Next, we will give our while loop something to work with:

    response = requests.get(host + path)

This sends a GET request to the address we specified (the host plus the current path) and stores the server's reply in a variable called “response” that we just created.

After that, we will need this:

    json_response = response.json()

This line tells our program to interpret the JSON data we get from the webpage (the value pairs) and create a dictionary for the program to use.

Next,

    path = "/" + json_response["next"]

This sets the path variable to “/” followed by the “next” value from the dictionary we just created, so the next pass through the loop requests that page.

After that we will make an “if” statement:

    if path != "/end":
        values.append(json_response["value"])

This is saying that if the new path is anything other than “/end”, the “value” from the current page gets appended to our values array. Remember the indentation under your “if” statement.

Next, let’s get out of our while loop and add the final line:

print("".join(values))

This just prints out our values strung together to give us the flag.

So that’s our completed program. Save your file, and let’s run it to print out the flag!

python3 <yourfilename>.py
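The script above trusts whatever the server puts in “next”. As an added example (not part of the original walkthrough or the room's supporting material), here is the same walk with a timeout, a hop limit, loop detection and a check on each “next” token before it is joined into a URL. It goes slightly beyond the steps above by stopping on the condition the challenge states (both fields equal “end”); the names follow_chain, http_fetch, SAFE_TOKEN and SAMPLE, the token pattern, and the sample chain are assumptions made for the example.

```python
import json
import re
import urllib.request

# Assumption: every "next" token is a short alphanumeric path segment.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9]{1,32}")

def http_fetch(host):
    """Return a fetch(path) function that GETs host+path and parses the JSON body."""
    def fetch(path):
        with urllib.request.urlopen(host + path, timeout=5) as resp:
            return json.load(resp)
    return fetch

def follow_chain(fetch, start="/", max_hops=100):
    """Walk value/next pages until both fields are 'end'; return the joined values."""
    path, seen, values = start, set(), []
    for _ in range(max_hops):
        if path in seen:
            raise ValueError(f"loop detected at {path!r}")
        seen.add(path)
        page = fetch(path)
        if not isinstance(page, dict):
            raise ValueError(f"malformed page at {path!r}: {page!r}")
        value, nxt = page.get("value"), page.get("next")
        if not isinstance(value, str) or not isinstance(nxt, str):
            raise ValueError(f"malformed page at {path!r}: {page!r}")
        if value == "end" and nxt == "end":
            return "".join(values)
        if not SAFE_TOKEN.fullmatch(nxt):
            # Server-supplied data must not steer the request to other paths or hosts.
            raise ValueError(f"refusing to follow next={nxt!r}")
        values.append(value)
        path = "/" + nxt
    raise ValueError(f"no end page within {max_hops} hops")

# Constructed sample chain (not the room's real data), served from a dict.
SAMPLE = {
    "/":  {"value": "s", "next": "f"},
    "/f": {"value": "a", "next": "q"},
    "/q": {"value": "m", "next": "z"},
    "/z": {"value": "end", "next": "end"},
}

if __name__ == "__main__":
    print(follow_chain(SAMPLE.__getitem__))  # offline demo on the constructed chain
    # Against the room: follow_chain(http_fetch("http://10.10.169.100:3000"))
```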

Just for fun, I did it the manual way and I eventually made it here:

Thank you for following along!

Happy Hacking ❤
