TryHackMe Corp Website Walkthrough

Room Link: Corp Website. Here with Wappalyzer we can see that this is built on React and Next.js, which more likely tells us we should scan for React2Shell. I’m using this scanner. Here you can see our guess was correct: this website is vulnerable to React2Shell. Now to exploit it we will use Exploit. Here we got the user.txt flag. Here we can see our uid is daniel, and sudo -l tells us something interesting to run. ...

February 17, 2026 · 1 min · 91 words
TryHackMe Love At First Breach 10 Ticketing Rooms Walkthrough

Check out the Love At First Breach Rooms. All the walkthroughs for the 10 Ticketing rooms are available on this page.

February 17, 2026 · 1 min · 19 words
TryHackMe Love Letter Locker Walkthrough

Room Link: Love Letter Locker. Let’s visit the website and analyse the interface. We have sign in and login buttons; as always, we will register a new account. Let’s log in now and find "write a new letter", and let’s open it now. Here in this link you can notice that the 3 in the link matches the letter number as well, so let’s try to change it and try to read the other letters. ...

February 17, 2026 · 1 min · 105 words
TryHackMe Signed Messages Walkthrough

Room Link: Signed Message. Let’s visit the URL and see what we got. Upon a gobuster scan I found an endpoint, /debug. Here I found out something which should have been shared. According to it, I wrote a Python script which will find the HEX to verify the initial message that was sent by the admin.

    #!/usr/bin/env python3
    from hashlib import sha256

    from sympy import nextprime, mod_inverse
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import rsa, padding

    USERNAME = "admin"

    # IMPORTANT: must match byte-for-byte what /messages shows in the browser (rendered text).
    # Use the rendered apostrophe (') not the HTML entity (').
    ADMIN_PUBLIC_MESSAGE = (
        "Welcome to LoveNote! Send encrypted love messages this Valentine's Day. "
        "Your communications are secured with industry-standard RSA-2048 digital signatures."
    )


    def derive_keypair(username: str):
        seed = f"{username}_lovenote_2026_valentine".encode()
        p_base = int.from_bytes(sha256(seed).digest(), "big")
        p = int(nextprime(p_base))
        q_base = int.from_bytes(sha256(seed + b"pki").digest(), "big")
        q = int(nextprime(q_base))
        n = p * q
        e = 65537
        phi = (p - 1) * (q - 1)
        d = int(mod_inverse(e, phi))
        pub = rsa.RSAPublicNumbers(e=e, n=n)
        priv = rsa.RSAPrivateNumbers(
            p=p,
            q=q,
            d=d,
            dmp1=d % (p - 1),
            dmq1=d % (q - 1),
            iqmp=int(mod_inverse(q, p)),
            public_numbers=pub,
        ).private_key()
        return priv


    def sign_pss_sha256(privkey, message: str) -> str:
        # must match server encoding assumption; UTF-8 is the sane default
        msg_bytes = message.encode("utf-8")
        sig = privkey.sign(
            msg_bytes,
            padding.PSS(
                mgf=padding.MGF1(hashes.SHA256()),
                salt_length=padding.PSS.MAX_LENGTH,  # common “PSS default”
            ),
            hashes.SHA256(),
        )
        return sig.hex()


    def main():
        priv = derive_keypair(USERNAME)
        sig_hex = sign_pss_sha256(priv, ADMIN_PUBLIC_MESSAGE)
        print("username=admin")
        print("message (exact) =", ADMIN_PUBLIC_MESSAGE)
        print("signature hex =", sig_hex)


    if __name__ == "__main__":
        main()

...

February 17, 2026 · 2 min · 263 words
TryHackMe Valenfind Walkthrough

Room Link: Valenfind. Let’s sign up and create an account. Complete your profile. Upon looking at all the other profiles, this profile seems to be something useful, so let’s send the valentine request. Upon checking the source code of the website we can see that there is a comment saying that layout allows LFI; if so, let’s check what we can get. Here we go: we can see the /etc/passwd. ...

February 17, 2026 · 5 min · 1000 words
TryHackMe When Hearts Collide Walkthrough

Let’s visit the website and see how it is and what it says. This is enough to give the hint that this is a classic MD5 collision problem. For this challenge we will use fastcoll. To make it hassle-free I downloaded the pre-made MD5 hash collision files:

    wget https://www.mathstat.dal.ca/~selinger/md5collision/hello
    wget https://www.mathstat.dal.ca/~selinger/md5collision/erase
    md5sum hello erase
    mv hello a.jpg
    mv erase b.jpg

Now upload both one by one. ...

February 17, 2026 · 1 min · 84 words
TryHackMe Crypto Failures Walkthrough

Room Link: Crypto Failures. Upon visiting the website at the IP of the target machine we can see that it says we are logged in as guest. Upon viewing the source code of this website, we can see there is a comment in the file. So let’s run a Gobuster scan and see what we get here.

    gobuster dir -u http://10.48.162.78 -w /usr/share/wordlists/dirb/common.txt -x bak,php,js,txt

...

February 13, 2026 · 4 min · 761 words
TryHackMe LazyAdmin Walkthrough

Room Link: LazyAdmin. Add the machine IP to /etc/hosts:

    echo "10.48.181.50 lazyadmin.thm" | sudo tee -a /etc/hosts

First we are gonna perform an NMAP scan:

    nmap -A lazyadmin.thm -T5 -v

This is what we got. Let’s enumerate the directories:

    gobuster dir -u http://lazyadmin.thm -w /usr/share/wordlists/dirb/common.txt

We found these directories; let’s visit them. This is what is in /content. Upon seeing this we can identify that this website is built on basic-cms - sweet rice ...

February 5, 2026 · 6 min · 1184 words
TryHackMe Keldagrim Walkthrough

Room Link: Keldagrim. We’re gonna start with an NMAP scan. Even if it is showing that these ports are filtered, we are going to check it by visiting the website on port 80. Add the IP to /etc/hosts. Okay, we can visit the website and we can see that there are multiple things listed on the website; from that we can enumerate more on the directories. Upon seeing the website, there is /admin, which is greyed out, and visiting it isn’t showing anything. ...

February 3, 2026 · 3 min · 600 words
TryHackMe Airplane Walkthrough

Room Link: Airplane. First of all, add the machine IP to /etc/hosts. As always we will perform an NMAP scan:

    $ nmap -sT -p- airplane.thm -T4
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 20:01 CEST
    Nmap scan report for airplane.thm (10.10.196.89)
    Host is up (0.064s latency).
    Not shown: 65532 closed tcp ports (conn-refused)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    6048/tcp open  x11
    8000/tcp open  http-alt

We found 3 open ports here: ...

February 2, 2026 · 5 min · 922 words