TryHackMe Walkthrough L3ak_CTF
The L3ak_CTF on TryHackMe is a Capture the Flag (CTF) challenge that focuses on testing a participant's skills in identifying and exploiting information leaks, basic web vulnerabilities, and other security issues. Here's a walkthrough of the key steps to solve the challenge.
Step 1: Enumeration
Adding entries to your /etc/hosts file makes it easier to refer to machines by their unique names rather than their IP addresses. It also helps in cases where DNS resolution is unavailable or unreliable.
```bash
echo "$IP l3ak.thm" | sudo tee -a /etc/hosts
```
Start with an Nmap Scan:
Use Nmap to scan the target for open ports and services.
```bash
nmap -sC -sV -oN nmap_scan <target_ip>
```
The output will show you which ports are open and the services running on those ports.
Examine the Web Server:
If HTTP/HTTPS ports (80/443) are open, open the website in a browser. Use tools like gobuster or dirb to find hidden directories.
```bash
gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```
This may reveal hidden files or directories such as: /1/index.html
View the page source and check it for commented information or undefined scripts.
```php
<?php if($_SERVER["REQUEST_METHOD"]=="POST"){$9="B";$3="A";$4="K";$5="{";$11="}";$6="T";$username=$_POST["username"];$password=$_POST["password"];$8="_";$2="3";$pdo=new PDO("mysql:host=localhost;dbname=mydatabase","username","password");$10="S";$7="H";$1="L";$flag=$1.$2.$3.$4.$5.$6.$7.$8.$9.$10.$11;$stmt=$pdo->prepare("SELECT * FROM users WHERE username=?");$stmt->execute([$username]);$user=$stmt->fetch();if($user&&password_verify($password,$user['password'])){session_start();$_SESSION['user_id']=$user['id'];echo"Welcome,".htmlspecialchars($user['username'])."this is your flag".$flag."!";}else{echo"Invalid username or password.";}}?><html><head><meta charset="UTF-8"><title>Sign In Form</title><link rel="stylesheet" type="text/css" href="s.css"></head><body><form class="form" autocomplete="off" method="post"><div class="control"><h1>Sign In</h1></div><div class="control block-cube block-input"><input name="username" type="text" placeholder="Username"/><div class="bg-top"><div class="bg-inner"></div></div><div class="bg-right"><div class="bg-inner"></div></div><div class="bg"><div class="bg-inner"></div></div></div><div class="control block-cube block-input"><input name="password" type="password" placeholder="Password"/><div class="bg-top"><div class="bg-inner"></div></div><div class="bg-right"><div class="bg-inner"></div></div><div class="bg"><div class="bg-inner"></div></div></div><button class="btn block-cube block-cube-hover" type="submit"><div class="bg-top"><div class="bg-inner"></div></div><div class="bg-right"><div class="bg-inner"></div></div><div class="bg"><div class="bg-inner"></div></div><div class="text">Log In</div></button><script src="js.js"></script></div></form></body></html>
```
PHP Code Analysis:
```php
<?php
if($_SERVER["REQUEST_METHOD"]=="POST"){
    $9="B";
    $3="A";
    $4="K";
    $5="{";
    $11="}";
    $6="T";
    $username=$_POST["username"];
    $password=$_POST["password"];
    $8="_";
    $2="3";
    $pdo=new PDO("mysql:host=localhost;dbname=mydatabase","username","password");
    $10="S";
    $7="H";
    $1="L";
    $flag=$1.$2.$3.$4.$5.$6.$7.$8.$9.$10.$11;
    $stmt=$pdo->prepare("SELECT * FROM users WHERE username=?");
    $stmt->execute([$username]);
    $user=$stmt->fetch();
    if($user && password_verify($password, $user['password'])){
        session_start();
        $_SESSION['user_id']=$user['id'];
        echo "Welcome, ".htmlspecialchars($user['username']).", this is your flag: ".$flag."!";
    } else {
        echo "Invalid username or password.";
    }
}
?>
```
Let's substitute these variables into the flag construction string:
```
$1 = "L"
$2 = "3"
$3 = "A"
$4 = "K"
$5 = "{"
$6 = "T"
$7 = "H"
$8 = "_"
$9 = "B"
$10 = "S"
$11 = "}"
```
Putting these together:
```
L + 3 + A + K + { + T + H + _ + B + S + }
```
So, the flag is:
```
L3AK{TH_BS}
```
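The manual substitution above, as an added Python example (not part of the original walkthrough or the challenge's own code): it checks whether a response body still contains unexecuted PHP and resolves any variable built by concatenating string literals, regardless of the order in which the assignments appear. The function names are choices made for this example, and the sample is the server-side part of the source quoted above, line-wrapped.

```python
import re

# Sample input: server-side excerpt of the page source quoted above (line-wrapped).
LEAKED_SOURCE = '''<?php if($_SERVER["REQUEST_METHOD"]=="POST"){$9="B";$3="A";$4="K";$5="{";$11="}";$6="T";
$username=$_POST["username"];$password=$_POST["password"];$8="_";$2="3";
$pdo=new PDO("mysql:host=localhost;dbname=mydatabase","username","password");$10="S";$7="H";$1="L";
$flag=$1.$2.$3.$4.$5.$6.$7.$8.$9.$10.$11;} ?>'''

# $name="literal";  -> a variable bound directly to a string literal
LITERAL = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
# $name=$a.$b.$c;   -> a variable built only by concatenating other variables
CONCAT = re.compile(r'\$(\w+)\s*=\s*(\$\w+(?:\s*\.\s*\$\w+)+)\s*;')


def served_unexecuted_php(body: str) -> bool:
    """True when the body still holds a PHP open tag, meaning the server
    delivered the script as text instead of executing it."""
    return re.search(r'<\?(php|=)', body) is not None


def resolve_concatenations(source: str) -> dict:
    """Map each concatenated variable to its final string value.
    Only expressions whose every operand is a known literal are resolved."""
    literals = dict(LITERAL.findall(source))
    resolved = {}
    for name, expr in CONCAT.findall(source):
        parts = re.findall(r'\$(\w+)', expr)
        if all(p in literals for p in parts):
            resolved[name] = "".join(literals[p] for p in parts)
    return resolved


def audit(body: str) -> dict:
    """Report recoverable values only for bodies that leak PHP source."""
    return resolve_concatenations(body) if served_unexecuted_php(body) else {}


if __name__ == "__main__":
    print(audit(LEAKED_SOURCE))
```

Shuffling the assignment order does not protect the value: once the source reaches the client, every literal in it is recoverable.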