Username: django-admin
Password: roottoor1212
root@kali:~# ssh django-admin@10.10.44.132
The authenticity of host '10.10.44.132 (10.10.44.132)' can't be established.
ECDSA key fingerprint is SHA256:6e2cPhl+76hmwqPelHGq0T5KXqFu4cuyptr8miKD2cA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.44.132' (ECDSA) to the list of known hosts.
django-admin@10.10.44.132's password:
Permission denied, please try again.
django-admin@10.10.44.132's password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
django-admin@py:~$
Next, find the settings file and add the machine's IP address to ALLOWED_HOSTS:
django-admin@py:~$ ls
messagebox
django-admin@py:~$ cd messagebox/
django-admin@py:~/messagebox$ ls
db.sqlite3 lmessages manage.py messagebox
django-admin@py:~/messagebox$ cd messagebox/
django-admin@py:~/messagebox/messagebox$ ls
home.html __init__.py __pycache__ settings.py urls.py views.py wsgi.py
django-admin@py:~/messagebox/messagebox$ nano settings.py
This is the line to edit: just add your TryHackMe machine's IP after the last entry.
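The reason the edit is needed: Django refuses any request whose Host header does not match an entry in ALLOWED_HOSTS, which is its defence against Host-header poisoning. The following is an added stand-alone reimplementation of that matching rule (it is not Django's own code and does not import Django); the before/after lists and the `host_allowed` helper are constructed for this example.

```python
# Added example: reimplements the host-matching rule Django applies to
# ALLOWED_HOSTS so the behaviour can be exercised without a Django install.
# Not Django's code; the list contents below are constructed for illustration.
from difflib import SequenceMatcher  # unused here; kept out of the logic
from typing import Iterable, Tuple


def split_domain_port(host_header: str) -> Tuple[str, str]:
    """Split a Host header into (domain, port), as Django does before matching.

    The value is lowercased, a single trailing dot is dropped, and a
    bracketed IPv6 literal such as '[::1]:8000' keeps its brackets.
    """
    host = host_header.strip().lower()
    if host.endswith("]"):                      # bare IPv6 literal, no port
        return host, ""
    if host.startswith("["):                    # '[::1]:8000'
        domain, _, port = host.rpartition(":")
        return domain, port
    domain, _, port = host.partition(":")
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def validate_host(domain: str, allowed_hosts: Iterable[str]) -> bool:
    """Return True if `domain` (already stripped of its port) is permitted.

    Rules, matching Django's semantics:
      '*'             matches any host (never use this in production)
      '.example.com'  matches example.com and every subdomain of it
      anything else   must match exactly, case-insensitively
    """
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def host_allowed(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """Full check: split off the port, then apply the ALLOWED_HOSTS rule."""
    domain, _port = split_domain_port(host_header)
    return validate_host(domain, allowed_hosts)


# Constructed settings: a typical dev list before the edit, and the same list
# with the target machine's address appended, as the walkthrough describes.
ALLOWED_HOSTS_BEFORE = ["localhost", "127.0.0.1"]
ALLOWED_HOSTS_AFTER = ["localhost", "127.0.0.1", "10.10.44.132"]

if __name__ == "__main__":
    for hosts in (ALLOWED_HOSTS_BEFORE, ALLOWED_HOSTS_AFTER):
        print(hosts, "->", host_allowed("10.10.44.132:8000", hosts))
```

Before the edit the request carrying `Host: 10.10.44.132:8000` is rejected; after it the same request passes. A leading-dot pattern is the safe way to allow a whole domain; `'*'` disables the check entirely and should never reach a production settings file.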
Next visit the site again:
Looks like we have a message. Let's check it out by clicking "message".
Look around the site and you'll find a button at the bottom... decode something?
I didn't see any codes or entry fields. Looking at the source code, it's a fake button: nothing happens except the pop-up message.
Nothing on the site, so let's try the admin panel. In Django the default URL for the admin page is usually just /admin. Let's try it with the provided credentials.
Nope. Looks like this account isn't set up. Easy fix: let's create a new superuser. Here I was lazy and used a really short password, hence the warnings.
django-admin@py:~/messagebox$ python3 manage.py createsuperuser
Username (leave blank to use 'django-admin'): admin
Email address:
Password:
Password (again):
The password is too similar to the username.
This password is too short. It must contain at least 8 characters.
Bypass password validation and create user anyway? [y/N]: y
Superuser created successfully.
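The two warnings above come from Django's password validators (configured in `AUTH_PASSWORD_VALIDATORS` in settings.py): the similarity validator compares the password against the username and email, and the minimum-length validator enforces 8 characters. `createsuperuser` lets an interactive operator override them, which is exactly what the `y` answer did. Below is an added reimplementation of those two checks (not Django's own code) so you can see what they measure; the 0.7 similarity threshold and the messages mirror Django's defaults, and the sample passwords are constructed.

```python
# Added example: stand-alone reimplementation of the two validators that fired
# during createsuperuser. Not Django's code; thresholds follow Django's
# documented defaults (similarity 0.7, minimum length 8).
import re
from difflib import SequenceMatcher
from typing import List

MAX_SIMILARITY = 0.7   # Django's UserAttributeSimilarityValidator default
MIN_LENGTH = 8         # Django's MinimumLengthValidator default


def similarity_errors(password: str, username: str = "", email: str = "") -> List[str]:
    """Flag passwords that are too close to any part of the user's attributes.

    Like Django, each attribute is split on non-word characters and the whole
    value is also compared, using difflib's quick_ratio as the measure.
    """
    errors: List[str] = []
    pw = password.lower()
    for name, value in (("username", username), ("email address", email)):
        if not value:
            continue
        value = value.lower()
        parts = re.split(r"\W+", value) + [value]
        for part in parts:
            if part and SequenceMatcher(a=pw, b=part).quick_ratio() >= MAX_SIMILARITY:
                errors.append(f"The password is too similar to the {name}.")
                break
    return errors


def length_errors(password: str) -> List[str]:
    """Reject passwords shorter than MIN_LENGTH characters."""
    if len(password) < MIN_LENGTH:
        return [f"This password is too short. It must contain at least {MIN_LENGTH} characters."]
    return []


def validate_password(password: str, username: str = "", email: str = "") -> List[str]:
    """Run both validators and return every message a user would see."""
    return similarity_errors(password, username, email) + length_errors(password)


if __name__ == "__main__":
    # Constructed inputs: the short password used in the walkthrough style,
    # a longer but username-derived one, and a reasonable passphrase.
    for pw in ("admin", "admin123", "correct horse battery"):
        print(repr(pw), validate_password(pw, username="admin"))
```

Note what the second case shows: a password that satisfies the length rule can still be rejected because it is derived from the username. When the check is overridden interactively, as it was here, the weak credential ends up on a superuser account, which is the one account an attacker most wants to reach.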
Now log in with the new user and you will be greeted with the admin page:
First stop: Users. Here we find some useful information:
We found the admin panel flag! Next is the user flag for StrangeFox. We are provided a link to a pastebin containing what looks like some encrypted or hashed text. I used hash-identifier: copy the text and start up the program:
Hash identifier thinks it's either SHA-256 or Haval-256.
For whatever reason I had trouble cracking this locally. Eventually I stumbled upon crackstation.net, and that worked.
Switch over to this other user and have a look around:
django-admin@py:~/messagebox$ su StrangeFox
Password:
StrangeFox@py:/home/django-admin/messagebox$ id
uid=1001(StrangeFox) gid=1001(StrangeFox) groups=1001(StrangeFox)
I went straight for StrangeFox's home directory and found the flag.
Finally there is one more flag, the hidden flag. Time to poke around...
This part took me a little longer than I'd like to admit, but I found a stray HTML file in the messagebox directory:
StrangeFox@py:/home/django-admin/messagebox/messagebox$ ls -lsa
total 40
4 drwxr-xr-x 3 django-admin django-admin 4096 Jun 3 16:57 .
4 drwxr-xr-x 4 django-admin django-admin 4096 Jun 3 17:37 ..
8 -rw-r--r-- 1 django-admin django-admin 6148 Apr 10 13:23 .DS_Store
4 -rw-r--r-- 1 django-admin django-admin 412 Apr 10 14:10 home.html
0 -rw-r--r-- 1 django-admin django-admin 0 Apr 10 12:59 __init__.py
4 drwxr-xr-x 2 django-admin django-admin 4096 Jun 3 16:56 __pycache__
4 -rw-r--r-- 1 django-admin django-admin 3155 Jun 3 16:56 settings.py
4 -rw-r--r-- 1 django-admin django-admin 866 Apr 10 13:31 urls.py
4 -rw-r--r-- 1 django-admin django-admin 94 Apr 10 13:32 views.py
4 -rw-r--r-- 1 django-admin django-admin 397 Apr 10 13:14 wsgi.py
StrangeFox@py:/home/django-admin/messagebox/messagebox$ cat home.html
<center><p>Hi! Welcome back to your inbox. Seems like you got a new message!</p></center>
<center><p>Check it out here:</p></center>
<center><p><a href="/messages">Messages</a></p></center>
<!-- Flag 3: THM{REDACTED} -->
Jump back into TryHackMe and enter this last flag. Congrats, check this one off. We are done.
-ott3r