Intro to Django

10-10-2021 Written by: otter-admin

Web Fundamentals - Intro to Django

This room can be found here.

First ssh into the box with the provided credentials:

Username: django-admin
Password: roottoor1212

root@kali:~# ssh django-admin@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:6e2cPhl+76hmwqPelHGq0T5KXqFu4cuyptr8miKD2cA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
django-admin@'s password:
Permission denied, please try again.
django-admin@'s password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

Next, find the settings file and add the TryHackMe IP address to ALLOWED_HOSTS:

django-admin@py:~$ ls
django-admin@py:~$ cd messagebox/
django-admin@py:~/messagebox$ ls
db.sqlite3  lmessages  messagebox
django-admin@py:~/messagebox$ cd messagebox/
django-admin@py:~/messagebox/messagebox$ ls
home.html  __pycache__
django-admin@py:~/messagebox/messagebox$ nano

This is the line to edit: just add your TryHackMe IP after the last entry.
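To see why the site refuses to serve the page until the IP is added, here is an added example (not part of the original write-up or of Django's own source) that mirrors the documented ALLOWED_HOSTS matching rules in plain Python: exact match, a leading dot for subdomains, and `*` as a wildcard that disables the check. The lab IP 10.10.12.34 is a constructed placeholder.

```python
import re

# Shape of a Host header that Django accepts before matching it:
# a hostname/IPv4 or a bracketed IPv6 literal, with an optional port.
HOST_RE = re.compile(
    r"^(?P<domain>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?P<port>:\d+)?$"
)


def split_domain_port(host):
    """Lower-case the header, drop a trailing dot, separate the port."""
    m = HOST_RE.match(host.lower())
    if not m:
        return "", ""  # malformed header: never matches anything
    domain, port = m.group("domain"), m.group("port")
    domain = domain[:-1] if domain.endswith(".") else domain
    return domain, (port or "")[1:]


def is_same_domain(host, pattern):
    """A pattern starting with '.' matches the domain and all its subdomains."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host, allowed_hosts):
    """'*' matches everything, which is why it is unsafe outside DEBUG."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def check_request(host_header, allowed_hosts, debug=False):
    """Return (accepted, reason); a rejection is where DisallowedHost is raised."""
    if debug and not allowed_hosts:
        # Django's documented DEBUG-only default when ALLOWED_HOSTS is empty.
        allowed_hosts = [".localhost", "127.0.0.1", "[::1]"]
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False, "malformed Host header: %r" % host_header
    if validate_host(domain, allowed_hosts):
        return True, "ok"
    return False, "Invalid HTTP_HOST header %r; add %r to ALLOWED_HOSTS" % (host_header, domain)


if __name__ == "__main__":
    lab_ip = "10.10.12.34"  # constructed stand-in for the TryHackMe machine IP
    before = ["127.0.0.1", "localhost"]
    print(check_request(lab_ip + ":8000", before))           # rejected
    print(check_request(lab_ip + ":8000", before + [lab_ip]))  # accepted
    print(check_request("anything.example", ["*"]))          # wildcard accepts all
```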

Next visit the site again:

Looks like we have a message. Let's check it out by clicking "message"

Look around the site, you'll find a button at the bottom...decode something?

I didn't see any codes or entry fields. Looking at the source code, it's a fake button. Nothing happens except the pop-up message.

Nothing on the site, so let's try the admin panel. In Django the default URL for the admin page is usually just /admin. Let's try it with the provided credentials.

Nope. Looks like this account isn't set up. Easy fix: let's create a new superuser. Here I was lazy and used a really short password, hence the warnings.

django-admin@py:~/messagebox$ python3 createsuperuser
Username (leave blank to use 'django-admin'): admin
Email address:
Password (again):
The password is too similar to the username.
This password is too short. It must contain at least 8 characters.
Bypass password validation and create user anyway? [y/N]: y
Superuser created successfully.

Now log in with the new user and you will be greeted with the admin page:

First stop: users. Here we find some useful information:

We found the admin panel flag! Next is the user flag for StrangeFox. We are provided a link to a pastebin containing what looks like some encrypted or hashed text. I used hash-identifier: copy the text and start up the program:

Hash identifier thinks it's either SHA-256 or Haval-256.

For whatever reason I had trouble cracking this. Eventually I stumbled upon and this worked.

Switch over to this other user and have a look around.

django-admin@py:~/messagebox$ su StrangeFox
StrangeFox@py:/home/django-admin/messagebox$ id
uid=1001(StrangeFox) gid=1001(StrangeFox) groups=1001(StrangeFox)

I went straight for StrangeFox's home directory and found the flag.

Finally there is one more flag, the hidden flag. Time to poke around...

This part took me a little longer than I'd like to admit, but I found a random html file in the messagebox directory.

StrangeFox@py:/home/django-admin/messagebox/messagebox$ ls -lsa
total 40
4 drwxr-xr-x 3 django-admin django-admin 4096 Jun  3 16:57 .
4 drwxr-xr-x 4 django-admin django-admin 4096 Jun  3 17:37 ..
8 -rw-r--r-- 1 django-admin django-admin 6148 Apr 10 13:23 .DS_Store
4 -rw-r--r-- 1 django-admin django-admin  412 Apr 10 14:10 home.html
0 -rw-r--r-- 1 django-admin django-admin    0 Apr 10 12:59
4 drwxr-xr-x 2 django-admin django-admin 4096 Jun  3 16:56 __pycache__
4 -rw-r--r-- 1 django-admin django-admin 3155 Jun  3 16:56
4 -rw-r--r-- 1 django-admin django-admin  866 Apr 10 13:31
4 -rw-r--r-- 1 django-admin django-admin   94 Apr 10 13:32
4 -rw-r--r-- 1 django-admin django-admin  397 Apr 10 13:14
StrangeFox@py:/home/django-admin/messagebox/messagebox$ cat home.html
        <center><p>Hi! Welcome back to your inbox. Seems like you got a new message!</p></center>
        <center><p>Check it out here:</p></center>
        <center><p><a href="/messages">Messages</a></p></center>
        <!-- Flag 3: THM{REDACTED} -->

Jump back into tryhackme and enter this last flag. Congrats, check this one off. We are done.