Mother's Secret

This guide contains the answers and the steps necessary to get to them for the Mother's Secret room.

Mother's Secrets!

  1. What is the number of the emergency command override?

The answer to this question can be found in the text.

Answer: 100375

  1. What is the special order number?

In the API routes file we downloaded, we can find two endpoints: Yaml and Nostromo. Visiting either one gives us a message telling us we are hitting the wrong route.

I looked through the routes using semgrep for static analysis and ZAP spiders and scans for dynamic analysis, both without any results.

Looking closer at the routes, we can see that the Yaml endpoint declares a variable 'file_path', which relates to a YAML file the system can read. This might be something we can use.

Since hitting the endpoint doesn't seem to do anything, we can capture the API request in Burp Suite and modify it to contain the 'file_path' variable. We can either modify it and forward the request or send it to Repeater. The latter would be better, as it would enable us to test various payloads.

We must change it to a POST request and add two lines. Our payload should contain the variable name and its value. If this value is not a YAML file, we get an error back.

If it has a YAML file extension, we get a message telling us the system is unable to read the file. This means we are on the right track.

We just need to create the right payload/filename. It might be the code for the 'alien loaders' we got in the beginning (100375). The webpage on Alien Loader mentions a 'YAML' loader that parses and loads YAML data. This is exactly what the Yaml endpoint does, judging from the API routes file.

Looks like this was correct. The message gives us the order number!

Answer: 937

  1. What is the hidden flag in the Nostromo route?

Our next step would be to follow the Nostromo endpoint as suggested in the message. We capture it again in Burp Suite to modify the request in Repeater.

Again we change the request to a POST request and add our payload in the form of the order number filename.

Here we find our first hidden flag.

Answer: Flag{X3n0M0Rph}

  1. What is the name of the Science Officer with permissions?

If we had used a different filename, we would have gotten an error message that we are not the Science Officer. This is also apparent from the route file.

So apparently we have now been identified as a Science Officer. If we look at the web application and navigate to role, we can see the name of this Science Officer.

Answer: ash

  1. What are the contents of the classified "Flag" box?

This can be found in the same webpage under Flag.

Answer: THM_FLAG{0RD3R_937}

  1. Where is Mother's secret?

So we should now be identified as a Science Officer. Now we should be able to use the last endpoint: nostromo/mother.

In the text we are given a clue for a file located at this endpoint, 'secret.txt'. Let's try it and use it as the filename in our API request.

Answer: /opt/m0th3r

  1. What is Mother's secret?

Now that we know the secret's location, we must read it. From the Pathways message we learn we should utilize path traversal. From the API routes file, we can see this would indeed be possible, as the filename value is added to the file path without sanitization.

Since we need to go all the way back to /opt/, we should add a few extra folder up commands just to be sure we hit the root folder.

../../../../../../opt/m0th3r

Success! If we try with fewer folder up movements, we can see that it won't work.

Answer: Flag{Ensure_return_of_organism_meow_meow!}
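
The unsanitized filename handling described for the last question, set beside a contained version, as an added example rather than the room's own route code. It assumes a Node.js handler, and `BASE_DIR` is a hypothetical base directory because the write-up does not show the real one.

```javascript
const path = require("path");

// Assumed base directory (hypothetical; the page does not show the real one).
const BASE_DIR = "/app/public";

// The pattern the write-up describes: the request's file name is joined
// onto the base path with no check on where the result points.
function resolveUnsafe(fileName) {
  return path.posix.join(BASE_DIR, fileName);
}

// Hardened form: resolve first, then require the result to stay below
// BASE_DIR. Returns null when the name must be rejected.
function resolveSafe(fileName) {
  if (typeof fileName !== "string" || fileName === "" || fileName.includes("\0")) {
    return null;
  }
  const resolved = path.posix.resolve(BASE_DIR, fileName);
  const rel = path.posix.relative(BASE_DIR, resolved);
  const escapes = rel === "" || rel === ".." || rel.startsWith("../");
  // Lexical check only: a symlink inside BASE_DIR can still point outside,
  // so compare fs.realpathSync() results as well before opening the file.
  return escapes ? null : resolved;
}

// Constructed sample inputs: a plain name, the page's payload, a shorter
// traversal, and an absolute path.
const SAMPLES = ["secret.txt", "../../../../../../opt/m0th3r", "../opt/m0th3r", "/opt/m0th3r"];

// Resolve every sample both ways so the two behaviours can be compared.
function compare(names) {
  return names.map((name) => ({
    name,
    unsafe: resolveUnsafe(name),
    safe: resolveSafe(name),
  }));
}

console.table(compare(SAMPLES));
```

The shorter traversal resolves to a path that is still below the filesystem root's `/app`, which is why too few `../` segments miss `/opt`, while surplus segments are simply absorbed at `/`.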