# Nmap 7.91 scan initiated Wed May 5 10:52:11 2021 as: nmap -sSVC -p- -oA nmap_full -v 10.10.65.232
Nmap scan report for adventuretime.thm (10.10.65.232)
Host is up (0.080s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp 1401357 Sep 21 2019 1.jpg
| -r--r--r-- 1 ftp ftp 233977 Sep 21 2019 2.jpg
| -r--r--r-- 1 ftp ftp 524615 Sep 21 2019 3.jpg
| -r--r--r-- 1 ftp ftp 771076 Sep 21 2019 4.jpg
| -r--r--r-- 1 ftp ftp 1644395 Sep 21 2019 5.jpg
|_-r--r--r-- 1 ftp ftp 40355 Sep 21 2019 6.jpg
| ftp-syst:
|   STAT:
| FTP server status:
|   Connected to ::ffff:10.9.19.77
|   Logged in as ftp
|   TYPE: ASCII
|   No session bandwidth limit
|   Session timeout in seconds is 300
|   Control connection is plain text
|   Data connections will be plain text
|   At session startup, client count was 2
|   vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 58:d2:86:99:c2:62:2d:95:d0:75:9c:4e:83:b6:1b:ca (RSA)
|   256 db:87:9e:06:43:c7:6e:00:7b:c3:bc:a1:97:dd:5e:83 (ECDSA)
|_  256 6b:40:84:e6:9c:bc:1c:a8:de:b2:a1:8b:a3:6a:ef:f0 (ED25519)
80/tcp    open  http     Apache httpd 2.4.29
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
443/tcp   open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
| Issuer: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-09-20T08:29:36
| Not valid after: 2020-09-19T08:29:36
| MD5: fe38 d852 1fab ee33 b560 42ab 3e53 c129
|_SHA-1: 66ba 29fa 3a0e 26f6 d31b c61b ed83 61a1 609f e621
31337/tcp open  Elite?
| fingerprint-strings:
|   DNSStatusRequestTCP, RPCCheck, SSLSessionReq:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not
|   DNSVersionBindReqTCP:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not
|     version
|     bind
|   GenericLines, NULL:
|     Hello Princess Bubblegum. What is the magic word?
|   GetRequest:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not GET / HTTP/1.0
|   HTTPOptions:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS / HTTP/1.0
|   Help:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not HELP
|   RTSPRequest:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS / RTSP/1.0
|   SIPOptions:
|     Hello Princess Bubblegum. What is the magic word?
|     magic word is not OPTIONS sip:nm SIP/2.0
|     Via: SIP/2.0/TCP nm;branch=foo
|     From: <sip:nm@nm>;tag=root
|     <sip:nm2@nm2>
|     Call-ID: 50000
|     CSeq: 42 OPTIONS
|     Max-Forwards: 70
|     Content-Length: 0
|     Contact: <sip:nm@nm>
|_    Accept: application/sdp
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 5 10:57:27 2021 -- 1 IP address (1 host up) scanned in 316.60 seconds
Warning: This step is pure guessing and not real enumeration, as the directory you are
supposed to find is candybar, which is not in most wordlists. Using a common
real-life wordlist won't help you; you have to find the only right one by chance.
Also the app is available over HTTPS but not HTTP.
When you find https://adventuretime.thm/candybar/ you realize the challenge is
a bit of a cancer because you have a whole base32 string to decode but it's given
to you as an image that you have to manually recopy as OCR doesn't work very
well with non-words.
But "hopefully" you can CTRL+U and have the string in an HTML comment:
Warning: This step is pure guessing and not real enumeration, as the directory you are
supposed to find is yellowdog, which is not in most wordlists. Using a common
real-life wordlist won't help you; you have to find the only right one by chance.
Warning: This step is pure guessing and not real enumeration, as the directory you are
supposed to find is princess, which is not in most wordlists. Using a common
real-life wordlist won't help you; you have to find the only right one by chance.
apple-guards@at:~$ cat mbox
From marceline@at Fri Sep 20 16:39:54 2019
Return-Path: <marceline@at>
X-Original-To: apple-guards@at
Delivered-To: apple-guards@at
Received: by at.localdomain (Postfix, from userid 1004)
        id 6737B24261C; Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
Subject: Need help???
To: <apple-guards@at>
X-Mailer: mail (GNU Mailutils 3.4)
Message-Id: <20190920143954.6737B24261C@at.localdomain>
Date: Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
From: marceline@at
Hi there bananaheads!!! I heard Princess B revoked your access to the system. Bummer! But I'll help you guys out.....doesn't cost you a thing.....well almost nothing.
I hid a file for you guys. If you get the answer right, you'll get better access. Good luck!!!!
The sender is marceline, which is a valid user on the machine, so let's find files
owned by her.
======================================
      BananaHead Access Pass
       created by Marceline
======================================
Hi there bananaheads!!! So you found my file? But it won't help you if you can't answer this question correct. What? I told you guys I would help and that it wouldn't cost you a thing.... Well I lied hahahaha
Ready for the question?
The key to solve this puzzle is gone
And you need the key to get this readable: Gpnhkse
Did you solve the puzzle? yes
What is the word I'm looking for? Abadeer
That's it!!!! You solved my puzzle
Don't tell princess B I helped you guys!!!
My password is 'My friend Finn'
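The prompt's wording ("the key ... is gone") can be read as a Vigenère cipher keyed with `gone`; the page does not name the cipher, so that reading is an assumption, but it does map Gpnhkse to the accepted answer. The decoder below is an added example, not part of the original write-up, and its function names are illustrative:

```python
def _shift(ch, k, sign):
    """Shift one ASCII letter by k positions (sign=-1 decrypts), keeping its case."""
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + sign * k) % 26 + base)


def vigenere(text, key, decrypt=True):
    """Vigenere over A-Z/a-z.

    Non-letters pass through unchanged and do not consume a key letter,
    which is the convention most puzzle generators follow (assumed here).
    """
    if not key or not (key.isascii() and key.isalpha()):
        raise ValueError("key must be non-empty ASCII letters")
    # Key letters are case-insensitive: 'g' and 'G' both mean a shift of 6.
    shifts = [ord(c) - ord("a") for c in key.lower()]
    sign = -1 if decrypt else 1
    out, used = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            out.append(_shift(ch, shifts[used % len(shifts)], sign))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Ciphertext and key as quoted in the puzzle text above.
    print(vigenere("Gpnhkse", "gone"))
```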
We can connect as marceline.
apple-guards@at:~$ su marceline
Password:
marceline@at:/home/apple-guards$ cd
marceline@at:~$ cat /home/marceline/flag2
tryhackme{edited}
I heard that you pulled a fast one over the banana guards. B was very upset hahahahaha. I also heard you guys are looking for BMO's resetcode. You guys broke him again with those silly games?
You know I like you Finn, but I don't want to anger B too much. So I will help you a little bit...
But you have to solve my little puzzle. Think you're up for it? Hahahahaha....I know you are.
Somehow you have to guess it's a program in spoon.
The output is: The magic word you are looking for is ApplePie.
You have to guess that it can be used on the useless netcat service since it's tagged
as a magic word.
$ pwncat adventure-time.com 31337
Hello Princess Bubblegum. What is the magic word?
ApplePie
The password of peppermint-butler is: That Black Magic
Connect as peppermint-butler and grab the flag:
marceline@at:~$ su peppermint-butler
Password:
peppermint-butler@at:/home/marceline$ cd
peppermint-butler@at:~$ cat /home/peppermint-butler/flag3
tryhackme{edited}
peppermint-butler@at:~$ cat /usr/share/xml/steg.txt
I need to keep my secrets safe. There are people in this castle who can't be trusted. Those banana guards are not the smartest of guards. And that Marceline is a friend of princess Bubblegum, but I don't trust her.
So I need to keep this safe.
The password of my secret file is 'ToKeepASecretSafe'
peppermint-butler@at:~$ cat /etc/php/zip.txt
I need to keep my secrets safe. There are people in this castle who can't be trusted. Those banana guards are not the smartest of guards. And that Marceline is a friend of princess Bubblegum, but I don't trust her.
So I need to keep this safe.
The password of my secret file is 'ThisIsReallySave'
Using ToKeepASecretSafe as the password, we can extract secrets.zip from the image.
$ steghide extract -sf butler-1.jpg
Enter passphrase:
wrote extracted data to "secrets.zip".
ThisIsReallySave is the password required to extract the zip:
$ 7z x secrets.zip
$ cat secrets.txt
[0200 hours][upper stairs]
I was looking for my arch nemesis Peace Master, but instead I saw that cowering little puppet from the Ice King.....gunter. What was he up to, I don't know. But I saw him sneaking in the secret lab of Princess Bubblegum. To be able to see what he was doing I used my spell 'the evil eye' and saw him. He was hacking the secret laptop with something small like a duck of rubber. I had to look closely, but I think I saw him type in something. It was unclear, but it was something like 'The Ice King s????'. The last 4 letters where a blur.
Should I tell princess Bubblegum or see how this all plays out? I don't know.......
The password of gunter is incomplete: The Ice King s????.
For that, we can extract all passwords of 5 chars beginning with an s:
I finished it only for the points. One of the worst challenges I played in my
life and the worst recently. Looks like the room is designed to be painful and
it's not even an April fool. I'm not surprised the room is that low rated.
Do we learn something? No
Is it useful in real-life? No
Have we discovered new security attacks or tools? No
Have we lost our time guessing? Yes
Have we lost our time finding improbable/unrealistic stuff? Yes