# Nmap 7.91 scan initiated Mon Aug 2 17:06:40 2021 as: nmap -sSVC -p- -v -oA nmap_scan unstabletwin.thm
Nmap scan report for unstabletwin.thm (10.10.123.253)
Host is up (0.024s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 ba:a2:40:8e:de:c3:7b:c7:f7:b3:7e:0c:1e:ec:9f:b8 (RSA)
|   256 38:28:4c:e1:4a:75:3d:0d:e7:e4:85:64:38:2a:8e:c7 (ECDSA)
|_  256 1a:33:a0:ed:83:ba:09:a5:62:a7:df:ab:2f:ee:d0:99 (ED25519)
80/tcp open  http    nginx 1.14.1
| http-methods:
|_  Supported Methods: HEAD OPTIONS GET
|_http-server-header: nginx/1.14.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 2 17:09:35 2021 -- 1 IP address (1 host up) scanned in 174.83 seconds

$ curl http://unstabletwin.thm/api/login
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The method is not allowed for the requested URL.</p>

$ curl -X POST http://unstabletwin.thm/api/login
[]

$ curl -X POST http://unstabletwin.thm/api/login --data 'username=noraj&password=pass'
"The username or password passed are not correct."

$ curl -X POST http://unstabletwin.thm/api/login --data "username=noraj'&password=pass"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
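
The last two requests differ only by a trailing single quote, and the answer changes from a normal rejection to a 500. The added example below (not code from the target or from the original write-up) reproduces that pattern with a login check that concatenates input into SQL, next to the parameterized form that treats the quote as data. The server's code is not shown on the page, so the schema, the function names and the sample user are assumptions.

```python
import sqlite3

DENIED = "The username or password passed are not correct."

def make_db():
    # Constructed sample data; the real schema is unknown (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_concat(db, username, password):
    """Weak form: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        # An unbalanced quote breaks the statement; a web framework would
        # turn this unhandled database error into a generic 500 page.
        return "error"
    return "ok" if rows else "denied"

def login_param(db, username, password):
    """Hardened form: placeholders keep input out of the SQL grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    rows = db.execute(sql, (username, password)).fetchall()
    return "ok" if rows else "denied"

if __name__ == "__main__":
    db = make_db()
    # Same two inputs as the curl requests above.
    for user in ("noraj", "noraj'"):
        print(repr(user), "concat:", login_concat(db, user, "pass"),
              "| param:", login_param(db, user, "pass"))
    print("valid user:", login_param(db, "alice", "correct-horse"))
    print("rejection body:", DENIED)
```

A response that flips from rejection to server error on a single metacharacter is also a useful detection signal: 500s on a login endpoint whose body contains a quote are worth alerting on.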

[mary_ann@UnstableTwin ~]$ cat user.flag
THM{edited}
[mary_ann@UnstableTwin ~]$ cat server_notes.txt
Now you have found my notes you now you need to put my extended family together.
We need to GET their IMAGE for the family album. These can be retrieved by NAME.
You need to find all of them and a picture of myself!
I first tried curl http://unstabletwin.thm/api/image?name=vincent but it
was curl 'http://unstabletwin.thm/get_image?name=vincent'.
Extract the hidden file from each image with steghide, e.g.:
$ steghide extract -sf julias.jpg
Then let's read the extracted files:
$ cat julias.txt linda.txt marine.txt mary_ann.txt vincent.txt
Red - 1<edited>Z
Green - e<edited>1
Yellow - j<edited>X
You need to find all my children and arrange in a rainbow!
Orange - P<edited>w
So let's re-order the colors:
Red - 1<edited>Z
Orange - P<edited>w
Yellow - j<edited>X
Green - e<edited>1