TryHackMe: Web Fundamentals
- author:: Nathan Acks
- date:: 2022-01-03
Introduction to Django
“Additionally, Django is arguably one of the most secure developing frameworks, which in the right configuration, can strongly resist against SQL injections and XSS.”
— Swafox in the “Introduction to Django” room
That’s a hell of a statement. We shall see.
Kali Linux comes with Django 3.2.10 pre-installed. I’m going to use that and hope it’s not too different from 2.2.12.
Creating a Website
Okay, one difference between Django 2.2 and 3.2 is that the import of
urls.py does not pull in
include() in 3.2. So this needs to be added manually before inserting additional
The app created with
python3 manage.py startapp articles also doesn’t include a
urls.py file (though this seems to be by design; I checked a few other tutorials, and it isn’t listed there either). This meant that I had to construct both a basic
views.py file in
python3 manage.py migrate could successfully set up the new app.
This CTF involves a Django site. The target is at 10.10.219.71.
Going to http://10.10.219.71:8000/ reveals an error page stating that the target IP needs to be added to the
The provided username and password gets us into the target via SSH; we can see a Django project called
messagebox here. Adding
10.10.219.71 to the
ALLOWED_HOSTS array in
~/messagebox/messagebox/settings.py resolves the initial error, though it takes a few minutes to reload.
The app now directs us to http://10.10.219.71:8000/messages/, where there’s a kind of weird stream-of-consciousness wall of text. At the bottom of this is a “Decode this message?” prompt, but clicking “Yes” results in an error dialog.
The Django admin interface at http://10.10.219.71:8000/admin/ doesn’t accept the SSH credentials.
Poking around more on the server, it turns out that the error produced by the “Decode this message?” prompt is hard-coded. Which I could probably have figured out if I looked at the page source.
strings db.sqlite3 | grep THMreveals the first flag.
sudo -l reveals that the
django-admin user has full superuser access. Using this, we can conduct a search of the entire filesystem for “THM” style flags.
- The second flag is in
- The third flag is embedded as an HTML comment near the bottom of