
Clocky

A writeup for the room Clocky on TryHackMe.

Time is an illusion.

What is flag 1?

Starting with an nmap SYN scan (-sS needs root privileges):

nmap -sS TARGET_IP

With the open ports known, we can look for more details (service and version detection) on just those ports:

nmap -A -p 80,8000,8080 TARGET_IP

Connecting to port 80 or port 8000 returns a 403 Forbidden response, while the website on port 8080 is directly accessible.

There is nothing of interest on this homepage, nor in its source code.

We can brute-force interesting paths on all three ports with gobuster:

gobuster dir -e -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
gobuster dir -e -u http://TARGET_IP:8000 -w /usr/share/wordlists/dirb/common.txt
gobuster dir -e -u http://TARGET_IP:8080 -w /usr/share/wordlists/dirb/common.txt

The robots.txt file on port 8000 contains the first flag.

What is flag 2?

A robots.txt file is used to tell web crawlers which pages or files they may or may not request from a site. It is advisory only: nothing stops a person from requesting a disallowed path directly.

Because of this, anything explicitly blocked in robots.txt is usually interesting, since the owner did not want it indexed.

We can scan again with gobuster, but this time also search for files with the sql, zip, and baq extensions.

gobuster dir -e -u http://TARGET_IP:8000 -w /usr/share/wordlists/dirb/big.txt -x zip,sql,baq
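As an added example (not part of the original writeup), the small shell helper below turns the Disallow rules of a robots.txt into the extension list for gobuster's -x flag and into a list of plain disallowed paths to request directly, so the step above does not depend on reading the file by hand. The robots.txt content is a constructed sample modelled on the extensions used in the command above; it is not the room's actual file, and TARGET_IP is the same placeholder used throughout this page.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup.
# Turn robots.txt Disallow rules into inputs for a follow-up gobuster scan.

# Constructed sample modelled on the extensions scanned for above; the room's
# real robots.txt is not reproduced here.
SAMPLE_ROBOTS='User-agent: *
Disallow: /*.sql
Disallow: /*.zip
Disallow: /*.baq
Disallow: /backup/
Allow: /static/'

# Read robots.txt on stdin; print the extensions from "Disallow: /*.ext"
# wildcard rules as one comma-separated list for gobuster -x (e.g. "baq,sql,zip").
robots_extensions() {
    grep -i '^disallow:' |
    sed -n 's#^[Dd]isallow:[[:space:]]*/\*\.\([A-Za-z0-9][A-Za-z0-9]*\)[[:space:]]*$#\1#p' |
    sort -u |
    paste -s -d, -
}

# Read robots.txt on stdin; print the disallowed paths that are not extension
# wildcards (directories and concrete files), one per line, to request directly.
robots_paths() {
    grep -i '^disallow:' |
    sed -n 's#^[Dd]isallow:[[:space:]]*\(/[^*[:space:]]*\)[[:space:]]*$#\1#p' |
    sort -u
}

# Build (but do not run) the gobuster command for a base URL and wordlist,
# using the extensions found in the robots.txt given on stdin. Falls back to a
# plain directory scan when robots.txt lists no extension wildcards.
build_gobuster_cmd() {
    local url="$1" wordlist="$2" exts
    exts=$(robots_extensions)
    if [ -n "$exts" ]; then
        printf 'gobuster dir -e -u %s -w %s -x %s\n' "$url" "$wordlist" "$exts"
    else
        printf 'gobuster dir -e -u %s -w %s\n' "$url" "$wordlist"
    fi
}

# Against the live target this would be fed from curl:
#   curl -s http://TARGET_IP:8000/robots.txt | build_gobuster_cmd http://TARGET_IP:8000 /usr/share/wordlists/dirb/big.txt
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_ROBOTS" | build_gobuster_cmd http://TARGET_IP:8000 /usr/share/wordlists/dirb/big.txt
printf '%s\n' "$SAMPLE_ROBOTS" | robots_paths
```

The extension filter only matches rules of the exact form "Disallow: /*.ext"; anything else that is disallowed (such as "/backup/" in the sample) comes out of robots_paths and is worth a direct request or a targeted gobuster run of its own.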

Inside the file index.zip we find the second flag and a file called app.py.

What is flag 3?

The file app.py contains the source code of a Python Flask application.

Looking at its endpoints, we can tell it is the application running on port 8080.

After some testing, the code appears to be an older version than what is actually deployed.

For example, requesting http://TARGET_IP:8080/password_reset?token=something returns a "wrong token" response.

This does not match the behaviour described by the code in app.py.