Introduction to Django Framework
I recently picked up the basics of Flask and have been wanting to learn Django. Here's my go at it with the help of TryHackMe! Django is a high-level Python web framework that enables the rapid development of secure and maintainable websites. It allows you to develop websites and web applications in a matter of hours.
Django renders HTML for you through its template system, so anyone without advanced knowledge of markup languages can build a website. Additionally, Django is arguably one of the most secure development frameworks: in the right configuration, its ORM and template auto-escaping strongly resist SQL injection and XSS.
In terms of penetration testing, it's critical to grasp the basic structure of Django-powered websites in order to spot potential flaws and developer errors.
Getting Started
Here's how to get started with Django on your local machine!
Installing Django
┌──(root㉿4pfsec)-[~/boxes/thm/django]
└─# pip3 install Django==2.2.12

Creating new Project
┌──(root㉿4pfsec)-[~/boxes/thm/django]
└─# django-admin startproject site_4pfsec

Configure created Project
manage.py is a command-line utility that lets you interact with your Django project in various ways. It is especially handy for creating web apps, managing databases and, most importantly, running the server.
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# ls
manage.py site_4pfsec
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# python3 manage.py migrate

┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# ls
db.sqlite3 manage.py site_4pfsec

Run Django Server
The basic syntax for using this utility is python3 manage.py {command}
Modify Bind Host
Modify line 28 of settings.py, the ALLOWED_HOSTS list, and add '0.0.0.0' and '127.0.0.1' to it. Django only serves requests whose Host header matches an entry in this list; anything else is rejected with a DisallowedHost error.
~/django/site_4pfsec/site_4pfsec/settings.py

runserver
Runserver is the most important command used with manage.py. It starts Django's built-in development server so you can browse your site. Django has a wonderful feature that reloads the server automatically, so you instantly see changes made to the code without restarting it. (It is only necessary to restart the runserver command when adding a new app.)
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# python3 manage.py runserver 0.0.0.0:8000


createsuperuser
This command allows you to create an admin account for your Django web admin panel.
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# python3 manage.py createsuperuser

Django Admin Panel
0.0.0.0:8000/admin
This URL can be used to access Django web admin panel.


startapp
Startapp allows you to initialize an app for your project. A Django project can contain any number of apps.
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# python3 manage.py startapp slatt

Creating a Site
Let's go ahead and create a very simple app.
Modify settings.py
INSTALLED_APPS = [
    'slatt',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
]

Modify urls.py
from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('slatt/', include('slatt.urls')),
    path('admin/', admin.site.urls),
]

App Directory
There are a couple files that need to be created in here for the app to work!
urls.py
from django.urls import path
from . import views

app_name = 'slatt'
urlpatterns = [
    path('', views.index, name='index'),
]

views.py
from django.shortcuts import render
from django.http import HttpResponse

# Create your views here.
def index(request):
    return HttpResponse("Hello, World!")

Running App
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# python3 manage.py migrate
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# python3 manage.py runserver 0.0.0.0:8000


Rendering Templates with Django
Django is able to generate HTML markup automatically if properly told to. Templates are what make that possible.
Templates
Create a templates subdirectory in the app directory to hold all of our templates (Django's app template loader looks for a directory with exactly that name).


base.html
<!DOCTYPE html>
<html lang='en'>
<head>
    <meta charset="UTF-8">
    <title>{% block title %}Slatt{% endblock %}</title>
</head>
<body>
    {% block content %} {% endblock %}
</body>
</html>

index.html
{% extends 'base.html'%}
{% block content %}
Hello world!
-Nee!
{% endblock %}

views.py
from django.shortcuts import render
from django.http import HttpResponse

# Create your views here.
def index(request):
    return render(request, 'index.html')

Running App
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# python3 manage.py migrate
┌──(root㉿4pfsec)-[~/boxes/thm/django/site_4pfsec]
└─# python3 manage.py runserver 0.0.0.0:8000



CTF
Target host = 10.10.131.20
Target Port = 8000
Target Username = django-admin
Target Password = roottoor1212
Browsing to the host on that port returned a DisallowedHost error as shown below.

I was able to log in to the server via SSH with the given credentials.

Since I had access to the server, I modified the ALLOWED_HOSTS list in settings.py.
[email protected]:~/messagebox/messagebox$ nano settings.py

That modification led me into the application as shown below.

Exploring messages returned the following.

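The DisallowedHost error above and the ALLOWED_HOSTS edit in the Modify Bind Host section are the same mechanism seen from two sides. The following is an added example, not code from the TryHackMe room or from this post: a stand-alone re-implementation of how Django compares the request's Host header against ALLOWED_HOSTS (the semantics of django.http.request.validate_host and split_domain_port, written out so it runs without Django installed). The host lists below are constructed to mirror the room's scenario.

```python
# Added example: reproduce Django's ALLOWED_HOSTS check offline.
# Mirrors django.http.request.split_domain_port / validate_host; Django is not imported.
import re

# Same shape as Django's host_validation_re: hostname or [IPv6], optional :port.
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def split_domain_port(host):
    """Return (domain, port) from a Host header, lowercased; ('', '') if malformed."""
    host = host.lower()
    if not HOST_VALIDATION_RE.match(host):
        return "", ""
    if host[-1] == "]":  # bare IPv6 literal with no port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    domain = domain[:-1] if domain.endswith(".") else domain  # strip trailing dot
    return domain, port


def is_same_domain(host, pattern):
    """'.example.com' matches example.com and every subdomain; otherwise exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])) or pattern == host


def host_allowed(host_header, allowed_hosts, debug=False):
    """True if Django would serve the request, False if it raises DisallowedHost."""
    if debug and not allowed_hosts:  # Django's DEBUG-only convenience default
        allowed_hosts = [".localhost", "127.0.0.1", "[::1]"]
    domain, _port = split_domain_port(host_header)
    # A '*' entry disables the check entirely, which also removes Django's
    # protection against Host header poisoning; prefer explicit hostnames.
    return bool(domain) and any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


if __name__ == "__main__":
    # Constructed: settings list only the bind addresses, so a browser that sends
    # Host: 10.10.131.20:8000 is rejected until that address is added to the list.
    before = ["0.0.0.0", "127.0.0.1"]
    after = before + ["10.10.131.20"]
    print(host_allowed("10.10.131.20:8000", before))  # False -> DisallowedHost
    print(host_allowed("10.10.131.20:8000", after))   # True
```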
Admin panel flag?
Since I had access to the server, I used the createsuperuser command to create my own user so I could log in to the admin panel.
[email protected]:~/messagebox$ python3 manage.py createsuperuser

http://10.10.131.20:8000/admin/
With that, I was able to log in to the admin panel as shown below.


Browsing to http://10.10.131.20:8000/admin/auth/user/ reveals the flag and some other interesting information as shown below!

User flag?
The previous challenge gave us a new username and a password hash.
Username: StrangeFox
Password hash: https://pastebin.com/nmK---
Using https://toolz.4pfsec.com/hashId/ I was able to identify the hash as shown below.

SHA-256 [Hashcat Mode: 1400]
Since I knew it was a SHA-256 hash, I used hashcat mode 1400 to go ahead and crack it.
.\hashcat.exe -m 1400 .\hashes\djangoCtf.txt .\wordlists\mylist.txt --force

c06029563b2765020613f5bf79fc528344ffa039ef1483d0c390786d8010c630:WildNature
Target User = StrangeFox
Target User's Password = WildNature
Knowing the credentials, I switched to that user.
su StrangeFox
WildNature

Hidden flag?
Knowing that the flag would be on the machine, I grepped recursively through the filesystem to find it (as shown below).
[email protected]:/$ cd /
[email protected]:/$ grep -Hr "THM{"

Conclusion
With that, this room has successfully taught me the basics of Django and how to turn developers' mistakes in it to my advantage! Hope it helped you in some way!