EasyPeasy
Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.
Try this challenge in
I tried this easy CTF and below is my thought process on how I answered the questions and some notes for future reference. I got some hints from this Medium walkthrough:
Let's run an Nmap scan to check the open ports on the IP assigned to us. Just replace 10.10.X.X with the IP given to you.
To answer the next two questions, we’ll be running an Nmap scan for the open ports:
Run gobuster for http://10.10.X.X/
We found out that there is a /hidden directory. Let's try to run gobuster for http://10.10.X.X/hidden
Go to http://10.10.X.X/hidden/whatever
Copy the hidden hash
Run gobuster for http://10.10.X.X:65524
Check 10.10.X.X:65524/robots.txt
In the User-Agent field, there’s a hash
Decrypt hash using an online MD5 decrypter
From our nmap scan, go to http://10.10.X.X:65524
Flag 3 is written in plain sight on the web page
When you View the Page Source of http://10.10.X.X:65524, a hidden field will be seen that has a hash.
When you go to the hidden directory, you’ll see a picture
Save the image with its default name
We’ll use steganography to decode the message in the image
But a passphrase is needed to decrypt this file
Let’s try to View the Page Source of the image page to get some clues. We indeed retrieved a hash.
Save the hash using the filename hash.txt
To decrypt the hash, use the John the Ripper module
Going back to the steghide module, enter the passphrase that we got.
A file secrettext.txt was extracted. Use this to view the contents of the file.
We’ll get a username boring and binary numbers that need to be decrypted
Use a Binary to Text converter tool online like this:
From our previous nmap scan, we’ll use the port 6498 for the ssh access
From the Hint, we got the term “Rotated”, which suggests that this may be encrypted with ROT13. Using CyberChef, we decrypt the flag.
From the description of this room, we are expected to escalate our privileges through a vulnerable cronjob
The cron job is located in /var/www
We’ll see the cron job script mysecretcronjob.sh, which states that it will run as root.
We can set up a netcat listener on our machine to have a reverse shell since the cronjob has root privileges.
Let's craft our payload:
*use your machine IP & port 5556
Let's now wait for the cronjob to be executed to receive a shell
We can see the flag in the .root.txt file.
To decrypt the hash, go to an online decrypter like for faster results
To find the type of the hash, use module
We’ll use to decrypt hash from Base6X (explore options available in CyberChef)
Get the reverse shell script from then replace the contents of mysecretcronjob.sh
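From the defender's side, the weakness this room relies on is a cron job that runs as root but executes a script a non-root user can modify. The audit below is an added example, not part of the original walkthrough: it scans /etc/crontab-style lines and reports absolute paths in root-run commands that are writable by anyone other than a trusted owner. The function names, the sample crontab text and the temporary paths are all constructed for illustration.

```python
import os, shlex, stat, tempfile

def writable_by_untrusted(path, trusted_uids=frozenset({0})):
    """Return the reasons `path` can be modified by someone other than a trusted owner."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_system_crontab(text, run_as="root", trusted_uids=frozenset({0})):
    """Scan system-crontab lines (5 time fields, user, command) and list
    (line number, path, reason) for paths untrusted users could change."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != run_as:
            continue  # variable assignment, short line, or a job for another user
        try:
            tokens = shlex.split(fields[6])
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = fields[6].split()
        for token in tokens:
            if not token.startswith("/") or not os.path.exists(token):
                continue
            # Check the file and its directory: a writable directory lets the
            # script be replaced even when the file itself is locked down.
            for target in (token, os.path.dirname(token)):
                for reason in writable_by_untrusted(target, trusted_uids):
                    findings.append((lineno, target, reason))
    return findings

if __name__ == "__main__":
    # Constructed sample: a world-writable script referenced by a root cron job.
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "job.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(script, 0o777)
    sample = f"SHELL=/bin/sh\n* * * * * root bash {script}\n"
    for finding in audit_system_crontab(sample, trusted_uids={os.getuid()}):
        print(finding)
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d with the default trusted owner (uid 0); any finding means the job should point at a root-owned script in a root-owned directory with no group or world write bit.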