EasyPeasy

Try this challenge in TryHackMe: Easy Peasy

I tried this easy CTF and below is my thought process on how I answered the questions and some notes for future reference. I got some hints from this Medium walkthrough: TryHackMe: Easy Peasy Write-up by Kevin De Vijlder

Task 1: Enumeration through Nmap

1.1 How many ports are open?

Let's run a nmap scan to check the open ports on the IP assigned to us. Just replace the 10.10.X.X to the IP given to you.

nmap -sT -p 1-65535 10.10.X.X

To answer the next two questions, we’ll be running a nmap scan for the open ports:

1.2 What is the version of nginx?

1.3 What is running on the highest port?

Task 2: Compromising the machine

2.1 Using GoBuster, find flag 1.

Run gobuster for http://10.10.X.X/

We found out that there is a /hidden directory. Let's try to run gobuster for http://10.10.X.X/hidden

Go to http://10.10.X.X/hidden/whatever

Copy the hidden hash

To decrypt the hash, go to an online decrypter like https://hashes.com/en/decrypt/hash for faster results

2.2 Further enumerate the machine, what is flag 2?

Run gobuster for http://10.10.X.X:65524

Check 10.10.X.X:65524/robots.txt

In the User-Agent field, there’s a hash

To find the type of the hash, use hash-identifier module

Decrypt hash using an online MD5 decrypter

2.3 Crack the hash with easypeasy.txt, What is the flag 3?

From our nmap scan, go to http://10.10.X.X:65524

Flag 3 is written in plain sight on the web page

2.4 What is the hidden directory?

When you View the Page Source of http://10.10.X.X:65524, a hidden field will be seen that has a hash.

We’ll use CyberChef to decrypt hash from Base6X (explore options available in CyberChef)

2.5 Using the wordlist that was provided to you in this task crack the hash what is the password?

When you go to the hidden directory, you’ll see a picture

Save the image with its default name

We’ll use steganography to decode the message in the image

But a passphrase is needed to decrypt this file

Let’s try to View the Page Source of the image page to get some clues. We indeed retrieved a hash.

Save the hash using the filename hash.txt

To decrypt the hash, use the johntheripper module

2.6 What is the password to login to the machine via SSH?

Going back to the steghide module, enter the passphrase that we got.

A file secrettext.txt was extracted. Use this to view the contents of the file.

We’ll get a username boring and binary numbers that need to be decrypted

Use a Binary to Text converter tool online like this:

https://www.rapidtables.com/convert/number/binary-to-ascii.html

2.7 What is the user flag?

From our previous nmap scan, we’ll use the port 6498 for the ssh access

From the Hint, we got the term “Rotated”, which suggests that this may be encrypted with ROT13. Using CyberChef, we decrypt the flag.

2.8 What is the root flag?

From the description of this room, we are expected to escalate our privileges through a vulnerable cronjob

The cron job is located in /var/www

We’ll see the cronjob mysecretcronjob.sh that said that will run as root.

We can set up a netcat listener in our machine to have a reverse shell since the cronjob has root privileges.

Let's craft our payload:

Get the reverse shell script from pentestmonkey's reverse shell cheat sheet then replace the contents of mysecretcronjob.sh

*use your machine IP & port 5556

Let's now wait for the cronjob to be executed to receive a shell