
TryHackMe|EasyPeasy WriteUp\Walkthrough (English)

Easy Peasy

Room Link: https://tryhackme.com/room/easypeasyctf

  • First, run a complete port scan on the target with sudo nmap -p- -T5 10.10.221.138 -v. After identifying the open ports, run a second nmap scan against only those ports to identify the services running on them: sudo nmap -p80,6498,65524 10.10.221.138. These two scans give the answers to the first three questions ✨.

  • Now we start with port 80. Opening it in the browser shows nothing interesting, not even in the source code, so we enumerate hidden files and directories with gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://10.10.221.138 -r. This gives us robots.txt and hidden. robots.txt contains nothing useful, and hidden shows nothing either, even in its source code.

  • Next we enumerate the hidden directory with gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://10.10.221.138/hidden -r. This reveals a new folder called whatever. The source code of the /whatever page contains an interesting value that looks like a hash.


The value looks like base64 encoding; decoding it with a base64 decoder gives us the first flag ✨.

  • The /whatever page has "dead end" as its title, so we assume we are done with port 80 and move on to port 65524, which hosts the Apache server. Let's take a look at the page itself. You will notice a strange sequence of numbers on the page: this is flag 3 ✨.

  • If we look at the source code of the same page, we also notice a hidden string.

Running this value through a cipher identifier shows that it is base62 encoded, so we decode it with base62. The result is /n0th1ng3ls3m4tt3r, which is the hidden directory we were looking for ✨.
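The two decoding steps above (base64 for the first flag, base62 for the hidden directory name) are simple enough to reproduce without a website. The following is an added example, not code from the original writeup, that implements base62 as a big-integer conversion and a small identifier that tries both encodings and keeps only decodings that come out as printable text. It assumes the alphabet ordering digits, upper case, lower case (the CyberChef default); a tool that orders the alphabet differently will produce different bytes. The encoded values from the room are not reproduced on the page, so the demo round-trips the decoded directory name the writeup gives.

```python
import base64
import binascii
import string

# Assumed alphabet: 0-9, A-Z, a-z in that order (CyberChef's default Base62 ordering).
BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62_encode(data: bytes) -> str:
    """Treat the bytes as one big-endian integer and write it in base 62."""
    number = int.from_bytes(data, "big")
    if number == 0:
        return BASE62_ALPHABET[0]
    digits = []
    while number:
        number, rem = divmod(number, 62)
        digits.append(BASE62_ALPHABET[rem])
    return "".join(reversed(digits))


def base62_decode(text: str) -> bytes:
    """Reverse of base62_encode. Leading zero bytes are not preserved by this
    integer representation; raises ValueError on characters outside the alphabet."""
    number = 0
    for ch in text:
        value = BASE62_ALPHABET.find(ch)
        if value < 0:
            raise ValueError("not a base62 character: %r" % ch)
        number = number * 62 + value
    length = (number.bit_length() + 7) // 8
    return number.to_bytes(length, "big")


def candidate_decodings(text: str) -> dict:
    """Try the encodings met in this room and return the ones that yield printable ASCII,
    keyed by encoding name. Acts as a tiny 'cipher identifier' for these two schemes."""
    results = {}
    try:
        raw = base64.b64decode(text, validate=True)  # strict alphabet and padding check
        if raw and raw.isascii() and raw.decode().isprintable():
            results["base64"] = raw.decode()
    except (binascii.Error, ValueError):
        pass
    try:
        raw = base62_decode(text)
        if raw and raw.isascii() and raw.decode().isprintable():
            results["base62"] = raw.decode()
    except ValueError:
        pass
    return results


if __name__ == "__main__":
    # Constructed inputs: the base64 of "hello" and a base62 string built from the
    # directory name the walkthrough recovers.
    print(candidate_decodings("aGVsbG8="))
    print(candidate_decodings(base62_encode(b"/n0th1ng3ls3m4tt3r")))
```

Because the base64 alphabet includes "+", "/" and "=", a string that decodes as base62 never contains those characters; conversely an all-alphanumeric string may be valid under both schemes, which is why the identifier reports every decoding that looks like text rather than guessing a single one.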

  • After gathering this initial information from the Apache server's home page, we run it through gobuster to discover more: gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://10.10.221.138:65524 -r. This shows multiple directories, but the only one we have permission to view is robots.txt. robots.txt contains an interesting value in the User-agent field. It looks like a hash, and it is indeed one. It is a bit frustrating to crack; the only site that reversed it was https://md5hashing.net/. This gives us the second flag ✨.

  • Next, we visit the hidden directory /n0th1ng3ls3m4tt3r. This page has an image on it, with a smaller image in the middle of the bigger one.

If we take a look at the source code, we can confirm that the page indeed has two images: one in the style element and the other in the img element. Here we also find a value that looks like a hash. Using the same website as in step 6, we get the value ********************, which is the answer to question 5 ✨.


  • Sometimes interesting information is concealed inside a picture. This is called steganography: the practice of hiding messages or information within other non-secret text or data. Linux has a tool called steghide that can extract hidden data from a file or picture. We save the smaller image to our machine and check whether anything is hidden in it with steghide info binarycodepixabay.jpg. The passphrase is the value from the previous step.

This shows an embedded file called secrettext.txt. To extract it, run steghide extract -sf binarycodepixabay.jpg.

  • This file contains a username and a password, most likely for the SSH server on the third and last open port of this machine. The username is given in plain text as boring, but the password is given in binary; using CyberChef we can decode it to ***..., which is the answer to question 6 ✨.
  • Now that we have a username and a password, we connect to the target with ssh boring@IP -p 6498 and the password ***... . Once on the system, user.txt is right in the home directory. A hint in the same file says the data is rotated; we recover the original value with rot13.

  • The last question asks for the root flag, so we need root privileges. The room tells us we will escalate privileges through a misconfigured cron job. To view the cron jobs, cd /etc and look at the cron folders and files. We notice a crontab file owned by root. Showing the contents of this file reveals several cron jobs; the last one is the one we are interested in.

  • The last cron job changes to /var/www and then executes the file .mysecretcronjob.sh with root privileges. Navigating to /var/www, we find that .mysecretcronjob.sh is actually owned by boring, yet it is executed as root. Knowing this, we write a script that grants the user boring the ability to run any command with sudo without a password: echo "boring ALL=NOPASSWD:ALL" >> /etc/sudoers. We replace the contents of .mysecretcronjob.sh with this line, and it runs with root privileges at the start of the next minute, because the job runs every minute.

  • Run sudo su, then cd /root, then ls -al and retrieve the flag ✨.
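The weakness behind the last three steps, a root cron job that executes a file a non-root user can modify, is easy to audit for on a host you administer. The following is an added example, not part of the original writeup or the room, that parses an /etc/crontab-style file, resolves the files each root job executes (following cd prefixes as in the job above), and flags any file that is owned by someone other than root, writable by group or others, or sits in a directory others can write to. The crontab text and the staged directory tree are constructed for the demonstration, and the job line is modelled on what the writeup describes rather than copied from the room; the root parameter lets the check run against a staged tree instead of the live filesystem.

```python
import os
import stat
import tempfile
import textwrap

# Constructed sample in /etc/crontab format (minute hour dom mon dow user command).
# The last line mirrors the kind of job the walkthrough describes; it is not the room's exact entry.
SAMPLE_CRONTAB = textwrap.dedent("""\
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    # m h dom mon dow user  command
    17 *   * * *   root   cd / && run-parts --report /etc/cron.hourly
    * *    * * *   root   cd /var/www/ && bash .mysecretcronjob.sh
""")


def parse_system_crontab(text):
    """Yield (user, command) for each job line of a system crontab (/etc/crontab style)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # malformed: need five time fields, a user and a command
        yield parts[5], parts[6]


def referenced_files(command, root="/"):
    """Return (path as cron sees it, path on disk) for files the command line refers to,
    tracking 'cd DIR &&' segments so relative script names resolve correctly."""
    cwd = "/"
    found = []
    for segment in command.split("&&"):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = os.path.normpath(os.path.join(cwd, tokens[1]))
            continue
        for tok in tokens:
            candidate = os.path.normpath(os.path.join(cwd, tok))
            staged = os.path.join(root, candidate.lstrip("/"))
            if os.path.isfile(staged):
                found.append((candidate, staged))
    return found


def audit_cron_jobs(crontab_text, root="/"):
    """Return findings for root jobs that execute a file a non-root user could change."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for shown_path, real_path in referenced_files(command, root):
            st = os.stat(real_path)
            reasons = []
            if st.st_uid != 0:
                reasons.append("owned by uid %d, not root" % st.st_uid)
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            parent = os.stat(os.path.dirname(real_path))
            if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
                reasons.append("parent directory writable by others")
            if reasons:
                findings.append({"path": shown_path, "command": command, "reasons": reasons})
    return findings


def stage_demo_tree():
    """Build a throwaway directory tree that mimics the misconfiguration (constructed)."""
    root = tempfile.mkdtemp(prefix="cron-audit-")
    script_dir = os.path.join(root, "var", "www")
    os.makedirs(script_dir)
    script = os.path.join(script_dir, ".mysecretcronjob.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(script, 0o777)  # deliberately writable by everyone for the demo
    return root


def demo():
    """Run the audit against the staged tree and return its findings."""
    return audit_cron_jobs(SAMPLE_CRONTAB, root=stage_demo_tree())


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

On a real host the same function can be pointed at /etc/crontab with the default root of "/"; the fix for anything it flags is the usual one of making the script root-owned and mode 0755 or tighter, since a cron entry only ever runs code as safely as the file it names is protected.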
