This room was designed by kral4 for Try Hack Me. You can access the room by clicking here.
Let’s start by doing a port scan of the target.

I usually run a full-range port scan so as not to miss any running services or other useful information.

There is a robots.txt that we could check (from the first scan). Checking the file, nothing comes up. Let's do some directory discovery. For that I use gobuster.

You can see a newly discovered directory named hidden. Accessing the directory, nothing interesting comes up, so I brute-force the hidden directory.

A new directory comes up: whatever. Accessing it and checking the page source, a base64 string can be discovered. After decoding it, that string seems to be our first flag.

I ran gobuster again just to make sure I'm not missing any other directories or files inside the whatever directory.
Gaining foothold
Nothing came up, so I proceed to check port 65524, on which Apache runs. I run gobuster again.

Checking robots.txt, we can notice a hash.

You can crack the hash (it's an MD5 hash) and get the second flag.
I was missing something and decided to go back and check the Apache default webpage. There was a base62-encoded string.

I used CyberChef to decode the value.

Access the newly discovered directory. If you check the page source code you can find a hash. I tried to crack it offline but didn't have any success, so I looked online for a cracker (it's a GOST hash) and was able to crack it.

I downloaded the image and used steghide to recover a text file.

Taking a look at the text file, there is a username and a binary-encoded password. To decode it I used rapidtables.

I then used the recovered username and password to login to the target using SSH.

You can retrieve the user flag from the home directory of the user. Use ROT13 to convert it correctly.
Privilege Escalation
I used the linux smart enumeration script (LSE) to enumerate the system.
LSE finds a writable file (/var/www/.mysecretcronjob.sh).

The script also points out a cronjob that runs that file as root.

Create a listener and echo a reverse shell one-liner into the file, so that when the cronjob executes the script we receive the connection. Now all you have to do is wait for the cronjob to run the script.
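The root shell above exists only because a root cron job points at a file that a low-privileged user can modify. One way to audit a host for that misconfiguration, as an added example that is not part of the original writeup: the function below reads a crontab in the system format (the /etc/crontab and /etc/cron.d layout with a user field, which is an assumption here; per-user crontabs lack that field) and reports every referenced script that is writable by group or others. The crontab and script in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a crontab in the
# system format (min hr dom mon dow user command, as in /etc/crontab or
# /etc/cron.d/*) and report every referenced script that group or others
# can write to. A root cron job pointing at such a file is the exact
# misconfiguration abused in this box.

find_writable_cron_scripts() {
    cronfile=$1
    hits=$(grep -Ev '^[[:space:]]*(#|$)' "$cronfile" |
        while read -r min hr dom mon dow user cmd; do
            # skip environment assignments such as PATH=/usr/bin:/bin
            case "$min" in *=*) continue ;; esac
            script=${cmd%% *}              # first token is the script or binary
            [ -f "$script" ] || continue   # ignore paths that do not resolve
            # in the ls -l mode string, chars 6 and 9 are the group and other write bits
            bits=$(ls -ld "$script" | cut -c6,9)
            case "$bits" in
                *w*) printf '%s %s\n' "$user" "$script" ;;
            esac
        done)
    [ -z "$hits" ] && return 0             # nothing to report
    printf '%s\n' "$hits"
    return 1                               # at least one writable cron script
}

# Constructed demo: a throwaway crontab with one world-writable script.
demo=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo/job.sh" && chmod 777 "$demo/job.sh"
printf '# constructed sample\n* * * * * root %s/job.sh\n' "$demo" > "$demo/crontab"
find_writable_cron_scripts "$demo/crontab" || echo "writable root cron script found"
rm -rf "$demo"
```

Any line it prints names the user the job runs as and the file to fix (chmod 755 and root ownership); the fix for this box is the same.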

Hope you enjoyed reading this and learned something new from this box.