[THM] Easy Peasy

This room was designed by kral4 for Try Hack Me. You can access the room by clicking here.

Let’s start by doing a port scan of the target.

NMap Scan

I usually run a full-range port scan so as not to miss any important information or running services.

There is a robots.txt that we could check (from the first scan). Checking the file, nothing comes up. Let’s do some directory discovery; for that I use gobuster.

Gobuster output

You can see a newly discovered directory named hidden. Accessing the directory, nothing interesting comes up, so I brute-force the hidden directory.

Hidden dir bruteforce

A new directory comes up: whatever. Accessing it and checking the page source, a base64 string can be discovered. After decoding it, that string seems to be our first flag.

Decoding the string

I ran gobuster again just to make sure I’m not missing any other directories or files inside the whatever directory.

Gaining foothold

Nothing came up, so I proceed to check port 65524, on which Apache runs. I run Gobuster again.

Gobuster on higher port

Checking robots.txt we can notice a hash.

Robots.txt content

You can crack the hash (it’s an MD5 hash) and get the second flag.

I was missing something and decided to go back and check the Apache default webpage. There was a base62-encoded string.

Finding the string

I used CyberChef to decode the value.

Decoding the base62 string

Access the newly discovered directory. If you check the page source code you can find a hash. I tried to crack it offline but I didn’t have any success, so I looked online for a cracker (it’s a GOST algorithm) and I was able to crack it.

Cracked hash

I downloaded the image and used steghide to recover a text file.

Extracting the file

Taking a look at the text file, there is a username and a binary-encoded password. To decode it I used rapidtables.

Decoding the binary

I then used the recovered username and password to login to the target using SSH.

Connecting to target

You can retrieve the user flag from the home directory of the user. Use ROT13 to convert it correctly.

Privilege Escalation

I used the Linux Smart Enumeration (LSE) script to enumerate the system.

LSE finds a writable file (/var/www/.mysecretcronjob.sh).

LSE pointing the file

The script also points out a cron job that runs the script as root.

Cronjob

Create a listener and echo a reverse shell one-liner into the file, so that when the cron job executes the script we’ll receive the connection. Now all you have to do is wait for the script to be run.

Receiving the connection
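The privilege escalation above works because a root cron job executes a script that a low-privileged user can write. As an added example (not part of the original writeup), here is a small audit that finds exactly that condition: it parses /etc/crontab-style lines, picks out the absolute paths each root job runs, and flags any that are not root-owned or are group/other writable. The crontab text and file ownership/mode values are constructed for the example; the lookup is injected so the same check can be pointed at a live host with an os.stat-based function.

```python
import re
import stat
from typing import Callable, NamedTuple, Optional
# Constructed /etc/crontab sample (5 time fields, user, command); the root job on
# /var/www/.mysecretcronjob.sh mirrors the finding in the writeup.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
17 *  * * * root cd / && run-parts --report /etc/cron.hourly
* *   * * * root /var/www/.mysecretcronjob.sh
0 3   * * * www-data /usr/local/bin/rotate-logs.sh
"""
ABS_PATH = re.compile(r"^/[\w.\-/]+$")  # absolute path token; a bare "/" does not match

class CronEntry(NamedTuple):
    user: str
    command: str

def parse_system_crontab(text: str) -> list[CronEntry]:
    # Skip blank lines, comments and VAR=value lines; keep (user, command) of each job.
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        parts = line.split(None, 6)  # 5 time fields, user, rest of line is the command
        if len(parts) == 7:
            entries.append(CronEntry(user=parts[5], command=parts[6]))
    return entries

def script_paths(command: str) -> list[str]:
    # Absolute paths referenced by the command, e.g. the script the job executes.
    return [tok for tok in command.split() if ABS_PATH.match(tok)]

def is_tamperable(uid: int, mode: int) -> bool:
    # A non-root user can change the file if they own it or it is group/other writable.
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_risky_root_jobs(text: str, lookup: Callable[[str], Optional[tuple[int, int]]]) -> list[str]:
    # Paths run by root cron jobs that a lower-privileged user could modify.
    # lookup(path) -> (owner uid, st_mode) or None if the path does not exist.
    risky = []
    for entry in parse_system_crontab(text):
        if entry.user != "root":
            continue
        for path in script_paths(entry.command):
            info = lookup(path)
            if info is not None and is_tamperable(*info) and path not in risky:
                risky.append(path)
    return risky
```

On a real host, pass a lookup that returns `(os.stat(p).st_uid, os.stat(p).st_mode)` and catches OSError; the fix for any flagged path is root ownership with mode 0755 or tighter.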

Hope you enjoyed reading this and learned something new from this box.