Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.
This writeup contains all the steps needed to root Easy Peasy, an easy box on TryHackMe.
First, as always, we start by scanning the machine's ports, along with the services and their versions, using Nmap with the following command:
nmap -sV -sC -A -T4 10.10.97.146
But only 1 port came back open! What?
The hint says there are 3 ports, so there must be higher ports that the default scan (which only covers the most common 1000 ports) skipped.
So we'll scan all 65535 ports and their service versions using this command:
nmap -A 10.10.97.146 -Pn -T4 -p-
Running Nmap again over every port on the machine takes a while.
#1 How many ports are open?
Answer: 3
#2 What is the version of nginx?
Answer: 1.16.1
#3 What is running on the highest port?
Answer: Apache httpd 2.4.43. Notice we have 3 ports open:
· 80: nginx 1.16.1
· 6498: OpenSSH 7.6p1
· 65524: Apache httpd 2.4.43
The result shows us 3 open ports. There are 2 web services running: the one on port 80 runs on an Nginx web server and the one on port 65524 runs on an Apache web server. Additionally, there is 1 SSH server running on port 6498. Let’s start by checking the web server on port 80.
http://10.10.97.146/
There is no hidden information in the page source either. Let’s try gobuster to find hidden files and directories, using the command:
gobuster dir -u http://10.10.97.146 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
The outcome is shown below:
/hidden (Status: 301)
/index.html (Status: 200)
/robots.txt (Status: 200)
If we access the /hidden directory, we get the following page.
There is nothing interesting here, so we can use gobuster again to find even more hidden directories or files within the /hidden directory:
gobuster dir -u http://10.10.97.146/hidden -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
After the scan finishes (you can run it for 15 minutes; that’s more than enough for this machine) you can see the following directory being discovered:
/hidden/whatever/
Let us check what’s inside its source code, shall we?
Nice! Our first flag, base64 encoded. Let’s decode it with:
You can try to enumerate anything inside /whatever, but nothing will show up, so let’s move on to the other service running on port 65524:
http://10.10.97.146:65524
This is the Apache web server. The content of the page is:
Inspecting the source code, we find it: we got our 1st flag!
Try to look deeper for juicy information in /robots.txt.
Here we get a hash (which looks to me like an MD5 hash). Our first step will be to crack it; for this we are going to use the website MD5Hashing, which yields another flag.
We got our 2nd flag!
Try to investigate further: look into the source code. Did you find anything?
YES!
The encoding turns out to be base62, which gives us a directory path.
Using the file found in the hidden directory, find and crack a password hidden in the file:
We notice there is a hash and a picture waiting for us to investigate.
john --wordlist=easypeasy.txt hash.txt
And we have successfully cracked the password!
Remember the image in the hidden directory? Let’s download it to our desktop to reveal what’s inside.
Use steghide to extract the secret from this image, entering the password we just cracked:
steghide extract -sf binarycodepixabay.jpg
Using that password, we extract secrettext.txt, and in it we get another set of credentials. The password seems to be encoded!
These look like the credentials for the SSH server. We already have a username, and the password seems to be binary encoded; you can decode it using CyberChef. Now log into the server using the following command:
ssh -p 6498 <username>@10.10.97.146
Try to log in using the SSH credentials.
Don’t forget the flag -p 6498, because this machine’s SSH port is not 22 but 6498!
BOOM!!! We cracked it!!!
Run ls -la to see user.txt waiting for us to be opened.
I searched “rotated online decode” on Google and found this site to decode it:
We got the USER FLAG!
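As an added example that is not part of the original writeup, here is a small Python helper for the encodings met along the way: the base64 flag, the base62 directory path, the binary-encoded SSH password and the rotated user flag. The base62 alphabet (0-9A-Za-z, CyberChef's default) is an assumption, and every sample input is a constructed stand-in, not one of the box's real values.

```python
"""Decoders for the encodings met in this writeup: base64, base62,
binary octets and letter rotation (ROT-N). Added example, not code from
the original writeup; every sample input is constructed, not a real flag."""
import base64
import string

# Assumption: the 0-9A-Za-z alphabet CyberChef uses by default for base62.
B62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def decode_base64(text):
    """Decode base64, restoring any '=' padding lost when the blob was copied."""
    clean = "".join(text.split())
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-8", errors="replace")


def encode_base62(data):
    """Treat the bytes as one big-endian integer and write it in base 62."""
    value = int.from_bytes(data, "big")
    if value == 0:
        return B62_ALPHABET[0]
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(B62_ALPHABET[rem])
    return "".join(reversed(digits))


def decode_base62(text):
    """Inverse of encode_base62 (leading NUL bytes cannot be recovered)."""
    value = 0
    for ch in text.strip():
        value = value * 62 + B62_ALPHABET.index(ch)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return raw.decode("utf-8", errors="replace")


def decode_binary(text):
    """Turn '01101000 01101001' (spaces optional) back into text, 8 bits per character."""
    bits = "".join(text.split())
    if any(b not in "01" for b in bits) or len(bits) % 8:
        raise ValueError("input is not a whole number of binary octets")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def rotate(text, shift):
    """Shift each ASCII letter by `shift` places, leaving everything else alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_rotations(text):
    """Every ROT-N candidate, so the readable one can be picked out by eye."""
    return {n: rotate(text, n) for n in range(1, 26)}


if __name__ == "__main__":
    # Constructed samples standing in for the box's real flags and paths.
    print(decode_base64("aGVsbG8"))                         # hello (padding restored)
    print(decode_base62(encode_base62(b"/hidden/example/")))
    print(decode_binary("01101000 01101001"))               # hi
    print(all_rotations("synt{ebgngrq}")[13])               # flag{rotated}
```

Feed a value into the matching function, or into all_rotations when you only know the text is "rotated" and not by how much; the dictionary lets you spot the one shift that produces readable text.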
To solve the last question, I needed to get root access.
I found the vulnerable cronjob, which is located in the /var/www directory. It was a hidden .sh file that could be edited and executed. I inserted the following code into the file to get a reverse shell.
#!/bin/bash
# i will run as root
This file has permissions that let us edit it, and it is run as root, so we can use it to get the root flag by getting a reverse shell on this machine as root.
nc -nlvp <port number>
After opening a listener on our machine, the cronjob runs on the remote machine and we get back a shell, which is root. Yay!!
We get the flag, which was hidden in .root.txt!!
Now we have all our answers. Let’s submit them: we have successfully completed our CTF!!
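The root cause of this privilege escalation is a root cron job executing a script that other users can write to. As an added example, not code from the original writeup, this Python script is the check a defender would run over /etc/crontab to catch that misconfiguration: it parses the job lines, resolves the script each job executes and flags targets that are group- or world-writable, or that do not exist at all. The crontab text and file names are constructed in a temporary directory so the example runs offline.

```python
"""Audit crontab entries for scripts a non-root user could modify.
Added defender-side example, not code from the writeup: the box is
rooted because a root cron job executes a world-writable script.
The crontab text and files below are constructed in a temporary
directory so the example runs offline."""
import os
import re
import stat
import tempfile

# "m h dom mon dow user command": five time fields, then the user.
SYSTEM_CRON_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
# "@reboot user command" style shortcuts.
SPECIAL_CRON_RE = re.compile(r"^@\S+\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text):
    """Yield (user, command) for each job line of an /etc/crontab-style file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:  # variable assignment such as PATH=...
            continue
        m = SPECIAL_CRON_RE.match(line) or SYSTEM_CRON_RE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")


def target_path(cmd):
    """Return the script a job executes, skipping an interpreter prefix like 'bash'."""
    tokens = cmd.split()
    first = tokens[0]
    if os.path.basename(first) in ("sh", "bash", "python", "python3") and len(tokens) > 1:
        first = tokens[1]
    return first if first.startswith("/") else None


def audit_crontab(text):
    """Return (user, path, problem) for jobs whose script is missing or group/world-writable."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        path = target_path(cmd)
        if path is None:
            continue
        if not os.path.exists(path):
            findings.append((user, path, "target does not exist"))
            continue
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, path, "writable by group or others"))
    return findings


def demo():
    """Build a throwaway /var/www-like layout and audit a constructed crontab."""
    with tempfile.TemporaryDirectory() as www:
        loose = os.path.join(www, ".hidden_job.sh")  # constructed name, mode 777
        tight = os.path.join(www, "backup.sh")        # constructed name, mode 755
        for path, mode in ((loose, 0o777), (tight, 0o755)):
            with open(path, "w") as fh:
                fh.write("#!/bin/bash\necho job\n")
            os.chmod(path, mode)
        crontab = f"""
# constructed /etc/crontab for the example
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * root bash {loose}
0 2 * * * root {tight}
@reboot root /nonexistent/cleanup.sh
"""
        return audit_crontab(crontab)


if __name__ == "__main__":
    for user, path, problem in demo():
        print(f"{user}: {path}: {problem}")
```

On a real host, pass the contents of /etc/crontab (and the files under /etc/cron.d) to audit_crontab; a script that runs as root and shows up as "writable by group or others" is exactly the hole this box is built around, and a "target does not exist" entry is worth fixing too, since whoever can create that path decides what root runs.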
Keep Trying, Keep Working :)
Thank you for Reading!!
Happy Hacking
Follow me for more tips and tricks! 🙏
Author: Xploit Ayush