TryHackMe: Easy Peasy
Tools and Commands Used To Solve This Room.
Task 1 Enumeration through Nmap
* All answers found using “Zenmap”.
- How many ports are open?
* 3 ports.
- What is the version of nginx?
* Version is 1.16.1.
- What is running on the highest port?
* Apache Service running on the highest port.
Task 2 Compromising the machine
- Using GoBuster, find flag 1.
* “/hidden” directory found using GoBuster.
*dir — set the mode to directory discovering.
* — u — used for URL.
* -w — the path to the wordlist.
* Go to URL “$ip/hidden”. Check the source page. (Nothing Found).
* Further web content filtering of “/hidden” directory using GoBuster.
* New directory found “/whatever”.
* Go to URL “$ip/hidden/whatever”. Check the source page.
* Found a hash. Two equal signs show that hash is Base64 encoding.
* Decode Base64 text using any google website. (Flag Found)
- Further enumerate the machine, what is flag 2?
* Start digging on Apache port.
* During “Zenmap”, Apache service showed “robots.txt” file. (check that directory by going to URL “https://$ip:65524/robots.txt”.
* Robots.txt directory showed a hash.
* Type of hash found via “Hash-Identifier”. (Which is MD5).
* Decode text using any google website. (Flag Found)
- Crack the hash with easypeasy.txt, What is the flag 3?
* Flag Found on Apache’s main page.
- What is the hidden directory?
* Check source page of Apache main page.
* Tag “p” showing a hash with a hint that hash is encoded with any base.
* Go to CyberChef, decode the hash with Base62. (Hidden Directory Name Found).
- Using the wordlist that provided to you in this task crack the hash
what is the password?
* Go to newly discovered directory ($ip:65524/directory).
* check source page. (New hash found).
* Type of hash found via “Hash-Identifier”.
* Try decoding the code with the top three hash type.
* Flag Found via md5hashing ( hash type is GOST ).
- What is the password to login to the machine via SSH?
* An image is found on the apache port in (/n0th1ng3Is3m4tt3r) directory.
* Download the image and extract it by using the “steghide” with a recently discovered password.
* cat ( read ) the new extracted file.
* Convert the binary password into the plain text. ( Password Found)
- What is the user flag?
* “SSH” the user using the discovered username and password.
* ls — list the directories.
* cat — read the file.
* hint — flag is rotated.
* Tried ROT13. ( User Flag Found)
- What is the root flag?
* Located the schedule Cron jobs and found one which executes every minute with bash script.
* cd — change directory.
* Go to the founded directory, create a reverse shell with own IP and setup nc listener.
* After few minutes, a file named “root.txt” created.
* cat ( read) the file and Root Flag Found.