Easy Peasy THM CTF Writeup


Zargham Siddiqui
Feb 13, 2022


The room is EasyPeasy.

Task 1 Enumeration through Nmap

Let's deploy the machine and start enumerating using nmap.
It will take 20 to 30 minutes because we have used -T4; otherwise, checking all 65535 ports would take hours ⏰

Let's check the versions of the services running on these 3 ports.
We can achieve this using -sV.

# nmap -p80,6498,65524 10.10.138.10 -sV -Pn -v

Task 2 Compromising the machine

Let's enumerate the directories on the deployed server on port 80.
We can use GoBuster against the Nginx service running on port 80.

Let's further enumerate this /hidden directory, again using GoBuster.

Let's visit and check what is waiting for us in this directory. 😃

Let's check its page source.

We got something, but it is probably encoded. Let's find out using CyberChef what is encoded in it. 😆

Let's check the other web service, running on port 65524.

Let's enumerate this Apache server using a GoBuster dir scan.

We have found something in the robots.txt file. 😅

Let's decode it using an online resource such as MD5Hashing.net.

After checking the page source, we have found our flag3. 😄

We have also found something encoded, which we need to look at.

Let's use CyberChef again to check what is in there; Base62 will work here.

It looks like a directory, so let's try it on this Apache server.

Let's check its page source.

We need to crack this hash using john with the wordlist EasyPeasy.txt provided in the task files. Let's save this hash into a file.

Now we will use the magic of john.

Eventually, when we check, we notice that there is an extra image embedded in the webpage.

Steghide is a tool used for steganography. Let's try it on this image. 🔏

Wow..!!! Now we have a user ID and a binary-encoded password. Let's use CyberChef to check what the password is. 🔑

Now we will use SSH to log in to the server with this ID and password.

This won't work as the flag; it is rotated, as mentioned. We will now try rotating it with ROT13 using CyberChef.

Now we have our foothold on the system. Let's begin the deep dive.
After spending some time on the machine, we learn that the cronjobs file is owned by the current user, and we can use this to escalate privileges.

Let's edit this file and inject the shell to get root access.
Also start a listener on a pre-decided port.

After some time we will have our root shell access. 👏
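
Seen from the defender's side, the weakness used above is a file that root's cron runs but that a low-privileged user owns. The audit below is an added example, not part of the original writeup: it reads /etc/crontab-style entries and flags root jobs whose referenced files are owned by a non-root account or are world-writable. The sample entry, the temp script, and the function names are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) for job lines in /etc/crontab format (with a user field)."""
    for line in text.splitlines():
        fields = line.strip().split(None, 6)
        # Skip blanks, comments, env assignments (PATH=...) and @reboot-style lines.
        if len(fields) < 7 or fields[0].startswith(("#", "@")) or "=" in fields[0]:
            continue
        yield fields[5], fields[6]

def risky_paths(command, trusted_uids=(0,)):
    """Return (path, reason) for absolute paths in command that untrusted users can modify."""
    findings = []
    for token in command.replace(";", " ").split():
        if not token.startswith("/") or not os.path.exists(token):
            continue
        st = os.stat(token)
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((token, ", ".join(reasons)))
    return findings

def audit(crontab_text, trusted_uids=(0,)):
    """Flag root jobs that execute files a non-root account could edit."""
    return [(command, path, why)
            for user, command in parse_system_crontab(crontab_text)
            if user == "root"
            for path, why in risky_paths(command, trusted_uids)]

if __name__ == "__main__":
    # Constructed sample: a temp script stands in for the job file from the room.
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "job.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(script, 0o777)
    sample = f"SHELL=/bin/sh\n# constructed entry\n* * * * * root {script}\n"
    for finding in audit(sample):
        print(finding)
```

The check covers file ownership and the world-writable bit only; group write access and writable parent directories would need their own checks.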

At the end we need to find the root flag. This is somewhat tricky. We will locate the file

Hurray…!!! We have captured the last flag of this machine. 😆

I have also made a video if you want to check.

Zargham Siddiqui

I am an Informatics Specialist, Cyber Security and Digital Forensics researcher.