Easy Peasy

Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.

First step we are going with on this machine is to enumerate using nmap to see what may be available.

The first question is asking how many ports are open. Initial scan only gave one (80) which was incorrect. So we are going to expand our ports we are scanning and end up with 3 open ports

Second question is looking for the version of nginx. We get version 1.16.1

Last is the highest port which after using trigger -p- we get 65524 running apache httpd

Next we are going to use Gobuster to search for any hidden directories.

And we get /hidden!

This gives us a webpage with an image

Page source gives us this image. Download and ran steghide against it and it appears to password protected (something hidden!)

Came to a hault so decided to run gobuster against the hidden directory and located /hidden/whatever

Checking into the page source I find the download link as well as something base64 encoded it appears (ZmxhZ3tmMXJzN19mbDRnfQ==)

Using cyberchef against it we get our first flag!

THM now states we should continue to enumerate. Gobuster seems like a dead end

Going back to our open ports, we confirm apache is being run on port 65524

navigating to the robots.txt file, we get a user agent that looks interesting


This appears to be a hash so we are going to attempt to crack it

Using cyberchef we analyze it and get this

Had no luck with Crackstation or other online tools with this

Looked up some writeups and it appears a site called md5hashing.net is able to decrypt

Using https://md5hashing.net/hash/md5/a18672860d0510e5ab6699730763b250 we are able to locate the second flag!


Flag 3 states to crack the hash with easypeasy.txt attachment for flag 3 (Cheating you can just notepad it and use the search function but thats no fun)

Navigating back to the page source of the site, we see the flag listed


Next we are looking for a hidden directory

We also find this

Looks like it was encoded in Base62. Using cyber chef to decrypt, we get this hidden directory


Page source of that displays this