Easy Peasy

Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.


The first step on this machine is to enumerate with Nmap to see what may be available.

The first question asks how many ports are open. The initial scan only gave one (80), which was incorrect. So we expand the range of ports we are scanning and end up with 3 open ports.

The second question is looking for the version of nginx. We get version 1.16.1

Last is the highest port: after using the -p- option we get 65524, running Apache httpd

Next we are going to use Gobuster to search for any hidden directories.

And we get /hidden!

This gives us a webpage with an image

Page source gives us this image. Downloaded it and ran steghide against it, and it appears to be password protected (something hidden!)

Came to a halt, so decided to run Gobuster against the hidden directory and located /hidden/whatever

Checking the page source, I find the download link as well as something that appears to be base64 encoded (ZmxhZ3tmMXJzN19mbDRnfQ==)

Using CyberChef against it we get our first flag!

THM now states we should continue to enumerate. Gobuster seems like a dead end

Going back to our open ports, we confirm Apache is running on port 65524

Navigating to the robots.txt file, we get a user agent that looks interesting

a18672860d0510e5ab6699730763b250

This appears to be a hash so we are going to attempt to crack it

Using CyberChef we analyze it and get this

Had no luck with Crackstation or other online tools with this

Looked up some writeups and it appears a site called md5hashing.net is able to decrypt it

Using https://md5hashing.net/hash/md5/a18672860d0510e5ab6699730763b250 we are able to locate the second flag!

flag{1m_s3c0nd_fl4g}

Flag 3 says to crack the hash using the easypeasy.txt attachment (cheating: you can just open it in Notepad and use the search function, but that's no fun)

Navigating back to the page source of the 10.10.192.18:65524 site, we see the flag listed

flag{9fdafbd64c47471a8f54cd3fc64cd312}

Next we are looking for a hidden directory

We also find this

Looks like it was encoded in Base62. Using CyberChef to decode it, we get this hidden directory

/n0th1ng3ls3m4tt3r
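The Base64 and Base62 decoding steps above, done in code as an added example (not part of the original write-up): it scans page source for tokens that decode to readable text, which is also a quick way to audit your own pages for data that is only encoded, not protected. The function names are hypothetical, and the Base62 token in the sample is constructed by encoding the directory name, since the original encoded string is not reproduced on this page.

```python
import base64
import re
import string

# CyberChef's default Base62 alphabet: 0-9, A-Z, a-z.
B62 = string.digits + string.ascii_uppercase + string.ascii_lowercase
TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")  # long encoded-looking runs


def b62decode(token):
    """Read the token as one big base-62 integer and return its bytes."""
    n = 0
    for ch in token:
        n = n * 62 + B62.index(ch)
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def b62encode(data):
    """Inverse of b62decode; used only to build the constructed sample."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out or "0"


def find_encoded(html):
    """Return (scheme, text) for each token that decodes to printable ASCII."""
    hits = []
    for token in TOKEN.findall(html):
        tries = []
        if len(token) % 4 == 0:
            tries.append(("base64", lambda t: base64.b64decode(t, validate=True)))
        if token.isalnum():
            tries.append(("base62", b62decode))
        for scheme, decode in tries:
            try:
                raw = decode(token)
            except ValueError:
                continue
            if len(raw) >= 4 and all(32 <= b < 127 for b in raw):
                hits.append((scheme, raw.decode("ascii")))
    return hits


# Constructed page source: the Base64 string quoted earlier, plus a Base62
# token built from the directory name (the original token is not on the page).
SAMPLE = ("<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>\n<p hidden>"
          + b62encode(b"/n0th1ng3ls3m4tt3r") + "</p>")
print(find_encoded(SAMPLE))
```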

The page source of /n0th1ng3ls3m4tt3r displays this