Jack-of-All-Trades (THM)

Musyoka Ian
6 min readApr 2, 2020


Hello guys, another machine has been released on TryHackMe: Jack-of-All-Trades. The machine was rated medium, but I would rate it easy. The only problem was configuring Mozilla Firefox to allow viewing a website running on port 22. The machine was meant to be exploited at the Securi-Tay 2020 conference, but maybe due to the COVID-19 outbreak it was repurposed as a TryHackMe machine. Let’s jump in.

As always, we’ll begin with an Nmap scan.

The Nmap output looked odd: port 22 is normally used for SSH and port 80 for HTTP, but in our case it’s the opposite (SSH on 80, HTTP on 22). I hate doing brute force since it mostly never works, so I started enumerating port 22 (HTTP).

Opening the web server in Mozilla Firefox we get an Access Restricted error.

Now you have to change Firefox’s configuration so that it will connect to a port it normally blocks (22 is on its list of banned ports), using the following simple steps.

Open a new tab in Firefox and type

about:config

Press Enter and it will bring you to a new page with a search bar. Type

network.security.ports.banned.override

If the preference does not exist yet, create it as a string. Set its value to 22 (a comma-separated list if you need more than one port) and voila, you’ll be good to go.

After refreshing the page we get a simple website.

I checked whether robots.txt existed, but got nothing.

On viewing the page source we get base64-encoded text and a commented note saying

<!--Note to self - If I ever get locked out I can get back in at /recovery.php! -->

Decoding the text gave a password: u?WtKSraq

Also, looking carefully at the page source, we get a link to assets/stego.jpg. The name of the image indicates that the challenge involves steganography. Since we already had a password, I downloaded the image and extracted the hidden data from it.

From the extracted creds.txt we find out that there is another image containing a steganography challenge. So I downloaded all the images on the site and tried extraction on each of them. The one that stood out was header.jpg, which contained credentials.

I tried to log in to SSH with those credentials and got an authentication error. But in the homepage source code there was a note left by Jack saying

<!--Note to self - If I ever get locked out I can get back in at /recovery.php! -->

Before running gobuster I decided to visit that URL, and boom, we get a login prompt.

I tested the credentials we had obtained and voila, we got in. Looking at the page source there was more base64-encoded text, but it was a rabbit hole, so I am not going to dive into that. After logging in we get a note implying that index.php is a “backdoor” which, when supplied with the right parameter, leads to code execution. Luckily the creator gave a clue to use cmd, and when I did that I got code execution.

But what if that parameter name were random? I’ll show you how to use wfuzz to fuzz for it. Wfuzz is really a great tool when it comes to web application fuzzing, actually one of my favourite tools; you can also use ZAP (zaproxy) or Burp Suite.

Remember to use a valid session cookie or the fuzzing will not work; the ‘-b’ flag specifies the cookie.

In the wfuzz results we can see that only the parameter cmd was an outlier, its response differing from all the others, and hence it was the correct parameter.
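Seen from the server side, the wfuzz run above leaves a clear trace: one client requesting the same path many times within a few seconds with a different query-parameter name each time, and every response identical except the one the application actually handled. As an added example (my code, not the author’s or TryHackMe’s), the script below finds that pattern in an Apache combined-format access log and reports the parameter names whose response size broke from the rest. The log lines, the client addresses and the parameter wordlist are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed parameter wordlist and access log (Apache "combined" format), not taken
# from the original post. 10.0.0.9 walks the wordlist against /index.php in a few
# seconds, which is what a wfuzz run looks like in the server log; 10.0.0.5 is
# ordinary traffic.
FUZZ_NAMES = ["id", "page", "file", "q", "search", "user", "name",
              "action", "view", "dir", "path", "cmd"]


def _line(ip, sec, target, size, ua):
    return (f'{ip} - - [02/Apr/2020:10:00:{sec:02d} +0000] '
            f'"GET {target} HTTP/1.1" 200 {size} "-" "{ua}"')


SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", 1, "/index.php", 1834, "Mozilla/5.0")]
    # every probe gets the unchanged page, except the one name the application handles
    + [_line("10.0.0.9", i + 2, f"/index.php?{n}=test",
             1850 if n == "cmd" else 1834, "Wfuzz/2.4")
       for i, n in enumerate(FUZZ_NAMES)]
    + [_line("10.0.0.5", 40, "/index.php?page=about", 1912, "Mozilla/5.0")]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m["target"].partition("?")
    params = [kv.split("=", 1)[0] for kv in query.split("&") if kv]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "params": params,
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def detect_param_fuzzing(log_text, threshold=10, window_seconds=60):
    """Flag (ip, path) pairs where one client tried >= threshold distinct query
    parameter names against one path within window_seconds. For each hit, also
    report the parameter names whose response size differed from the majority:
    those are the probes the application reacted to."""
    events = defaultdict(list)  # (ip, path) -> [(ts, param, size)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for p in rec["params"]:
            events[(rec["ip"], rec["path"])].append((rec["ts"], p, rec["size"]))
    findings = []
    for (ip, path), items in events.items():
        items.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(items)):  # sliding time window over ordered events
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({p for _, p, _ in items[start:end + 1]}))
        if best >= threshold:
            common_size = Counter(s for _, _, s in items).most_common(1)[0][0]
            outliers = sorted({p for _, p, s in items if s != common_size})
            findings.append((ip, path, best, outliers))
    return findings


if __name__ == "__main__":
    for ip, path, n, outliers in detect_param_fuzzing(SAMPLE_LOG):
        print(f"{ip} probed {n} parameter names on {path}; responses differed for {outliers}")
```

The size comparison is the defender’s mirror of the “outlier” the wfuzz output showed: in a burst of probes that all return the same page, the one response that differs is the request that reached live code and deserves the first look during triage.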

The next thing to do is get a shell on the box. For this step I’ll use Burp Suite: I intercepted a request and sent it to Repeater.

The web root was owned by root, so as www-data I could not drop a file there and execute it to get a shell. The world-writable folder is /dev/shm, so I decided to drop a bash reverse shell there.

I set up a listener on my box using netcat, then executed the bash reverse shell through Burp Suite.

And we get a shell

Now it’s time to enumerate the box

The home folder has an interesting file, “jacks_password_list”, that seems to contain passwords. I copied the file to my box and brute-forced SSH with it using hydra.

And we get a valid username and password combination.
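The hydra run only worked because a ready-made password list was lying around; from the defender’s side, every one of those guesses lands in sshd’s auth log. The following is an added example (not from the post) that parses a syslog-style auth.log, flags sources with a burst of failed logins, and marks the case worth paging someone for: an accepted login from the same source right after the burst. The log excerpt, hostname and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt (OpenSSH, syslog format), not taken from the
# post. 10.0.0.9 runs through a short password list against "jack" and gets in on the
# 7th attempt; 10.0.0.5 is a normal user who mistyped once and then used a key.
SAMPLE_AUTH_LOG = """\
Apr  2 10:15:01 jack sshd[2101]: Failed password for jack from 10.0.0.9 port 50210 ssh2
Apr  2 10:15:01 jack sshd[2103]: Failed password for jack from 10.0.0.9 port 50212 ssh2
Apr  2 10:15:02 jack sshd[2105]: Failed password for invalid user admin from 10.0.0.9 port 50214 ssh2
Apr  2 10:15:02 jack sshd[2107]: Failed password for jack from 10.0.0.9 port 50216 ssh2
Apr  2 10:15:03 jack sshd[2109]: Failed password for jack from 10.0.0.9 port 50218 ssh2
Apr  2 10:15:03 jack sshd[2111]: Failed password for jack from 10.0.0.9 port 50220 ssh2
Apr  2 10:15:04 jack sshd[2113]: Accepted password for jack from 10.0.0.9 port 50222 ssh2
Apr  2 10:20:00 jack sshd[2140]: Failed password for jack from 10.0.0.5 port 41000 ssh2
Apr  2 10:20:30 jack sshd[2142]: Accepted publickey for jack from 10.0.0.5 port 41002 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def parse_sshd_events(log_text):
    """Return {ip: [(timestamp, 'Failed'|'Accepted', user), ...]} in time order.
    Syslog lines carry no year, so the timestamps are only used for deltas."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["result"], m["user"]))
    for evs in events.values():
        evs.sort(key=lambda e: e[0])
    return events


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=300):
    """Flag every source IP with >= threshold failed logins inside window_seconds.
    success_after_failures marks the case that matters most for response: a
    successful login from the same source after the burst, meaning one of the
    guessed passwords was valid and the account should be treated as compromised."""
    findings = {}
    for ip, evs in parse_sshd_events(log_text).items():
        fails = [e for e in evs if e[1] == "Failed"]
        best = start = 0
        for end in range(len(fails)):  # densest window of failures
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        first_fail = fails[0][0]
        success_after = any(e[1] == "Accepted" and e[0] >= first_fail for e in evs)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e[2] for e in fails}),
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        flag = "CREDENTIAL GUESSED" if f["success_after_failures"] else "failed burst"
        print(f"{ip}: {f['failures']} failures against {f['users']} -> {flag}")
```

The threshold and window are deliberately low here so the short sample trips them; on a real host, tune them against normal traffic, and remember that the list of password files sitting in a home directory is the thing that made this guess cheap in the first place.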

Now we can log in via SSH and submit the user flag, since we are the user jack.

I uploaded linpeas, my favourite Linux privilege-escalation checker script, to look for privilege escalation vectors.

It shows that /usr/bin/strings can be executed with root privileges even though we are not the root user.
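The post does not say whether strings got its root privileges through the SUID bit or a sudo rule; GTFOBins documents both. The script below, an added example of mine rather than anything from the post or from linpeas, covers the SUID case: it walks the filesystem for SUID binaries, diffs them against a known-good baseline, and singles out the ones that print arbitrary files, since those hand every local user a root-level file read. The baseline, the observed list and the file-reader list are constructed and illustrative.

```python
import os
import stat

# Constructed baseline of SUID binaries expected on a minimal Debian-style host; in
# practice capture it from a known-good image with: find / -perm -4000 -type f
# (illustrative list, not from the original post)
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
}

# Programs that print the contents of whatever file they are given; with SUID root
# they give every local user a root-level file read (the GTFOBins "file read"
# category). Illustrative subset, not exhaustive.
FILE_READ_CAPABLE = {"strings", "cat", "less", "more", "head", "tail", "xxd", "base64"}


def scan_suid(root="/"):
    """Walk root and return the sorted paths of regular files with the SUID bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):  # skip virtual filesystems
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def classify_suid(observed, expected=EXPECTED_SUID):
    """Return (unexpected, file_readers): SUID paths absent from the baseline, and
    the subset of those whose program is a known file reader."""
    unexpected = sorted(set(observed) - set(expected))
    file_readers = [p for p in unexpected if os.path.basename(p) in FILE_READ_CAPABLE]
    return unexpected, file_readers


# Constructed result of the same scan on a box like the one in the post.
SAMPLE_OBSERVED = sorted(EXPECTED_SUID | {"/usr/bin/strings", "/usr/local/bin/backup"})


if __name__ == "__main__":
    unexpected, readers = classify_suid(scan_suid("/"))
    for p in unexpected:
        note = "  <- arbitrary file read as root" if p in readers else ""
        print(f"unexpected SUID binary: {p}{note}")
```

Anything in the file-reader list should simply lose the bit (chmod u-s), and the same baseline diff catches the sudo variant if you feed it the binaries named in sudoers instead of a filesystem walk. For the earlier /dev/shm step, the matching hardening is mounting world-writable temp locations with noexec, which stops a dropped script from being executed in place.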

I’ll use one method just to get the root flag; in the second method we’ll view the shadow file, copy the root password hash and potentially crack it using hashcat.

METHOD 1

I used the GTFOBins file-read command for strings to read the root flag. And boom, we get the root flag of the box.

METHOD 2

I used the GTFOBins file-read command to read the contents of /etc/shadow.

We see that the root password hash is sha512crypt ($6$, “SHA512 (Unix)” in hashcat terms). If the password isn’t strong enough we could potentially crack it using hashcat, but I am not going to do that since we already have the root flag. If you do manage to crack the hash, you can log in through SSH or use the su command in Linux.
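Method 2 ends on the point that a $6$ hash only falls if the password behind it is weak. The check a defender would run on the same file, as an added example written for this post (my code, not the author’s), parses /etc/shadow, identifies each hash algorithm from its prefix, and flags accounts with no password at all, fast legacy hashes, or reduced rounds. The shadow excerpt is constructed and its hash bodies are placeholders, not real digests.

```python
import re

# Constructed /etc/shadow excerpt, not from the original post. The hash bodies are
# placeholders, not real digests; only the "$id$" prefixes matter here.
SAMPLE_SHADOW = """\
root:$6$c0nstructed$PLACEHOLDERHASH:18354:0:99999:7:::
daemon:*:18354:0:99999:7:::
jack:$6$c0nstructed$ANOTHERPLACEHOLDER:18354:0:99999:7:::
legacy:$1$c0nstr$MD5PLACEHOLDER:18354:0:99999:7:::
svc:!$6$c0nstructed$LOCKEDPLACEHOLDER:18354:0:99999:7:::
guest::18354:0:99999:7:::
"""

# crypt(3) hash identifiers as they appear in the shadow password field
ALGO_BY_PREFIX = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}
WEAK_ALGOS = {"md5crypt", "descrypt"}  # cheap to attack offline with hashcat-style tools
ROUNDS_RE = re.compile(r"^\$[^$]+\$rounds=(\d+)\$")


def classify_hash(field):
    """Return (status, algorithm, rounds) for one shadow password field.
    status is 'empty' (no password at all), 'locked' (leading ! or *) or 'active'."""
    if field == "":
        return ("empty", None, None)
    locked = field[0] in "!*"
    body = field.lstrip("!*")
    if body == "":
        return ("locked", None, None)
    status = "locked" if locked else "active"
    for prefix, algo in ALGO_BY_PREFIX.items():
        if body.startswith(prefix):
            m = ROUNDS_RE.match(body)  # rounds= only appears when non-default (5000)
            return (status, algo, int(m.group(1)) if m else None)
    if len(body) == 13 and "$" not in body:  # traditional DES crypt
        return (status, "descrypt", None)
    return (status, "unknown", None)


def audit_shadow(text):
    """Return [(user, severity, message)] for accounts whose password field weakens
    the box: no password at all, a fast legacy hash, or too few rounds."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw = line.split(":")[:2]
        status, algo, rounds = classify_hash(pw)
        if status == "empty":
            findings.append((user, "critical", "empty password field; account can log in with no password"))
        elif status == "active" and algo in WEAK_ALGOS:
            findings.append((user, "high", f"{algo} hash is fast to crack offline; rehash with yescrypt or sha512crypt"))
        elif status == "active" and rounds is not None and rounds < 5000:
            findings.append((user, "medium", f"{algo} with only {rounds} rounds"))
        elif status == "active" and user == "root":
            findings.append((user, "info", f"root has an active {algo} hash; if it leaks, only password strength protects su/SSH as root"))
    return findings


if __name__ == "__main__":
    for user, severity, message in audit_shadow(SAMPLE_SHADOW):
        print(f"[{severity}] {user}: {message}")
```

The root finding is informational on purpose: sha512crypt is fine, and the real controls are a long password, PermitRootLogin no in sshd_config so a cracked hash cannot be used remotely, and not letting a SUID file reader expose the shadow file in the first place.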

Written by Musyoka Ian, Penetration Tester/Analytical Chemist who loves cybersecurity. GitHub: https://github.com/musyoka101, ExploitDB: https://www.exploit-db.com/?author=10517