Jack of All Trades
I found this room really interesting and easy. It involves many things, such as encoding and decoding and steganography, and what I liked most was the way it gives you the feeling of solving a mystery. So, let's begin and get the flags!
The first thing we can do is run an nmap scan against the deployed machine's IP address.
Here, we can see that two ports are open: 22 and 80, but there's a catch. Normally port 22 is used for SSH and port 80 for HTTP, but here the services have been swapped: HTTP is running on port 22 and SSH on port 80. So, in order to access the webpage, which we would otherwise do on port 80, we need to send the request to port 22.
But when we try to access the webpage using the address <machine_ip>:22, we get this error:
Firefox refuses to connect to a set of ports it reserves for other services, and 22 is one of them, so the port has to be explicitly allowed. To resolve this issue, do the following:
1. In the URL bar, enter about:config.
2. In the search bar, enter network.security.ports.banned.override.
3. Select type String and click on the + sign to add it.
4. Enter the port number 22.
After configuration, it should look like:
Now, we can again try to access the page at port 22 and it works!
Reading through the article suggests that we might find hidden hints at every step, as Jack keeps notes for himself because he is old and forgets things. Keeping that in mind, the best place to look for hints on a webpage is its source code. So, we can open the source code of the homepage straight away to see if we can find something.
Remember to wish XXXXX XXXXXX well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: XXXXXXXXXX
We can now visit the page that is also mentioned in the comment and see if this password works there.
It appears that we can access the machine if we log in through this page, but we don't know the username. We can check this page's source code for any kind of hidden note left by Jack.
Decoding this string involves multiple steps: first Base32 decoding, then converting from hex, and finally a ROT13 operation to get the final output.
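The same three-layer chain implemented in Python, as an added example that is not part of the original writeup. The input is a constructed sample string, not the note from the room, and encode_hint is a helper that exists only to build that sample:

```python
import base64
import codecs


def encode_hint(plaintext: str) -> str:
    """Layer a note the way the hidden string was built: ROT13, then hex, then Base32.
    Helper for constructing a sample only; the room's own blob is not reproduced here."""
    rotated = codecs.encode(plaintext, "rot_13")
    hexed = rotated.encode("ascii").hex()
    return base64.b32encode(hexed.encode("ascii")).decode("ascii")


def decode_hint(blob: str) -> str:
    """Undo the three layers in reverse order: Base32 -> hex -> ROT13.
    casefold=True tolerates lower-case Base32 copied from a page, and the padding
    is restored because copy-pasted blobs often lose their trailing '=' characters."""
    cleaned = "".join(blob.split())
    cleaned += "=" * (-len(cleaned) % 8)
    hexed = base64.b32decode(cleaned, casefold=True).decode("ascii")
    rotated = bytes.fromhex(hexed).decode("ascii")
    return codecs.decode(rotated, "rot_13")


# Constructed sample hint; any text works, this is not the room's real note.
SAMPLE_HINT = "hidden note: see the dinosaur image"
SAMPLE_BLOB = encode_hint(SAMPLE_HINT)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    print(decode_hint(SAMPLE_BLOB))
```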
Here, we can see that a shortened URL is provided which we can visit.
The shortened URL leads us to a Wikipedia page about Stegosauria (a type of dinosaur). Now, this appears to be a bit suspicious. Jack likes dinosaurs and there is an image of a dinosaur on the homepage as well. Also, there are many types of dinosaur, but the link stored in the encoded data was for STEGOsauria, which hints at steganography. So there might be some data hidden in the dinosaur image on the homepage. We can download it and run steghide on it with the password that we obtained from the encoded data on the homepage.
And it appears that it was a trap for us. But it also says that this image is the wrong one, so maybe we need to do the same with some other image. On the homepage there are three images: the first one at the top of the page, the dinosaur as the second one, and a third one at the end of the page. We can start with the first image, for which we download it and again run steghide over it.
So, now we have the credentials for the hidden page through which we can access the machine. Once we log in on the page, there is nothing except a note saying:
GET me a 'cmd' and I'll run it for you Future-Jack.
This hints that we need to pass the command as a parameter in the URL itself. We can try this by passing a few basic Linux commands like whoami and pwd.
http://10.10.137.227:22/XXXXXXXX/ZZZZZ.php?cmd=whoami
GET me a 'cmd' and I'll run it for you Future-Jack. www-data www-data
http://10.10.137.227:22/XXXXXXXX/ZZZZZ.php?cmd=uname
GET me a 'cmd' and I'll run it for you Future-Jack. Linux Linux
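Requests like the two above are exactly what the web server's access log records, which is where a defender would spot this. As an added example that is not part of the original writeup, a small detector over constructed Apache-style log lines that reports every request carrying a cmd parameter and raises the severity when the decoded value contains shell metacharacters or interpreter names:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; hosts, paths and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:10:00:07 +0000] "GET /hidden/run.php?cmd=whoami HTTP/1.1" 200 41
10.0.0.9 - - [10/Oct/2023:10:00:12 +0000] "GET /hidden/run.php?cmd=uname%20-a%3Bid HTTP/1.1" 200 90
10.0.0.9 - - [10/Oct/2023:10:00:20 +0000] "GET /hidden/run.php?cmd=uname HTTP/1.1" 200 40
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# Query parameter names that the vulnerable page on this box used to take a command.
CMD_PARAMS = {"cmd"}
# Shell metacharacters and interpreter names whose presence in a command parameter is alerted on.
SUSPICIOUS = re.compile(r"[;|&`$()<>]|\b(sh|bash|nc|php|python|fsockopen)\b")


def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose command parameter looks like shell input."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query)
        for name in CMD_PARAMS.intersection(params):
            for value in params[name]:
                # parse_qs already percent-decodes once; a second unquote catches double-encoded input.
                decoded = unquote(value)
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "param": name, "value": decoded,
                    "severity": "high" if SUSPICIOUS.search(decoded) else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```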
The payload that I am using is:
The final request would look something like:
Remember to start a listener on the local machine using the command nc -nvlp 4242 before sending the request to the target machine. As soon as the request is processed, we get our remote shell:
We can explore the /home directory to look for the users present on the machine:
Here, we can see that there is only one user, jack, on the machine. Along with that we can see a file named jacks_password_list which contains a list of random strings. From the file name we can assume that one of those strings is the password to jack's account. But we can't try each password by hand, so we can use Hydra to brute force them. To do so, we need to copy the contents of jacks_password_list into a file on our attacking machine which we can pass to Hydra.
In the first attempt, Hydra is not able to connect to the target machine and returns a Socket Error. This is because Hydra does not know about the swapped service ports on the target machine and tries SSH on its default port. So, we can make Hydra perform the SSH brute force attack on port 80 by changing the command as:
In the request, ssh:// tells Hydra that we are brute forcing the SSH service and the trailing :80 tells it to perform the brute force on port 80.
Now that we have jack's credentials, we can SSH into his account. Keep in mind to specify port 80 when logging in via SSH.
The first thing we can do now is go to jack's home directory and obtain the user flag.
But it appears that instead of a text file, the flag is stored in an image. So, we need to start a Python HTTP server on the target machine and use wget on our attacker machine to download the image file.
Target Machine:
Attacker Machine:
Now, we can open the image in an image viewer and get the flag easily.
Now that we have the user flag, our next task is to escalate our privileges to root and obtain the root flag. The first thing we can check is sudo -l:
It appears that poor jack is not allowed to run any commands with sudo. We can also check /etc/crontab:
But even here we don't find anything suspicious. The next thing we can check is the files that have the SUID bit set:
The basic idea of the SUID bit is that we can run these binaries with the privilege level of their owner. Of all these, strings stands out as unusual, and it can be used to read the file stored in /root. So, we can use it directly:
There we go! We got the root flag as well. And with this we completed the room!
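A defender's counterpart to the SUID check above, as an added example that is not part of the writeup: walk the filesystem, list regular files with the setuid bit, and report those not on an allowlist, which is how a SUID copy of strings like the one this box relied on would be caught. The allowlist is an assumption for the example, and demo builds a constructed sample tree in a temporary directory:

```python
import os
import stat
import tempfile
from pathlib import Path

# Names that are SUID on a typical Ubuntu install; anything else is reported.
# This allowlist is an assumption for the example, not taken from the room.
EXPECTED_SUID = {"sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
                 "mount", "umount", "pkexec", "fusermount", "ping"}


def find_suid(root: str) -> list[str]:
    """Walk root and return the sorted paths of regular files with the setuid bit set."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == "/":  # pseudo filesystems hold no real binaries, skip them
            dirnames[:] = [d for d in dirnames if d not in ("proc", "sys", "dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(paths: list[str], expected=EXPECTED_SUID) -> list[str]:
    """Return the SUID files whose basename is not on the allowlist (e.g. a SUID strings)."""
    return [p for p in paths if Path(p).name not in expected]


def mark_suid(path: str) -> None:
    """Set the setuid bit on a file you own; used only to build the sample tree."""
    os.chmod(path, os.stat(path).st_mode | stat.S_ISUID)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed sample tree in a temp dir and audit it."""
    base = tempfile.mkdtemp()
    for name in ("strings", "passwd", "notes.txt"):
        open(os.path.join(base, name), "w").close()
    mark_suid(os.path.join(base, "strings"))
    mark_suid(os.path.join(base, "passwd"))
    found = find_suid(base)
    return [Path(p).name for p in found], [Path(p).name for p in unexpected_suid(found)]


if __name__ == "__main__":
    print(demo())
```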
Always check the services running on the ports properly, as they might be jumbled.
If required, change the browser configuration to access the HTTP service hosted on another standard port.
If python3 does not work, then use python to start the server.
Look for odd files with the SUID bit set which can be used for our task either directly or indirectly.
On the homepage comment: the string in the note appears to be Base64 encoded, so we can go to CyberChef and decode it:
On the hidden note in the login page's source: again, it appears to be some sort of encoded string, which we can try to decode in CyberChef.
On the cmd parameter: running these commands confirms that we can perform command injection here. With its help we can get a reverse shell on the target machine using one of the reverse shell payloads referenced below. We will use a PHP payload as we are passing the parameter to a PHP page. Also, before passing the payload in the URL, we can URL-encode it.
TryHackMe - Jack of All Trades
CyberChef
Reverse Shell Payloads