Jack-of-All-Trades

Scanning

Let's run nmap scans to find open ports and services.

Enumeration

Let's visit the website on port 22.

Firefox blocks this port by default. We can bypass the block by going to about:config and searching for network.security.ports.banned.override.

Now delete the current entry, add a new one with the String option, and type in port 22.

Now let's visit the site on port 22 again.

We have a web page. We also have a username, Jack. Let's run a gobuster scan while we explore the web page.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.182.211:22/

We get nothing of interest.

Let's look at the source code.

OK, so we have a web page called /recovery.php and a string. Let's decode the string using CyberChef.

Looks like we have a password and someone called Johny Graves. Let's check on Google who this guy is.

Found his Twitter and an interesting post about his favourite crypto method.

Let's now look at the recovery page we found.

It's a password recovery tool. Let's look at the source code.

We have another string. Let's try using the method we found in the Twitter post.

Let's visit the bit.ly link.

It's a dinosaur page. Let's go to the home page, as his password is there.

We have the same dinosaur; his password might be hidden in this image. Let's use steganography to find hidden information in it, but first let's download the image to our machine.

Looking at the source, we can find the link to the image.

Let's download the image.

Let's use steghide to extract hidden files. It asks for a password; we can use the one we found when we decoded the first string.

Let's read this file.

Damn. Let's download the other image.

We have another file. Let's check it out.

We have the username and the password. Let's log in on the recovery page.

Exploitation

Let's run a command using the cmd parameter.

Our commands are working, so we have Remote Code Execution on the machine. Let's navigate through the machine and look for interesting files.

We have an interesting file. Let's read it.

It's a list of passwords. Let's copy them onto our machine and name the file passwords.txt. One of these might be Jack's password, so let's use hydra to find the right one for logging in over SSH.

First, let's save the passwords.

Now let's use hydra.

We have the password. Let's log in through SSH.

Let's download this image to our machine.

Let's open the file and see what it says.

We have the user flag.

Privilege Escalation

We do not have sudo permissions, so let's look at the SUID files.

/usr/bin/strings is interesting.

Let's get more information about this on GTFOBins.

Looks like we can run the strings command on any file we want, so let's run it on /root/root.txt.
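As an added defensive note (example code written for this write-up, not part of the original room or its tooling): the root flag is readable here only because a binary that should never carry the SUID bit does. A baseline check like the one below, which diffs the live SUID list against a known-good list (the baseline and the sample list are constructed for illustration), catches that kind of drift before anyone gets to the GTFOBins step.

```shell
#!/bin/sh
# Added example: audit SUID binaries against a known-good baseline so an
# unexpected SUID bit (like the one on /usr/bin/strings in this room) is
# flagged by the defender instead of found by an attacker.

# Constructed baseline: SUID binaries a stock Debian/Ubuntu host is expected
# to carry. In practice, generate this from a freshly provisioned trusted image.
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/umount"

# Read one path per line from stdin and print every path that is NOT in the
# baseline. Returns 1 if at least one unexpected entry was found, else 0.
flag_unexpected_suid() {
    _found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
            _found=1
        fi
    done
    return "$_found"
}

# Collect the live SUID list the same way the write-up does, then diff it.
# Needs permission to walk the filesystem; not invoked in the test below.
audit_live_host() {
    find / -xdev -type f -perm -4000 2>/dev/null | sort | flag_unexpected_suid
}

# Constructed sample of what `find / -perm -4000` might return on the room's box.
SAMPLE_SUID_LIST="/usr/bin/passwd
/usr/bin/strings
/usr/bin/sudo
/usr/bin/su"
```

Running `audit_live_host` from cron and alerting on a non-zero exit gives a cheap tripwire for the exact misconfiguration this room relies on.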

We have the root flag.
