Jack-of-All-Trades
Scanning
Let's run nmap scans to find open ports and services.
Enumeration
Let's visit the website on port 22.
Firefox blocks connections to port 22 by default, so we have to bypass this: go to about:config
and search for network.security.ports.banned.override.
Delete the current entry, add a new one with the String option, and type in port 22.
Now let's visit the site on port 22 again.
We have a web page, and we also have a username: Jack.
Let's run a gobuster scan while we explore the web page.
We get nothing of interest.
Let's look at the source code.
OK, so we have a page called /recovery.php and an encoded string. Let's decode the string using CyberChef.
Looks like we have a password and someone called Johny Graves. Let's search Google to find out who this guy is.
Found his Twitter account and an interesting post about his favourite crypto method.
Now let's look at the recovery page we found.
It's a password recovery tool. Let's look at its source code.
We have another string. Let's try decoding it using the method from the Twitter post.
Let's visit the bit.ly link.
It's a dinosaur page. Let's go to the home page, since his password is there.
We see the same dinosaur image, so his password might be hidden inside it. Let's use steganography tools
to look for hidden information in this image; first, let's download the image to our machine.
Looking at the source, we can find the link to the image.
Let's download the image.
Let's use steghide to look for hidden files. It asks for a password; we can use the one we found when we decoded the first string.
Let's read this file.
Damn. Let's download the other image.
We have another file. Let's check it out.
We have the username and the password. Let's log in on the recovery page.
Exploitation
Let's run a command using the cmd parameter.
Our commands are working: we have Remote Code Execution on the machine. Let's navigate through the file system and look for interesting files.
We have an interesting file. Let's read it.
It's a list of passwords. Let's copy them to our machine and save the file as passwords.txt.
One of these might be Jack's password, so let's use hydra to find the right one for logging in over SSH.
First let's save the passwords.
Now let's run hydra.
We have the password. Let's log in through SSH.
Let's download this image to our machine.
Let's open the file and see what it says.
We have the user flag.
Privilege Escalation
We do not have sudo permissions, so let's look at the SUID files.
/usr/bin/strings is interesting.
Let's get more information about this on GTFOBins.
Looks like we can run the strings command on any file we want, so let's run it on /root/root.txt.
We have the root flag.
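The root of this privilege escalation is a SUID bit on a binary that has no business carrying one. The routine hardening check for that is to compare the SUID binaries on a host against a known-good baseline and flag the extras. The script below is an added example, not code from the original writeup or from GTFOBins: the baseline set is illustrative (assumed to be typical of a stock Debian/Ubuntu install, but in practice you would generate it from a clean image of the same build), and the sample entries are constructed, with /usr/bin/strings included to mirror the finding above.

```python
"""Flag SUID binaries that are not on a known-good baseline (added example).

audit_suid() works on (path, mode) pairs so it can be unit-tested on constructed
data; walk_modes() feeds it real filesystem entries when run on a host.
"""
import os
import stat

# Illustrative baseline (assumption): SUID binaries a stock Debian/Ubuntu system
# normally carries. Generate the real list from a clean host of the same image.
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount",
}


def is_suid(mode):
    """True for a regular file with the set-user-ID bit set (directories and
    symlinks are ignored even if the bit happens to be present)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def audit_suid(entries, baseline=BASELINE_SUID):
    """entries: iterable of (path, st_mode). Returns the sorted paths of SUID
    files that are not in the baseline, i.e. the ones to investigate."""
    return sorted(path for path, mode in entries if is_suid(mode) and path not in baseline)


def walk_modes(roots=("/usr", "/bin", "/sbin")):
    """Yield (path, st_mode) for every file under roots, not following symlinks."""
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path).st_mode
                except OSError:
                    continue  # vanished or unreadable entry; skip rather than abort


# Constructed sample modes: 0o104755 is a regular file, SUID, rwxr-xr-x;
# 0o100755 is the same file without the SUID bit.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),     # expected, on the baseline
    ("/usr/bin/sudo", 0o104755),       # expected, on the baseline
    ("/usr/bin/strings", 0o104755),    # the unexpected one from this box
    ("/usr/bin/ls", 0o100755),         # not SUID at all
    ("/usr/bin/backup.sh", 0o104755),  # constructed second unexpected entry
]

if __name__ == "__main__":
    print("sample:", audit_suid(SAMPLE_ENTRIES))
    for path in audit_suid(walk_modes()):
        print("unexpected SUID:", path)
```

Anything the audit reports is either a deliberate local customisation that belongs in the baseline or a finding to remove with chmod u-s; a binary like strings, which reads arbitrary files by design, is exactly the kind that should never be SUID root. Running this from a file-integrity or configuration-management job catches the bit being set after the fact, which a one-off review would miss.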