Jack-of-All-Trades


Last updated 3 years ago


Scanning

Let's run an nmap scan to find open ports and services. Note that the services on this box are swapped: a web server is listening on port 22 and SSH on port 80. That matters both for the browser in a moment and for hydra later on.

Enumeration

Let's visit the website on port 22. Firefox refuses to load it, because 22 is on its list of banned ports.

We can bypass this by going to about:config and searching for network.security.ports.banned.override.

Delete the current entry, add a new one of type String, and set its value to 22.

Now let's visit the site on port 22 again.

We have a web page, and the text on it gives us a username: Jack. Let's run a gobuster scan in the background while we explore the page.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.182.211:22/

Nothing of interest turns up.

Let's look at the page source instead.

The source refers to a page called /recovery.php and contains an encoded string. Decoding the string with CyberChef gives us a password and a mention of someone called Johny Graves; let's Google who this guy is.

We find his Twitter account and an interesting post about his favourite crypto method.

Now let's look at the recovery page we found.

It's a password recovery tool; let's look at its source code as well.

We have another encoded string. Let's try decoding it with the method described in the Twitter post.
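Both strings on this box (the one decoded with CyberChef and this one) are just a recipe of reversible encodings applied in order. As an added example that is not part of the original writeup, here is a small offline stand-in for a CyberChef recipe: it applies a chain of strict decoders, and reports which encodings a blob could be so you can pick the next step when the chain is unknown. The sample string and its three-step chain are constructed for this demo; the room's real strings and Johny Graves's exact method are not reproduced here.

```python
"""
Layered decoder for CTF strings: a small offline stand-in for a CyberChef recipe.

Added example, not code from the original writeup. SAMPLE below is CONSTRUCTED
for this demo; the room's real strings and the exact chain from the Twitter post
are not reproduced.
"""
import base64
import codecs


def _rot13(data: bytes) -> bytes:
    # ROT13 only touches A-Z/a-z and is its own inverse, so one function
    # serves as both the encoder and the decoder.
    return codecs.encode(data.decode("ascii"), "rot_13").encode("ascii")


# name -> (decode, encode). The decoders are strict on purpose: garbage input
# raises instead of being silently turned into more garbage.
CODECS = {
    "hex": (lambda b: bytes.fromhex(b.decode("ascii")), lambda b: b.hex().encode("ascii")),
    "base64": (lambda b: base64.b64decode(b, validate=True), base64.b64encode),
    "base32": (base64.b32decode, base64.b32encode),
    "rot13": (_rot13, _rot13),
}


def decode_chain(data: bytes, recipe: list[str]) -> bytes:
    """Apply the decoders in `recipe` in order, e.g. ["hex", "rot13", "base32"]."""
    for step in recipe:
        data = CODECS[step][0](data)
    return data


def encode_chain(data: bytes, recipe: list[str]) -> bytes:
    """Apply the encoders in order; decode_chain with the reversed recipe inverts it."""
    for step in recipe:
        data = CODECS[step][1](data)
    return data


def possible_encodings(data: bytes) -> list[str]:
    """Names of the strict decoders that accept this blob without error.

    rot13 is left out because it accepts any ASCII and so tells you nothing.
    Use this to choose the next step when the chain is not known in advance.
    """
    hits = []
    for name, (decode, _) in CODECS.items():
        if name == "rot13":
            continue
        try:
            decode(data)
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue
        hits.append(name)
    return sorted(hits)


# Constructed sample: a hint a challenge author might hide, wrapped as
# base32 -> rot13 -> hex. Decoding therefore runs hex -> rot13 -> base32.
PLAINTEXT = b"Remember: the password is on the home page"
ENCODE_RECIPE = ["base32", "rot13", "hex"]
DECODE_RECIPE = ENCODE_RECIPE[::-1]
SAMPLE = encode_chain(PLAINTEXT, ENCODE_RECIPE)

if __name__ == "__main__":
    print("encoded   :", SAMPLE.decode())
    print("looks like:", possible_encodings(SAMPLE))
    print("decoded   :", decode_chain(SAMPLE, DECODE_RECIPE).decode())
```

The strictness is the point: base64 with validate=True and the default strict base32 decoder raise on bad input rather than returning bytes that look like progress, which is the usual trap when guessing a chain by hand. A hex blob of the right length is also valid base64, which is why possible_encodings reports both and you still have to look at the output of each candidate step.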

Let's visit the bit.ly link we got.

It's a dinosaur page. Let's go to the home page, since the decoded message says his password is there.

We have the same dinosaur image. His password might be hidden in it, so let's look for steganographically embedded data. First, download the image to our machine.

Looking at the source, we find the link to the image.

Let's download the image.

Let's use steghide to look for hidden files. It asks for a passphrase; we can use the password we found when we decoded the first string. Running steghide's info mode on the file first tells you whether it carries embedded data at all, which saves guessing passphrases against a clean image.

Let's read the extracted file.

Damn, that's not what we need. Let's download the other image and repeat the extraction.

We get another file; let's check it out.

It contains the username and the password, so let's log in on the recovery page.

Exploitation

Let's run a command through the cmd parameter.

Our commands work, so we have remote code execution on the machine. Let's browse the filesystem for interesting files.

We find an interesting file; let's read it.

It's a list of passwords. Let's copy them to our machine as passwords.txt. One of them is probably Jack's, so let's use hydra to find the right one for SSH. Remember that SSH is not on its default port on this box (the nmap scan showed it on 80), so hydra has to be pointed at that port or it will hammer the web server instead.

First let's save the passwords.

Now let's run hydra.

We have the password; let's log in through SSH.

After logging in we find an image; let's download it to our machine.

Let's open the file and see what it says.

We have the user flag.

Privilege Escalation

We don't have sudo permissions, so let's look at the SUID binaries instead.

/usr/bin/strings is interesting. GTFOBins lists it: when strings is SUID, it reads any file with the owner's privileges.

Since we can run strings on any file we want, let's run it on /root/root.txt.
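Checking one SUID binary against GTFOBins by hand is fine here, but on a real box you want the whole list triaged rather than eyeballed. As an added example that is not part of the original writeup, this script takes the output of `find / -perm -4000 -type f 2>/dev/null` and sorts each binary into expected system SUIDs, known GTFOBins abuses (a hand-picked subset, with the primitive each one gives you, such as file read or shell), and leftovers to review. The find output is constructed for the demo; only /usr/bin/strings is taken from the writeup.

```python
"""
SUID triage against a hand-picked GTFOBins subset.

Added example, not code from the original writeup. Feed it the output of
    find / -perm -4000 -type f 2>/dev/null
copied from the target. SAMPLE_FIND_OUTPUT below is CONSTRUCTED for the demo.
"""
import os

# SUID binaries that are normally present on a Debian/Ubuntu install. They are
# noise, not findings (a vulnerable version is a separate check).
EXPECTED = {
    "passwd", "sudo", "su", "mount", "umount", "ping", "ping6", "chsh", "chfn",
    "newgrp", "gpasswd", "pkexec", "fusermount", "chage", "expiry", "ssh-keysign",
}

# Hand-picked subset of GTFOBins SUID entries: binary -> what it gives you as root.
GTFOBINS = {
    "strings": "file read: strings /root/root.txt",
    "less": "file read: less /root/root.txt",
    "vim": "file read: vim /root/root.txt (plus python/lua shell escapes if compiled in)",
    "find": "shell: find . -exec /bin/sh -p \\; -quit",
    "bash": "shell: bash -p",
    "env": "shell: env /bin/sh -p",
    "python": "shell: python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
    "cp": "file write: copy a crafted passwd/shadow over /etc/passwd or /etc/shadow",
}


def _strip_version(name: str) -> str:
    # python3.6, perl5.26 and friends should still match their GTFOBins entry.
    return name.rstrip("0123456789.")


def triage(find_output: str) -> dict[str, list]:
    """Bucket each SUID path: exploitable -> (path, hint), expected -> path, review -> path."""
    buckets: dict[str, list] = {"exploitable": [], "expected": [], "review": []}
    for line in find_output.splitlines():
        path = line.strip()
        if not path:
            continue
        name = os.path.basename(path)
        base = _strip_version(name)
        if base in GTFOBINS:
            buckets["exploitable"].append((path, GTFOBINS[base]))
        elif name in EXPECTED or base in EXPECTED:
            buckets["expected"].append(path)
        else:
            # Unknown SUID binary: custom or third-party, worth reading or reversing.
            buckets["review"].append(path)
    return buckets


# Constructed find(1) output: a plausible Debian box with one odd SUID (strings)
# and one custom binary.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/strings
/usr/bin/newgrp
/bin/mount
/bin/umount
/bin/ping
/usr/lib/openssh/ssh-keysign
/usr/local/bin/backup-helper
"""

if __name__ == "__main__":
    result = triage(SAMPLE_FIND_OUTPUT)
    for path, hint in result["exploitable"]:
        print(f"[!] {path}: {hint}")
    for path in result["review"]:
        print(f"[?] {path}: not a standard SUID binary, review it")
    print(f"[ ] {len(result['expected'])} expected system SUID binaries ignored")
```

The review bucket is where the real findings on a hardened target usually sit: a custom SUID helper nobody documented is more common than a stray SUID strings, and no lookup table will flag it for you.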

We have the root flag.

Tools used: CyberChef, to decode the encoded string found in the page source next to the reference to /recovery.php, and GTFOBins, to look up what a SUID /usr/bin/strings can be abused for.