# Jack-of-All-Trades

![](/files/-McuBraVpZmSim70sH5H)

## Scanning

Let's run nmap scans to find open ports and services.

![](/files/-McuDHl7IeDl9lvSMlq2)

## Enumeration

Let's visit the website on port 22.

![](/files/-McuE8qiMG41P092tJEu)

We have to bypass this, which we can do by going to `about:config` and searching for `network.security.ports.banned.override`.

![](/files/-McuEXzcDjj8KNZr4mKg)

Now delete the current entry, add a new one with the String option, and enter port 22 as its value.

![](/files/-McuF7aFDPObhhN8mPZT)

Now let's visit the site on port 22 again.

![](/files/-McuFMrsYxOjx6NeBdk4)

We have a web page. We also have a username, `Jack`. Let's run a gobuster scan while we explore the web page.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.182.211:22/
```

![](/files/-McuNciGJGIm2lMZ-Unt)

We get nothing of interest.

Let's look at the source code.

![](/files/-McuFqQQoMUZPxKa8K20)

OK, so we have a web page called `/recovery.php` and a string. Let's decode the string using [CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64\('A-Za-z0-9%2B/%3D',true\)\&input=VW1WdFpXMWlaWElnZEc4Z2QybHphQ0JLYjJodWVTQkhjbUYyWlhNZ2QyVnNiQ0IzYVhSb0lHaHBjeUJqY25sd2RHOGdhbTlpYUhWdWRHbHVaeUVnU0dseklHVnVZMjlrYVc1bklITjVjM1JsYlhNZ1lYSmxJR0Z0WVhwcGJtY2hJRUZzYzI4Z1oyOTBkR0VnY21WdFpXMWlaWElnZVc5MWNpQndZWE56ZDI5eVpEb2dkVDlYZEV0VGNtRnhDZw).

![](/files/-McuG3TNPnkNFwqias8Y)

Looks like we have a password and someone called `Johny Graves`. Let's check on Google who this guy is.

![](/files/-McuHt_J12k2e9awJEIk)

We found his Twitter account and an interesting post about his favorite `crypto` method.

Let's now look at the recovery page we found.

![](/files/-McuINCIgjM7gEQm5Uki)

It's a password recovery tool. Let's look at the source code.

![](/files/-McuIY4Ojzxloy9_BrZt)

We have another string. Let's try decoding it with the method we found in the Twitter post.

![](/files/-McuJ7Cngr1VDweF4kbx)

Let's visit the bit.ly link.

![](/files/-McuJL0kE9mrZltgQYb6)

It's a dinosaur page. Let's go to the home page, as his password is there.

![](/files/-McuJV9nn9ow6UOZWHrr)

We have the same dinosaur, so his password might be hidden in this image. Let's use `steganography` tools to look for hidden information in it. First, let's download the image to our machine.

Looking at the source, we can find the link to the image.

![](/files/-McuJoftpP-S7skAI3q-)

Let's download the image.

![](/files/-McuJuTvQ5LNZ8wKBSO4)

Let's use `steghide` to find hidden files. It asks for a password; we can use the one we found when we decoded the first string.

![](/files/-McuKNEwALiHiSb1Ejtj)

Let's read this file.

![](/files/-McuKSG-BEC0pxToAQ5m)

Damn, let's download the other image.

![](/files/-McuKehLOkXtuyG59NyP)

![](/files/-McuKq3G4ck_Gff0D3a2)

We have another file. Let's check it out.

![](/files/-McuL-o6eTKv_EKmo3Mi)

We have the username and the password. Let's log in on the recovery page.

![](/files/-McuLbi1nqQhGean-MbO)

## Exploitation

Let's run a command using the `cmd` parameter.

![](/files/-McuLrign6VHUaraVjo5)

Our commands are working, so we have Remote Code Execution on the machine. Let's navigate through the machine and look for interesting files.

![](/files/-McuMFqUgFT4Rx6eDIcW)

We have an interesting file. Let's read it.

![](/files/-McuMYDQznVHdrXL0dj1)

It's a list of passwords. Let's copy them onto our machine and name the file `passwords.txt`. One of these might be Jack's password, so let's use `hydra` to find the right password for logging in over SSH.

First, let's save the passwords.

![](/files/-McuMzoy-o4Dw6eLHULr)

Now let's use hydra.

![](/files/-McuNDpFjiqh5GtJ-fuF)

We have the password. Let's log in through SSH.

![](/files/-McuOJghrCdCsQjnf6AA)

Let's download this image to our machine.

![](/files/-McuOP6vJDqxBlBkv2ho)

Let's open the file and see what it says.

![](/files/-McuOiHlw_D3zfazrXD_)

We have the user flag.

## Privilege Escalation

We do not have sudo permissions, so let's look at the `SUID` files.

![](/files/-McuPDGCr4I6Odet86nY)

`/usr/bin/strings` is interesting.

Let's get more information about this on [GTFOBins](https://gtfobins.github.io/gtfobins/strings/#suid).

![](/files/-McuPV6ZIvZdA1oeJJ_m)

Looks like we can run the `strings` command on any file we want, so let's run it on the root/root.txt file.

![](/files/-McuPnFDXEcu8PhREH2e)

We have the root flag.
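The misconfiguration used in this section is a setuid bit on `/usr/bin/strings`. To catch it from the defender's side, the following audit sketch lists setuid files under a directory and flags file-reading utilities that should never carry that bit. It is an added example, not part of the original write-up; the watchlist, the function names, and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files and flag any whose
# name is on a watchlist of file-reading utilities.

# Constructed sample watchlist (an assumption, not an exhaustive list).
WATCHLIST="strings cat head tail base64 xxd"

# audit_suid DIR: print "FLAG <path>" for watchlisted setuid files and
# "REVIEW <path>" for every other setuid file under DIR, sorted by path.
audit_suid() (
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        case " $WATCHLIST " in
            *" $name "*) echo "FLAG $path" ;;
            *)           echo "REVIEW $path" ;;
        esac
    done
)

# count_flagged DIR: number of watchlisted setuid files under DIR.
count_flagged() (
    audit_suid "$1" | grep -c '^FLAG ' || true
)

# demo_tree: build a constructed directory tree so the audit can be tried
# offline without touching the host's real binaries. Prints the tree's path.
demo_tree() (
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    : > "$d/usr/bin/strings"; chmod 4755 "$d/usr/bin/strings"  # setuid, watchlisted
    : > "$d/usr/bin/passwd";  chmod 4755 "$d/usr/bin/passwd"   # setuid, not watchlisted
    : > "$d/usr/bin/ls";      chmod 0755 "$d/usr/bin/ls"       # no setuid bit
    echo "$d"
)
```

On a real host, run `audit_suid /` as root and compare the `REVIEW` lines against the distribution's expected setuid set; any `FLAG` line should have its setuid bit removed with `chmod u-s`.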

