Jack-Of-ALL-Trades | TryHackMe

Jack-Of-All-Trades Rated medium on TryHackMe Boot-to-root originally designed for Securi-Tay 2020.

Enumeration! Enumeration! Time!

Our Nmap result was kind of strange HTTP running on port 22 and SSH running on port 80 opposite the result am expecting not wasting to much of time i try to access the HTTP port.

Strange right?? Firefox is blocking us also hmm tricky so i try messing with my browser HTTP proxy setting.

And boom we are in…

Next Stop > View Page Source

Next Stop > /recovery.php

View Page Source Again.

Base32 to Hex

Hex to Rot13

Rot13 to Plaintext

We are left with a link hint pointing us to a Wikipedia page .

Using Steghide with the credentials that you got from the base64

Time to spawn a reverse shell to our terminal.

Start an ncat connection

incoming connection receive boom.

Try to make the shell stable by spawning a TTY shell python -c ‘import pty; pty.spawn(“/bin/bash”)’

After spawning TTY Shell

Changing directory to home we found a password list let’s do some brute-forcing and see if the pass list we found is still containing password used by user Jack.

And boom we are in

User.txt

Privilege Escalation To Get Root Flag.

Trying sudo -l the respond i get was Sorry, user jack may not run sudo on jack-of-all-trades time to launch LinEnum.

Checking the SUID files i found something interesting /usr/bin/strings cool i quickly check up GTFOBINS for the exploit.

Boom we have root.txt

Thanks For Reading my First Write-Up More To Come.. Peace