Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Image

Jack-Of-All-Trades Rated medium on TryHackMe Boot-to-root originally designed for Securi-Tay 2020.

Enumeration! Enumeration! Time!

Image

Our Nmap result was kind of strange HTTP running on port 22 and SSH running on port 80 opposite the result am expecting not wasting to much of time i try to access the HTTP port.

Image

Strange right?? Firefox is blocking us also hmm tricky so i try messing with my browser HTTP proxy setting.

Image

And boom we are in…

Image

Next Stop > View Page Source

Image

Image

Next Stop > /recovery.php

Image

View Page Source Again.

Image

Base32 to Hex

Image

Hex to Rot13

image

Rot13 to Plaintext

Image

We are left with a link hint pointing us to a Wikipedia page .

Image

Image

Using Steghide with the credentials that you got from the base64

Image

Image

Image

Time to spawn a reverse shell to our terminal.

Image

Start an ncat connection

Image

incoming connection receive boom.

Try to make the shell stable by spawning a TTY shell python -c ‘import pty; pty.spawn(“/bin/bash”)’

image

After spawning TTY Shell

image

Changing directory to home we found a password list let’s do some brute-forcing and see if the pass list we found is still containing password used by user Jack.

Image

Image

Image

Privilege Escalation To Get Root Flag.

Image

Trying sudo -l the respond i get was Sorry, user jack may not run sudo on jack-of-all-trades time to launch LinEnum.

Image

Checking the SUID files i found something interesting /usr/bin/strings cool i quickly check up GTFOBINS for the exploit.

Image

Image

Boom we have root.txt

Greeting From Muzec



Back To Home