A really stupid box, but anyway let’s pwn it.
You can find the machine here: Jack-of-All-Trades
As always, let's start with an nmap scan.
What a trick :P
Let's visit the webpage. If you get the error "This address is restricted", Firefox is blocking this port; follow this guide and you will be okay.
If we check the page source code, we can see these messages:
We have a path and a base64 string; let's decode the string.
We have a password: u?WtKSraq. Cool, now let's visit the webpage.
A login function, hm. Let's check the source code. Again, an encoded string.
Seems like base32; let's decode it.
That gives us a hex string. Let's decode it.
Seems like ROT13; let's decode it.
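The decode chain above (base32, then hex, then ROT13) as a small layer-peeling script. This is an added example, not part of the original writeup: the sample string is constructed from the word "stego", not taken from the box's page source, and the layer detection is only an alphabet heuristic.

```python
"""Peel layered encodings of the kind hidden in the page source: base32 -> hex -> ROT13."""
import base64
import codecs
import re

# Constructed sample: "stego" run through ROT13, then hex, then base32.
SAMPLE = "GY3DMNZXGI3TINRS"


def classify(layer: str) -> str:
    """Guess one layer's encoding from its alphabet. Hex is checked before base32
    because an all-digit hex string is also a valid base32 alphabet subset."""
    if re.fullmatch(r"[0-9a-fA-F]+", layer) and len(layer) % 2 == 0:
        return "hex"
    if re.fullmatch(r"[A-Z2-7]+=*", layer) and len(layer) % 8 == 0:
        return "base32"
    if re.fullmatch(r"[A-Za-z0-9+/]+=*", layer) and len(layer) % 4 == 0:
        return "base64"
    return "text"


DECODERS = {
    "hex": lambda s: bytes.fromhex(s).decode(),
    "base32": lambda s: base64.b32decode(s).decode(),
    "base64": lambda s: base64.b64decode(s).decode(),
}


def peel(blob: str) -> list:
    """Strip layers until the remainder no longer looks encoded, then apply ROT13
    (the final layer in the writeup) when what is left is letters only.
    Returns [(layer_name, decoded_value), ...] in the order the layers were removed."""
    steps, current = [], blob
    kind = classify(current)
    while kind != "text":
        try:
            current = DECODERS[kind](current)
        except (ValueError, UnicodeDecodeError):
            break  # heuristic misfire: stop rather than emit garbage
        steps.append((kind, current))
        kind = classify(current)
    if current.isalpha():
        current = codecs.decode(current, "rot_13")
        steps.append(("rot13", current))
    return steps


def encode_chain(plain: str) -> str:
    """Build a sample the same way the hint was layered (ROT13 -> hex -> base32)."""
    rot = codecs.encode(plain, "rot_13")
    return base64.b32encode(rot.encode().hex().encode()).decode()


if __name__ == "__main__":
    for name, value in peel(SAMPLE):
        print(f"{name:>7}: {value}")
```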
That gives us a hint that we need to do stego, so I won't waste more time: I found the creds under this image.
So now we can log in.
After we log in, we can see this message:
GET me a 'cmd' and I'll run it for you Future-Jack. Damn easy.
Let's use Burp now to spawn a shell.
Send the request to Repeater.
Now use this reverse shell and URL-encode it, because the URL contains disallowed characters.
And we have a shell!
Now privesc to user is really simple; we can see this under
Let's SSH brute force.
For the user flag, just download the image and display it; you will get this flag:
And we can read root's flag using strings, because it's a SUID binary.
What a meme, see you!