JPGChat — TryHackMe

0xsanz
5 min read · Mar 1, 2021

This is the write-up for TryHackMe's room named JPGChat. The room is rated Easy, and from its description we have to exploit a poorly made custom chatting service written in a certain language. Judging by the room's logo, that language is Python. The task is to get both the user and root flags. As always, start the enumeration process by running NMAP scans.

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.56.110

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.56.110 130 ⨯
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 14:25 EST
Nmap scan report for 10.10.56.110
Host is up (0.021s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,3000 10.10.56.110

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -O -A -Pn -T4 -p22,3000 10.10.56.110
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 14:31 EST
Nmap scan report for 10.10.56.110
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fe:cc:3e:20:3f:a2:f8:09:6f:2c:a3:af:fa:32:9c:94 (RSA)
| 256 e8:18:0c:ad:d0:63:5f:9d:bd:b7:84:b8:ab:7e:d1:97 (ECDSA)
|_ 256 82:1d:6b:ab:2d:04:d5:0b:7a:9b:ee:f4:64:b5:7f:64 (ED25519)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, NULL:
| Welcome to JPChat
| source code of this service can be found at our admin's github
| MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel
|_ REPORT USAGE: use [REPORT] to report someone to the admins (with proof)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%)…
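A parser for the Nmap normal output above, added here as an example for this write-up (it is not the room's or the author's code). It turns the port lines and the NSE script blocks into records, so the banner the service leaks on port 3000 and the commands it advertises in [BRACKETS] can be recorded alongside the SSH version. The sample text is constructed from the second scan's lines and trimmed.

```python
import re

# Constructed sample: the service-detection scan from this write-up,
# trimmed to the lines the parser consumes.
SAMPLE = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 82:1d:6b:ab:2d:04:d5:0b:7a:9b:ee:f4:64:b5:7f:64 (ED25519)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, NULL:
| Welcome to JPChat
| source code of this service can be found at our admin's github
| MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel
|_ REPORT USAGE: use [REPORT] to report someone to the admins (with proof)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """One dict per port (port, proto, state, service, version) plus a
    'scripts' map of NSE script name -> list of its output lines."""
    ports, cur, script = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := PORT_RE.match(line):
            cur = {"port": int(m[1]), "proto": m[2], "state": m[3],
                   "service": m[4], "version": m[5] or "", "scripts": {}}
            ports.append(cur)
            script = None
        elif cur and line.startswith("|"):
            body = line.lstrip("|_ ")
            if script is None and body.endswith(":") and " " not in body:
                script = body[:-1]          # script header, e.g. "fingerprint-strings:"
                cur["scripts"][script] = []
            elif script and body:
                cur["scripts"][script].append(body)
            if line.startswith("|_"):       # nmap marks a script's last line with |_
                script = None
    return ports


def advertised_commands(port_info):
    """Commands the service banner advertises in [BRACKETS], e.g. JPChat's usage lines."""
    lines = port_info["scripts"].get("fingerprint-strings", [])
    return sorted({c for l in lines for c in re.findall(r"\[([A-Z]+)\]", l)})
```

Running `parse_nmap(SAMPLE)` yields two records; the port 3000 one carries the full banner under `scripts["fingerprint-strings"]` and `advertised_commands` reports `['MESSAGE', 'REPORT']`.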