Brooklyn Nine Nine
Reconnaissance
Initial Nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn)
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default Nmap scripts
(-p): Specifies ports 21, 22 and 80
(-oN nmap): Saves the output to a file called nmap
Enumeration
Port 21: FTP
It looks like we can log in through FTP as anonymous, so let's do that. (Use anonymous for both the username and the password, or just hit Enter at the password prompt.)
Let's list the files in this directory.
There is a file which is a note to a person called Jake. Let's transfer this file to our machine and read what it has to say.
Let's now read the file.
It looks like Jake did not change his password, as mentioned by a person called Amy. We also have a username Holt, so we now have three usernames.
Port 80: HTTP
Let's visit the website.
It's a Brooklyn Nine Nine poster. Let's look at the source code.
We have something interesting: the source mentions steganography, which is the practice of concealing a message within another message. So let's download the image onto our machine. The name of the image is in the source code.
Exploitation
FTP
We can try to use hydra to find the password for Jake.
We found the password, so let's log in through SSH.
And we are logged in. We can find the user flag here.
HTTP
We can use a tool called stegcracker to find hidden messages within files. If you do not have it, you can download it with this command:
Now you can use stegcracker.
We have a password, which may be the password for the file. Let's see what the file is hiding.
Now we have the password for Holt, so let's log in through SSH.
Privilege Escalation
Jake
Let's run sudo -l to see what Jake can run as root.
It looks like we can run the less command as root, which lets us view the contents of files, so let's use it to check what /root/root.txt contains.
We can also try to become root using the commands found in GTFOBins.
Let's use these commands to become root.
Holt
Let's run sudo -l to see what Holt can run as root.
We can run nano as root, so let's go to GTFOBins to find the commands to escalate privileges to root.
Let's run these commands.
We are now root. You can find the root flag in /root/
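A defender's view of the two sudo rules abused above, as an added example that is not part of the original write-up: it audits sudoers-style rules for pagers and editors that a user may run as root. The sample rules, the audit_sudoers name and every binary in the list other than less and nano are assumptions.

```python
import posixpath
import re

# less and nano come from the walkthrough; the rest is an assumed sample.
ESCAPABLE = {"less", "nano", "more", "vi", "vim", "man"}
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

# Constructed sample rules, not taken from the target machine.
SAMPLE = """\
Defaults env_reset
jake ALL=(ALL) NOPASSWD: /usr/bin/less
holt ALL=(ALL:ALL) NOPASSWD: /bin/nano
amy  ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog, /bin/ls
amy  ALL=(www-data) /usr/bin/vim
"""


def audit_sudoers(text):
    """Return (user, binary, nopasswd, noexec) for escapable binaries run as root."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _host, runas, cmds = m.groups()
        # A rule with no (runas) part runs as root; "user:group" keeps the user list.
        targets = {u.strip() for u in (runas or "root").split(":")[0].split(",")}
        if not targets & {"root", "ALL"}:
            continue
        state = {"NOPASSWD": False, "NOEXEC": False}  # tags carry over within a rule
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                tag = t.group(1)
                key = tag if tag.startswith("NO") else "NO" + tag
                if key in state:
                    state[key] = tag.startswith("NO")
                cmd = cmd[t.end():]
            binary = posixpath.basename(cmd.split()[0]) if cmd else ""
            if binary in ESCAPABLE:
                findings.append((who, binary, state["NOPASSWD"], state["NOEXEC"]))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

NOEXEC stops the spawned program from executing further commands, but a pager or editor running as root can still read or write arbitrary files, so such rules warrant review either way.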