TryHackMe | Brooklyn Nine Nine
This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to…
I used the command namp -sSV -Pn -sC MACHINE_IP for port scanning. Three open ports are found that are:
- 21 FTP
- 22 SSH
- 80 HTTP
With the default script scan (-sC), I found that Anonymous login is allowed at FTP.
So, I proceeded with logging into ftp using command ftp MACHINE_IP
Username as anonymous and nothing in password field. I successfully logged in ftp server.
Using ls command to list out the files/folders in the current location where we are. ls command listed out a text file named as note_to_jake.txt
Using get filename command to get the file on our local system.
Read the content of the file. It’s a message for jake that password is too weak. It gives us a hint that the password can be attacked.
Using hydra tool to attack the password and rockyou wordlist.
Command used: hydra -l jake -P rockyou.txt ssh://MACHINE_IP
-l is used to specify username and -P is you to specify password which is in rockyou.txt word list.
As soon as the attack completes we got the password of the user jake.
Using the above username and password connect to the ssh server. After successfully connecting we are now jake.
Using command: find / -name user.txt 2>/dev/null to find the user flag.
Use cat to read the content of user.txt and get the flag.
I used sudo -l command to list the user’s privileges and on which directory user can run sudo command.
The result says that the user can run sudo command on /usr/bin/less. It means that user can use the /usr/bin/less directory as root user.
Checking on GTFObins, whether we can exploit the above directory or not. I got that the less directory can be exploited.
Following the steps given in GTFObins:
- sudo /user/bin/less /etc/profile
- Writing !/bin/sh at the end and press Enter.
As soon as we press enter we will get another shell. Run command whoami to check which user you are. It states that we are root user now. Now simply use the command cat /root/root.txt to read the flag.
Successfully completed the room :-)