Brooklyn99 THM

Brooklyn99 Machine

From TryHackMe Website with {Easy Difficulty}

Table of Contents:

• Information Gathering

Hydra Brute-Force

• User Flag

• Privilege Escalation

• Root Flag

• References

------------------------------------------------------------------------------------

Information Gathering

Nmap Scanning

└──╼$ nmap -sCV 10.10.140.111

Nmap found the FTP port open with anonymous login allowed, plus two other open ports (22 and 80), so let's check the FTP service first.

After logging in over FTP we got the file "note_to_jake.txt", which contains this message:

From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine.

Hydra Brute-Force

This is a hint to brute-force Jake's password, so here we use Hydra to brute-force jake's SSH password with this command:

└──╼$ hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.140.111 -t 4

While Hydra takes its time to brute-force jake's password, let's gather some information with Gobuster.

Gobuster Scanning

└──╼$ gobuster dir -u http://10.10.140.111/ -w /usr/share/wordlists/dirb/common.txt

We have nothing useful here, let’s take a look at the website.

Again, nothing useful here either, so let's look for something else, such as the source code of the website.

There's an interesting comment there that says "Have you ever heard of steganography?", so I decided to download the website image and check it.

We could not find anything useful in this image using the exiftool and steghide tools.

User Flag

Let's get back to our Hydra brute-force, which found this credential for Jake:

jake:987654321, so let's log in to Jake's account.

└──╼$ ssh jake@10.10.253.221
password: 987654321

The user.txt file is not in jake's home directory, so let's look for it with the find command:

└──╼$ find -type f -name "user.txt"

And now we got the user flag at this location -> ./home/holt/user.txt

Privilege Escalation

Root Flag

Now let's find out which commands we can run as root by using this command:

└──╼$ sudo -l -l

And I found that the less command can be executed as root.

So with this command we have two ways to get the root flag:

1- By using this command: └──╼$ sudo less /root/root.txt

2- By using the GTFOBins website to look up the less command.

So let's try those commands on the machine by creating any file and running a shell from within less, like this:

touch file.txt + Enter

sudo less file.txt + Enter

!/bin/sh + Enter

Here we go: now we are the root user and can easily get the root flag.

Congratulations, the machine has been pwned!!
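
From the defender's side, the sudo rule abused above can be caught by auditing `sudo -l` output for pagers and editors that can run commands or open arbitrary files as root. The following Python is an added example, not part of the original write-up; the sample `sudo -l` output, the host name `host` and the `SHELL_ESCAPE` list are constructed assumptions.

```python
import re

# Assumption: small illustrative subset of pagers/editors with a built-in
# "run a command" feature; GTFOBins documents many more.
SHELL_ESCAPE = {"less", "more", "man", "vi", "vim"}
RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) TAG: cmd, cmd"
TAG = re.compile(r"([A-Z_]+):\s*")              # NOPASSWD:, NOEXEC:, ...

# Constructed sample of `sudo -l` output (not captured from the machine).
SAMPLE = """\
User jake may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /usr/bin/vim /etc/motd
    (root) /usr/sbin/ufw status
"""

def parse_rules(text):
    """Return (runas_users, tags, command) for each rule in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        users = {u.strip() for u in m.group(1).split(":")[0].split(",")}
        rest, tags = m.group(2), set()
        while (t := TAG.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        rules += [(users, tags, c.strip()) for c in rest.split(",") if c.strip()]
    return rules

def audit(text):
    """Flag rules that let the user reach a root shell or read any file."""
    findings = []
    for users, tags, cmd in parse_rules(text):
        if not users & {"ALL", "root"}:
            continue
        name = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted root"))
        elif name in SHELL_ESCAPE:
            # NOEXEC blocks the "!" escape, but the tool still opens files as root.
            risk = "root file access" if "NOEXEC" in tags else "root shell escape"
            findings.append((cmd, risk))
    return findings

if __name__ == "__main__":
    for cmd, risk in audit(SAMPLE):
        print(f"{risk}: {cmd}")
```

On a real host an administrator can feed it the output of `sudo -l -U jake`. Any finding means the rule should be removed or replaced with a narrower mechanism such as `sudoedit` for a specific file.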

References
