Tokyo Ghoul THM
------------------------------------------------------------------------------------
- First I looked at the main page and I found this link to another page
└──╼$ nmap -sCV 10.10.63.127
The scan shows three open ports (21, 22 and 80), and FTP allows anonymous login, so let's check the FTP port.
When we log in over FTP we get the file "note_to_jake.txt", which contains this message:
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine.
This is a sign to try brute-forcing Jake's password, so here we use Hydra to brute-force the password for jake's SSH login with this command
└──╼$ hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.140.111 -t 4
While Hydra takes its time brute-forcing jake's password, let's gather some information with Gobuster
└──╼$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.140.111/
We have nothing useful here, let’s take a look at the website.
Again nothing useful here, so let's look for something else, like the source code of the website.
There's an interesting comment here that says "Have you ever heard of steganography?", so I decided to download the website image and check it.
- We cannot find anything useful in this image using the exiftool and steghide tools.
- Let's get back to our Hydra brute-force, where we got this credential for Jake:
jake:987654321
So let's log in to Jake's account.
└──╼$ ssh jake@10.10.253.221
password: 987654321
We cannot find the user.txt file in jake's directory, so let's try to find it with the find command like this
└──╼$ find -type f -name "user.txt"
and now we have the user flag in this location -> ./home/holt/user.txt
Now let's find out which commands we can run as the root user with this command
└──╼$ sudo -l -l
And I found that the less command can be executed as root,
so with this command we have two ways to get the root flag
1- Read the flag directly with this command └──╼$ sudo less /root/root.txt
2- Search the GTFOBins website for the less command
So let's try these commands on the machine by creating any file and running a shell from inside less, like this
touch file.txt
+ Enter
sudo less file.txt
+ Enter
!/bin/sh
+ Enter
Here we go, now we have become the root user and can easily get the root flag.
Congratulations, the machine has been pwned!!
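
A defender-side check for the sudo misconfiguration used above, as an added example that is not part of the original writeup: it parses `sudo -l` output and reports rules that allow a pager or editor without the sudoers `NOEXEC` tag, which the sudoers manual documents for preventing shell escapes. The sample listing, its hostname and the short program list are constructed for illustration.

```python
import re
from posixpath import basename

# Programs with a built-in "run a shell command" feature (pagers and editors).
# Short illustrative list assumed for this example, not exhaustive.
SHELL_ESCAPE_CAPABLE = {"less", "more", "man", "vi", "vim", "nano"}

# A rule line in `sudo -l` output: "(runas) TAG: TAG: cmd, cmd"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample of `sudo -l` output (hostname "host" is a placeholder).
SAMPLE = """\
Matching Defaults entries for jake on host:
    env_reset, mail_badpass

User jake may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/bin/apt-get update, /usr/bin/vim /etc/hosts
"""

def audit_sudo_listing(listing):
    """Return one finding per rule that lets the user reach a root shell."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers, Defaults entries, blank lines
        tags = set(re.findall(r"[A-Z_]+", m.group("tags")))
        # Commands are separated by ", " (escaped commas in args are not handled).
        for cmd in (c.strip() for c in m.group("cmds").split(", ")):
            if not cmd:
                continue
            prog = basename(cmd.split()[0])
            if prog == "ALL":
                reason = "unrestricted command list"
            elif prog in SHELL_ESCAPE_CAPABLE and "NOEXEC" not in tags:
                # A fixed file argument does not help: the escape runs inside the program.
                reason = "shell-escape-capable program without NOEXEC"
            else:
                continue
            findings.append({"runas": m.group("runas"), "command": cmd,
                             "nopasswd": "NOPASSWD" in tags, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print(f"{f['command']} as ({f['runas']}): {f['reason']}")
```

`NOEXEC` relies on the dynamic linker, so it does not constrain statically linked binaries; removing the rule or replacing it with a narrower one is the stronger fix.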