capture the flag, hacking, web application security

@RealTryHackMe – Brooklyn Nine Nine

Another day, another challenge.

In this blog post, we’re going to solve the Brooklyn Nine Nine boot 2 root.

Let’s get started.

Going to the room, and pressing the start machine we get our IP address.

Here’s a screenshot of my IP address:

Next, let’s fire a terminal and see if we can enumerate the machine.

Going to the terminal let’s enter the command nmap -sV <IP address> in my case it will be nmap -sV 10.10.188.95

Doing this we get the following:

We see there’s an open port of FTP.

What can we do with FTP?

FTP can be configured where we can enter a username as anonymous with any password. Of course, this is NOT good security as there should be a valid username and password combination.

Let’s try it.

Going back to the terminal and enter ftp press Enter

Next enter open <ip address> in my case it will be open 10.10.164.245

Doing this we see:

We were able to login!

Next, let’s use the ls or list command to see what files/directories (folders) are on the FTP server.

We have one file – note_to_jake.txt

How can we download this file onto our terminal? We can use the GET command

enter get note_to_jake.txt to download the file onto our computer.

Afterwards, enter the command exit to exit the FTP server.

Now we’re back to our terminal on our machine. Enter the command ls -la which will do a long listing showing hidden files as well.

Doing this we see our file – note_to_jake.txt!

Now let’s open the file with cat note_to_jake.txt

We see:

OK – Amy is telling Jake his password is weak. This is good for us as we will need to use Jake’s login information to get into the system.

We’ll keep this in our toolbox.

Going back to the open ports, we now have SSH (22) and HTTP (80).

Let’s try the HTTP server and see what we find.

We’re going to use the brute force program – dirb

Let’s enter the command dir http://<IP address> in my case it will be dirb http://10.10.188.95

Doing this we have:

We didn’t find much.

Let’s move to the SSH server.

We can brute force the password using the hydra command. We’re going to enter the command hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://<IP address> -t 4

In my case it will be hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh:/10.10.188.95 -t 4

Let’s break it down

hydra – command

-l jake – the user we want to brute force

-P /usr/share/wordlists/rockyou.txt – The wordlists (rockyou.txt) we want to brute force the SSH server with

-t 4 – we’re specifying to hydra that we want use 4 threads (more threads make hydra complete faster)

We found the password for jake’s login credentials for SSH. As you can see the password is not secure.

Now we’re going to log into the SSH server with the following ssh jake@<IP address> in my case it will be ssh jake@10.10.188.95

Doing this we’re prompted to enter our password which is 987654321.

After pressing Enter we’re in!

Now we need to find the user.txt.

How are we going to find this file?

Using the find command

In the terminal let’s enter: find / -name user.txt 2>/dev/null

Let’s break this down

find – the find command

/ – start at the root file system

-name – want to find a file by name

user.txt – the name of the file

2> – redirect errors from standard output (screen)

/dev/null – move the errors (from the 2>) to the /dev/null

Doing this we see:

We found the user.txt

Let’s open the file.

We found the user.txt code.

Now we have one more question – we need to find the root.txt

How are we going to do this?

Let’s see if we can do an escalation of privilege.

One of the first thing we can do is see if the user (jake) can execute any files or directories as root.

How do we check this?

Execute the command sudo -l

Let’s break this command down.

If the user (jake) is in the /etc/sudoers file then the above command will let us know what commands we can execute to get to root.

Entering the command we see:

There’s a command we can enter as to execute our privileges – less.

Let’s see how we can do this.

Doing a google search of less privilege escalation we see the following link.

Click the above link and scrolling down we see how we can do an escalation privilege under the sudo section.

Going back to our terminal let’s enter: sudo less /etc/profile (press) Enter) then enter !/bin/sh

Doing this we see:

Once we press Enter we’re back to the terminal

but if you notice the prompt has changed to a #

doing a whoami we see that we’re root!

Now let’s navigate to the root home directory (/root) to see if the root.txt is located there.

Enter the command cd /root to navigate to the root home directory

Doing a long list to show everything (ls -la) we see there’s a root.txt file!

Now let’s open the root.txt file

Enter the command cat root.txt we see:

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Sequel

Another day, another challenge.

I’m restarting the series #PwnItFriday, where I hack machines from hackthebox and TryHackMe.

Without further ado, the machine I’m solving today is Sequel.

The Sequel box explores the following concepts – Weak Credentials, SQL, Vulnerability Assessment.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Crocodile

Another day, another challenge.

I’m restarting the series #PwnItFriday where I hack machines from hackthebox and TryHackMe.

Without further ado, the machine I’m solving today is Crocodile.

The Crocodile box explores the following concepts – FTP (File Transfer Protocol), and Account Misconfiguration.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Appointment

Another day, another challenge.

I’m restarting the series #PwnItFriday where I hack machines from hackthebox and TryHackMe.

Without further ado, the machine I’m solving today is Appointment.

The Appointment box explores the following concepts – SQL Injection, MariaDB, and PHP.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Dancing

Another day, another challenge.

I’m restarting the series #PwnItFriday where I hack machines from hackthebox and TryHackMe.

Without further ado, the machine I’m solving today is Dancing.

The Dancing box explores the following concepts – SMB (Simple Message Blocks), and Account Misconfiguration.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Fawn

Another day, another challenge.

I’m restarting the series #PwnItFriday where I hack machines from hackthebox and TryHackMe.

Without further ado, the machine I’m solving today is Fawn.

The Fawn box explores the following concepts – Linux, FTP (File Transfer Protocol), and Account Misconfiguration.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, hacking, owasp, web application security

#PwnItFridays @hackthebox_eu Staring Point Series: Meow

Another day, another challenge.

I’m restarting the series #PwnItFriday, where I hack machines from hackthebox and TryHackMe.

Without further ado, the machine I’m solving today is Meow.

The Meow box explores the following concepts – Telnet, Networking, and Weak Credentials.

Want to learn more? Watch the below video.

Like the content — support by Buying a Coffee

capture the flag, cybersecurity education, hacking

#PwnItFridays @hackthebox_eu Starting Point Series: Vaccine

Another day, another challenge.

I’m restarting the series #PwnItFriday where I hack machines from hackthebox and TryHackMe.

Without further ado, the machine I’m solving today is Vaccine.

Topics explored in this machine are Vulnerability Assessment, Source Code Analysis, Password Cracking, and SQL Injection.

Click the video to learn how to solve this machine!

Like the content — support by Buying a Coffee

capture the flag, cybersecurity education, hacking

#PwnItFridays @hackthebox_eu Starting Point Series: Responder

Another day, another challenge.

I’m restarting the series #PwnItFriday where I hack machines from hackthebox and TryHackMe.

Without further ado, the machine I’m solving today is Responder.

Topics explored in this machine are Network, Hash Capture, Remote File Inclusion, and Password Cracking.

Click the video to learn how to solve this machine!

Like the content — support by Buying a Coffee