
@RealTryHackMe – Brooklyn Nine Nine

Another day, another challenge.

In this blog post, we’re going to solve the Brooklyn Nine Nine boot2root room.

Let’s get started.

Going to the room and pressing Start Machine, we get our IP address.

Here’s a screenshot of my IP address:

Next, let’s fire up a terminal and see if we can enumerate the machine.

In the terminal, enter the command nmap -sV <IP address>; in my case it is nmap -sV 10.10.188.95

Doing this we get the following:

We see that there is an open FTP port.

What can we do with FTP?

FTP can be configured to allow login with the username anonymous and any password. Of course, this is NOT good security, as a valid username and password combination should be required.

Let’s try it.

Going back to the terminal, enter ftp and press Enter.

Next, enter open <ip address>; in my case it is open 10.10.164.245

Doing this we see:

We were able to login!

Next, let’s use the ls or list command to see what files/directories (folders) are on the FTP server.

We have one file – note_to_jake.txt

How can we download this file to our machine? We can use the get command.

Enter get note_to_jake.txt to download the file onto our computer.

Afterwards, enter the command exit to exit the FTP server.

Now we’re back to our terminal on our machine. Enter the command ls -la which will do a long listing showing hidden files as well.

Doing this we see our file – note_to_jake.txt!

Now let’s open the file with cat note_to_jake.txt

We see:

OK – Amy is telling Jake his password is weak. This is good for us as we will need to use Jake’s login information to get into the system.

We’ll keep this in our toolbox.

Going back to the open ports, we now have SSH (22) and HTTP (80).

Let’s try the HTTP server and see what we find.

We’re going to use the directory brute-forcing program dirb.

Let’s enter the command dirb http://<IP address>; in my case it is dirb http://10.10.188.95

Doing this we have:

We didn’t find much.

Let’s move to the SSH server.

We can brute force the password using the hydra command. We’re going to enter the command hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://<IP address> -t 4

In my case it is hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.188.95 -t 4

Let’s break it down

hydra – the program we’re running

-l jake – the single user we want to brute force

-P /usr/share/wordlists/rockyou.txt – the wordlist (rockyou.txt) we want to try against the SSH server

-t 4 – tells hydra to use 4 threads (more threads make hydra finish faster)

We found the password for jake’s SSH login. As you can see, the password is not secure.
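On the defender’s side, a run like this leaves a dense trail of failed logins in the SSH server’s auth log. The following script is an added example and not part of the original post: it counts failed password attempts per source address over a few constructed auth.log-style lines, flags sources that reach a threshold, and reports any source whose failures were followed by a successful password login.

```shell
#!/bin/sh
# Added example (not from the original post): spot an SSH password-guessing
# run from auth.log-style lines and show which source it came from.
# SAMPLE_LOG is constructed to resemble what such a run leaves in
# /var/log/auth.log on the target; hostnames and addresses are made up.
SAMPLE_LOG='Mar  3 10:01:02 nine9 sshd[2041]: Failed password for jake from 10.8.20.5 port 51002 ssh2
Mar  3 10:01:02 nine9 sshd[2042]: Failed password for jake from 10.8.20.5 port 51004 ssh2
Mar  3 10:01:03 nine9 sshd[2043]: Failed password for invalid user amy from 10.8.20.5 port 51006 ssh2
Mar  3 10:01:03 nine9 sshd[2044]: Failed password for jake from 10.8.20.5 port 51008 ssh2
Mar  3 10:01:04 nine9 sshd[2045]: Failed password for jake from 10.8.20.5 port 51010 ssh2
Mar  3 10:01:09 nine9 sshd[2046]: Accepted password for jake from 10.8.20.5 port 51012 ssh2
Mar  3 10:02:11 nine9 sshd[2050]: Failed password for holt from 10.8.30.9 port 40010 ssh2
Mar  3 10:05:00 nine9 sshd[2051]: Accepted publickey for holt from 10.8.30.9 port 40012 ssh2'

# failed_by_source: read log text on stdin, print "<count> <ip>" for each
# source with failed password attempts, busiest source first.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# flag_bruteforce THRESHOLD: print sources whose failure count reaches
# THRESHOLD. Several failures within a couple of seconds is not a typo.
flag_bruteforce() {
    failed_by_source | awk -v t="$1" '$1 >= t {print $2}'
}

# success_after_failures: print sources that failed and then got an
# "Accepted password" line; that sequence is what a guessed password looks like.
success_after_failures() {
    log=$(cat)
    printf '%s\n' "$log" | failed_by_source | awk '{print $2}' | while read -r ip; do
        if printf '%s\n' "$log" | grep -q "Accepted password for .* from $ip "; then
            echo "$ip"
        fi
    done
}

echo "sources at or above 4 failures:"; printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 4
echo "failures followed by a password login:"; printf '%s\n' "$SAMPLE_LOG" | success_after_failures
```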

Now we’re going to log into the SSH server with ssh jake@<IP address>; in my case it is ssh jake@10.10.188.95

Doing this we’re prompted to enter our password which is 987654321.

After pressing Enter we’re in!

Now we need to find the user.txt.

How are we going to find this file?

Using the find command.

In the terminal let’s enter: find / -name user.txt 2>/dev/null

Let’s break this down

find – the command itself

/ – start at the root of the file system

-name – search for a file by name

user.txt – the name of the file

2> – redirect standard error (file descriptor 2), which would otherwise go to the screen

/dev/null – the destination for those errors, where they are discarded

Doing this we see:

We found the user.txt

Let’s open the file.

We found the user.txt code.

Now we have one more question – we need to find the root.txt

How are we going to do this?

Let’s see if we can escalate privileges.

One of the first things we can do is check whether the user (jake) can execute any commands as root.

How do we check this?

Execute the command sudo -l

Let’s break this command down.

If the user (jake) has an entry in the /etc/sudoers file, this command lists the commands we are allowed to run as root.

Entering the command we see:

There’s a command we can run as root to escalate our privileges: less.

Let’s see how we can do this.

Doing a Google search for less privilege escalation, we see the following link.

Clicking the link and scrolling down, we see how to escalate privileges under the sudo section.

Going back to our terminal, enter sudo less /etc/profile (press Enter), then enter !/bin/sh

Doing this we see:

Once we press Enter we’re back at the terminal, but notice that the prompt has changed to a #. Running whoami, we see that we’re root!

Now let’s navigate to the root home directory (/root) to see if the root.txt is located there.

Enter the command cd /root to navigate to the root home directory

Doing a long list to show everything (ls -la) we see there’s a root.txt file!

Now let’s open the root.txt file

Entering the command cat root.txt, we see:


@RealTryHackMe – Bounty Hacker

Another day, another challenge.

In today’s post we’re going to solve the Bounty Hacker room in TryHackMe.

Let’s get started.

Going to the room and clicking the deploy/start machine, we see the following:

Your IP address will be different.

Let’s start answering the questions.

The first question is to find open ports.

We’re going to enter the command nmap -sV <deployed IP address>, which in my case is nmap -sV 10.10.126.62

Doing this we see:

We have three ports open. FTP, SSH, and HTTP.

Next question.

We need to see who wrote the task list.

Depending on the configuration, an FTP server can allow access with the username anonymous and any password.

Let’s see if this works.

It worked!

Now let’s do a listing to see what is on the server.

We have a locks.txt and a task.txt file.

How do we download the files?

We can use the get command – get <file>

Let’s try it.

The files were downloaded successfully.

We can close the ftp server by entering the exit command.

Using cat (concatenate) to open the task.txt file, we see:

We found the user – lin.

Let’s answer the next question.

What service can we use to brute force the text file?

Looking at the open services, we have already logged into the FTP server anonymously, so that’s not it.

Let’s see if SSH is the answer. It is!

Next question.

What is the user’s password? The user in this case is lin.

To brute force SSH we can use the program Hydra.

We haven’t opened the locks.txt file yet.

Let’s open it.

Using the cat command (cat locks.txt) we see:

Hmm… this looks like a file of passwords.

Going back to Hydra, we can use the command hydra -l lin -P locks.txt <IP address> -t 4 ssh; in my case it is hydra -l lin -P locks.txt 10.10.126.62 -t 4 ssh

Let’s explain the command

Hydra – The program we’re going to use

-l lin – select the user we want to use (lin)

-P locks.txt – the password file we want to use

<IP address> – the IP address we want to brute-force

-t 4 – the number of threads we want. In this case we ask for 4 threads; the more threads, the faster hydra will run

ssh – tells hydra we want to brute-force the SSH server

Doing this we get the following:

We found the password – RedDr4gonSynd1cat3

Now let’s login

Going back to our terminal let’s enter the command ssh lin@10.10.126.62

Let’s break this down

ssh – the SSH client we use to access the server

lin@10.10.126.62 – the user at the server

We get the following:

We are asked whether we are sure we want to connect; enter yes.

Next we need to enter the password. Copy the password from the Hydra output.

Doing that we see the above screenshot.

We are now in the SSH server!

Let’s answer the next question.

We need to find and open the user.txt file.

Doing a long listing to view everything (ls -la) we see:

We see the user.txt file!

Using the cat command to open the file: cat user.txt

Now to the final question.

We need to find and open the root.txt file.

Going back to the terminal – we’re going to enter the command: find / -perm -u=s -type f 2>/dev/null

Let’s break it down

find – invoke the find command

/ – specifying we’re starting at the root file system

-perm – look for a specific permission

-u=s – match files with the setuid bit set on the owner’s permissions (shown as an s in the owner’s execute position in ls -l output). A setuid program runs with the privileges of its owner rather than those of the user who starts it; here we are interested in the ones owned by root.

-type f – we’re looking for regular files

2>/dev/null – redirect error messages (standard error) away from the screen to /dev/null.

Doing this we get the following:

The files listed above run with their owner’s privileges, so those owned by root execute as root.
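For an administrator, the same find query is a baseline check: run it regularly and compare the result against a known-good list. The script below is an added example and not part of the original post; it builds a small constructed directory tree in a temp directory that stands in for the target’s filesystem, runs the -perm -u=s search against it, and reports setuid files missing from a constructed baseline.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid files against a
# known-good baseline. A constructed directory tree in a temp dir stands in
# for the target's /, and the baseline list is also constructed for the demo.

# make_demo_tree DIR: two setuid files an admin expects (passwd, sudo), one
# ordinary executable, and one unexpected setuid binary dropped in /opt.
make_demo_tree() {
    mkdir -p "$1/usr/bin" "$1/bin" "$1/opt"
    for f in usr/bin/passwd usr/bin/sudo bin/ping opt/backup-shell; do
        : > "$1/$f"
    done
    chmod 4755 "$1/usr/bin/passwd" "$1/usr/bin/sudo" "$1/opt/backup-shell"
    chmod 0755 "$1/bin/ping"          # executable, but no setuid bit
}

# list_setuid DIR: the walkthrough's query rooted at DIR instead of /.
# -perm -u=s matches any mode that includes the owner's setuid bit (4000),
# so it also catches odd modes such as 4711. Paths are printed relative
# to DIR so they can be compared with a baseline.
list_setuid() {
    find "$1" -perm -u=s -type f 2>/dev/null | sed "s|^$1||" | sort
}

# unexpected_setuid DIR BASELINE: setuid paths under DIR that are not in the
# sorted BASELINE file; these are the entries a listing like the one above
# should make you look at.
unexpected_setuid() {
    list_setuid "$1" | comm -23 - "$2"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
printf '%s\n' /usr/bin/passwd /usr/bin/sudo | sort > "$demo/baseline.txt"

echo "setuid files:";      list_setuid "$demo"
echo "not in baseline:";   unexpected_setuid "$demo" "$demo/baseline.txt"
```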

Most of these are standard, but the sudo command should not be there.

Why? sudo allows a user to run specific commands as root.

sudo is controlled by the sudoers file, which lists the users and the commands they may run as root.

To figure this out, let’s enter the command sudo -l

We’re going to be prompted for the password which is: RedDr4gonSynd1cat3

Doing this we see:

We see that one file – /bin/tar can run as root.
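Both walkthroughs turn on a sudoers rule that grants a single program (less in Brooklyn Nine Nine, tar here) which can itself run other commands. The following shell function is an added example and not part of either post: it reads sudoers-format text (a constructed sample, not either room’s real file) and flags any rule granting those two binaries, noting whether NOPASSWD is set.

```shell
#!/bin/sh
# Added example (not from either post): flag sudoers rules that grant a
# program able to start a shell or run other programs. WATCH holds only the
# two binaries these walkthroughs abuse; SAMPLE_SUDOERS is constructed for
# the demo and is not the content of either room's /etc/sudoers.
WATCH='less tar'

SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
jake    ALL=(ALL) NOPASSWD: /usr/bin/less
lin     ALL=(root) NOPASSWD: /bin/tar
amy     ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog'

# flag_risky_rules: read sudoers text on stdin; for every rule whose command
# basename is in WATCH print "<user> <command> <passwd|nopasswd>".
# Handles comment and Defaults lines, a (runas) field, tags such as
# NOPASSWD:, and comma-separated command lists; aliases and line
# continuations are not handled. Restricting arguments (amy's less rule)
# does not make the rule safe, so arguments are ignored on purpose.
flag_risky_rules() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*Defaults' -e '^[[:space:]]*$' \
    | while IFS= read -r line; do
        user=${line%%[[:space:]]*}
        spec=${line#*=}                                 # text after HOST=
        case $spec in "("*) spec=${spec#*')'} ;; esac   # drop (runas) field
        case $spec in *NOPASSWD:*) tag=nopasswd ;; *) tag=passwd ;; esac
        case $spec in *:*) spec=${spec#*:} ;; esac      # drop tag list
        printf '%s\n' "$spec" | tr ',' '\n' | while read -r cmd rest; do
            base=${cmd##*/}
            for w in $WATCH; do
                if [ "$base" = "$w" ]; then
                    printf '%s %s %s\n' "$user" "$cmd" "$tag"
                fi
            done
        done
    done
}

printf '%s\n' "$SAMPLE_SUDOERS" | flag_risky_rules
```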

Going to Google and typing in privilege escalation tar file.

We see:

Clicking on the first link we see:

Scrolling down we see:

We see a section on Sudo!

Copying this command into our terminal and entering the whoami command we get:

We have successfully escalated our privileges to root!

Going to the root home directory and doing a long listing we see:

We see the root.txt file

Let’s open it with the cat command.

Doing this we see:

We have successfully solved the challenge!