Another day, another challenge.
In this blog post, we’re going to solve the Brooklyn Nine Nine boot 2 root.
Let’s get started.
Going to the room, and pressing the start machine we get our IP address.
Here’s a screenshot of my IP address:
Next, let’s fire a terminal and see if we can enumerate the machine.
Going to the terminal let’s enter the command nmap -sV <IP address> in my case it will be nmap -sV 10.10.188.95
Doing this we get the following:
We see there’s an open port of FTP.
What can we do with FTP?
FTP can be configured where we can enter a username as anonymous with any password. Of course, this is NOT good security as there should be a valid username and password combination.
Let’s try it.
Going back to the terminal and enter ftp press Enter
Next enter open <ip address> in my case it will be open 10.10.164.245
Doing this we see:
We were able to login!
Next, let’s use the ls or list command to see what files/directories (folders) are on the FTP server.
We have one file – note_to_jake.txt
How can we download this file onto our terminal? We can use the GET command
enter get note_to_jake.txt to download the file onto our computer.
Afterwards, enter the command exit to exit the FTP server.
Now we’re back to our terminal on our machine. Enter the command ls -la which will do a long listing showing hidden files as well.
Doing this we see our file – note_to_jake.txt!
Now let’s open the file with cat note_to_jake.txt
OK – Amy is telling Jake his password is weak. This is good for us as we will need to use Jake’s login information to get into the system.
We’ll keep this in our toolbox.
Going back to the open ports, we now have SSH (22) and HTTP (80).
Let’s try the HTTP server and see what we find.
We’re going to use the brute force program – dirb
Let’s enter the command dir http://<IP address> in my case it will be dirb http://10.10.188.95
Doing this we have:
We didn’t find much.
Let’s move to the SSH server.
We can brute force the password using the hydra command. We’re going to enter the command hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://<IP address> -t 4
In my case it will be hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh:/10.10.188.95 -t 4
Let’s break it down
hydra – command
-l jake – the user we want to brute force
-P /usr/share/wordlists/rockyou.txt – The wordlists (rockyou.txt) we want to brute force the SSH server with
-t 4 – we’re specifying to hydra that we want use 4 threads (more threads make hydra complete faster)
We found the password for jake’s login credentials for SSH. As you can see the password is not secure.
Now we’re going to log into the SSH server with the following ssh jake@<IP address> in my case it will be ssh firstname.lastname@example.org
Doing this we’re prompted to enter our password which is 987654321.
After pressing Enter we’re in!
Now we need to find the user.txt.
How are we going to find this file?
Using the find command
In the terminal let’s enter: find / -name user.txt 2>/dev/null
Let’s break this down
find – the find command
/ – start at the root file system
-name – want to find a file by name
user.txt – the name of the file
2> – redirect errors from standard output (screen)
/dev/null – move the errors (from the 2>) to the /dev/null
Doing this we see:
We found the user.txt
Let’s open the file.
We found the user.txt code.
Now we have one more question – we need to find the root.txt
How are we going to do this?
Let’s see if we can do an escalation of privilege.
One of the first thing we can do is see if the user (jake) can execute any files or directories as root.
How do we check this?
Execute the command sudo -l
Let’s break this command down.
If the user (jake) is in the /etc/sudoers file then the above command will let us know what commands we can execute to get to root.
Entering the command we see:
There’s a command we can enter as to execute our privileges – less.
Let’s see how we can do this.
Doing a google search of less privilege escalation we see the following link.
Click the above link and scrolling down we see how we can do an escalation privilege under the sudo section.
Going back to our terminal let’s enter: sudo less /etc/profile (press) Enter) then enter !/bin/sh
Doing this we see:
Once we press Enter we’re back to the terminal
but if you notice the prompt has changed to a #
doing a whoami we see that we’re root!
Now let’s navigate to the root home directory (/root) to see if the root.txt is located there.
Enter the command cd /root to navigate to the root home directory
Doing a long list to show everything (ls -la) we see there’s a root.txt file!
Now let’s open the root.txt file
Enter the command cat root.txt we see: