Brooklyn Nine-Nine ~ TryHackMe

MaliciousX

16 Nov 2019
Hello fellow enthusiasts;
Today, we are going to solve Brooklyn Nine-Nine's CTF via TryHackMe. Let's cut to the chase.


Assuming that you know how to set up the VPN connection and connect your machine to the VPN, I won't be talking about them.

First, let's take a look at our machine. It only presents a picture and some writing at the bottom; however, it seems that it does not help us acquire anything. Let's have a quick look at the source code, maybe we might find something there.



Actually, I might have spotted some useful lines in the source code. But before we check that, let's use an Nmap scan to figure out which port(s) are available.




The Nmap output we see tells that 3 ports are open:
21 FTP
22 ssh
80 http

But for us to gain access with the help of these open ports, we will need a username and a password.
When we check the Nmap output, port 21 delivers a message like: "Anonymous FTP Login allowed". With this, it of course says that there is a ".txt" file as well.
I want to apply the brute force technique immediately because I need to be sure whether the "note_to_jake.txt" file has any clues or not.




I am executing the "ftp <ipaddress>" command right away, and for the username I have to use the trial and error method. The Nmap output was telling us that it was "anonymous", so I am using this as the username and the password.
It alerts us that the connection has been successful, which means we are following the right path.



I am using the "ls" command immediately to see what is inside. It only sent me the "note_to_jake.txt" file.



I want to make sure whether there are any files that I don't have permission to read, so I run the "ls -al" command, but there is no response. As a result, I need to download this file to read it, so I run the following command: "get note_to_jake.txt".



I cut the FTP connection.
I check the file to see what is included. "cat note_to_jake.txt" shows us a message like: "A message from Amy to Jake, in which Jake's password is weak, that he has to change it, and if Holt finds out about this, he/she will be angry."

Our outcome should be that we had 3 usernames:
Jake
Amy
Holt





Since we found out that the password is weak, let's try and see if hydra will find the password.

"hydra ssh://<ipaddress> -l username -P rockyou.txt"

hydra is finding the password. This is good news, so let's establish the "ssh" connection.



The "ssh username@ipaddress" command has been executed and we wrote the password that we got from hydra. Finally, we have successfully established our ssh connection.
Let's check what we have in our current path by executing the "ls" command, but it is EMPTY!
Since it is empty, let's check our current location: "pwd". This shows that we are at "/home/jake". Just for confirmation purposes let's run "whoami", and again, we see that we are "jake".
Finally, we executed the "id" command.



Now, TryHackMe requested a "User flag" and a "Root flag" from me, so I run the "find / -name user.txt" command. The reason behind me adding ".txt" at the last part is that it requests a password or a code, so I basically guess that it might be hidden in a ".txt" file. I rapidly execute it but there is a problem with my permissions.



So I quickly check the "gtfobins.github.io" website to see about upgrading my permissions.




Now my permissions are upgraded fully, so I am at the "root" level on the machine.




I search for my file again with "find / -name user.txt" and the path is visible to me now!





I execute "cat /home/holt/user.txt" and I have my first flag!
Let's check if it is correct!




With the same method we scan our "root" file and we have our results.




This CTF is successfully over! See you next time :)
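
Seen from the defender's side, the hydra run against SSH in the walkthrough above leaves a burst of failed logins followed by one accepted login in the sshd log. The following is an added example, not part of the original post, that flags that pattern; the log lines, host name, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from the original post).
SAMPLE_LOG = """\
Nov 16 10:00:01 b99 sshd[901]: Failed password for jake from 10.9.0.5 port 40001 ssh2
Nov 16 10:00:02 b99 sshd[902]: Failed password for jake from 10.9.0.5 port 40002 ssh2
Nov 16 10:00:03 b99 sshd[903]: Failed password for jake from 10.9.0.5 port 40003 ssh2
Nov 16 10:00:04 b99 sshd[904]: Failed password for jake from 10.9.0.5 port 40004 ssh2
Nov 16 10:00:05 b99 sshd[905]: Failed password for jake from 10.9.0.5 port 40005 ssh2
Nov 16 10:00:06 b99 sshd[906]: Failed password for jake from 10.9.0.5 port 40006 ssh2
Nov 16 10:00:09 b99 sshd[907]: Accepted password for jake from 10.9.0.5 port 40007 ssh2
Nov 16 11:30:00 b99 sshd[950]: Failed password for holt from 10.9.0.77 port 51000 ssh2
Nov 16 11:30:20 b99 sshd[951]: Accepted password for holt from 10.9.0.77 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(log_text, year=2000):
    """Yield (timestamp, result, user, ip); syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert on (ip, user) pairs with >= threshold failures inside the window.
    'compromised' becomes True when an accepted login follows the burst."""
    failures, alerts = defaultdict(list), {}
    for ts, result, user, ip in parse(log_text):
        key = (ip, user)
        if result == "Failed":
            # Keep only failures still inside the sliding window, plus this one.
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "compromised": False})
                alert["failures"] = max(alert["failures"], len(failures[key]))
        elif key in alerts:
            alerts[key]["compromised"] = True
    return alerts

if __name__ == "__main__":
    print(detect_guessing(SAMPLE_LOG))
```

The single mistyped password for "holt" stays below the threshold, so only the guessing burst against "jake" is reported.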

 