Brooklyn Nine Nine

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/Brooklyn99
cd ~/Documents/TryHackMe/eJPT/Brooklyn99
mkdir recon enumeration notes
touch {README.md,vulns,creds}

export IP=10.10.106.147
export URL=http://$IP

Enumeration

The first thing I do when I start a machine is scan for open ports. I do this with nmap and rustscan.

  • rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

  • nmap

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
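The second line of the nmap block pulls the open ports out of the first scan with a grep/cut/tr chain and feeds them to the full service scan. The function below is an added example, not part of the original writeup: it does the same job from nmap's normal (-oN) output, but only accepts lines whose first field is a port/protocol token and whose state column is exactly "open", so "open|filtered" results and header lines such as "Not shown: ... closed ports" never leak into the port list. The sample nmap output is constructed here so the function can be exercised offline; the hostname and timing values in it are placeholders.

```shell
# Added example (not from the original writeup): read an nmap -oN file and
# print the open ports as one comma-separated list for a follow-up `nmap -p`.
# Stricter than a bare grep on "open": the first field must look like
# "<port>/<proto>" and the state field must be exactly "open".
extract_open_ports() {
    # $1 = path to an nmap -oN file
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, a, "/"); print a[1] }' "$1" \
        | sort -n -u \
        | paste -sd, -
}

# Constructed sample of nmap -oN output (placeholder address and timings).
SAMPLE_NMAP=$(mktemp)
cat > "$SAMPLE_NMAP" <<'EOF'
# Nmap 7.80 scan initiated ... as: nmap -Pn -p- -v -T4 -oN recon/nmap.init 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.045s latency).
Not shown: 65532 closed ports
PORT      STATE         SERVICE
21/tcp    open          ftp
22/tcp    open          ssh
80/tcp    open          http
161/udp   open|filtered snmp
# Nmap done at ... -- 1 IP address (1 host up) scanned in 120.00 seconds
EOF

extract_open_ports "$SAMPLE_NMAP"   # prints: 21,22,80
```

In the workflow above this would replace the grep/cut/tr line, for example `extract_open_ports recon/nmap.init > recon/ports`, and the result can be passed straight to `-p $(cat recon/ports)` as before.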

Next I look at the default page of the website. In the page source I found an interesting comment.

So let's download the image and use some steganography tools.


Keep in mind that the path I used for the rockyou wordlist might differ from your path.

When I see port 80 open I usually scan for files and directories, but I didn't find anything here. So let's connect to the FTP server with the default anonymous user.

Jake has a weak password, so let's brute-force the SSH login.

Now I have two users, each with a password, to connect over SSH.

Exploitation

Connect with SSH and find the user flag in holt's home directory.

Search on GTFOBins to see how to exploit this vulnerability.
