Brooklyn Nine Nine

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/Brooklyn99
cd ~/Documents/TryHackMe/eJPT/Brooklyn99
mkdir recon enumeration notes
touch {README.md,vulns,creds}

export IP=10.10.106.147
export URL=http://$IP

Enumeration

The first thing I do when I start a machine is scan for open ports. I do this with nmap and rustscan.

  • rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init
  • nmap

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
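The grep/cut/tr chain above feeds the open ports of the full scan into the targeted -sV/-A scan. As an added example (not the writeup's own pipeline), here is the same step written so it keeps only TCP ports whose state is exactly "open" (a "filtered" port, or an "open|filtered" one, would otherwise slip into the list) and fails cleanly when nothing is open. The nmap output it parses is a constructed sample in the shape of a -oN file; the IP and output paths are the ones used on this page.

```bash
#!/usr/bin/env bash
# Added example (not the writeup's own pipeline): turn nmap -oN output into the
# comma-separated port list that the targeted -sV/-A scan needs, keeping only
# TCP ports whose state is exactly "open".
set -eu

extract_open_ports() {
    # $1: path to an nmap normal-output (-oN) file.
    # Prints e.g. "21,22,80"; returns 1 (prints nothing) if no port is open.
    ports=$(awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' "$1" \
        | paste -s -d ',' -)
    [ -n "$ports" ] || return 1
    printf '%s\n' "$ports"
}

# Constructed sample in the format nmap -oN writes; the 25/tcp line is there to show
# that a filtered port is left out of the list.
WORK=$(mktemp -d)
SAMPLE="$WORK/nmap.init"
cat > "$SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -p- -v -T4 --max-retries 5 -oN recon/nmap.init 10.10.106.147
Nmap scan report for 10.10.106.147
Host is up (0.045s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE    SERVICE
21/tcp  open     ftp
22/tcp  open     ssh
25/tcp  filtered smtp
80/tcp  open     http
# Nmap done -- 1 IP address (1 host up) scanned
EOF

if PORTS=$(extract_open_ports "$SAMPLE"); then
    echo "open ports: $PORTS"
    # Second-stage scan from the writeup; only printed here because it needs root and the live host.
    echo "sudo nmap -Pn -sS -sV -n -v -A -T4 -p $PORTS ${IP:-10.10.106.147} -oN recon/nmap.alltcp"
else
    echo "no open TCP ports in $SAMPLE" >&2
fi
```

Matching on the STATE column rather than on the word "open" anywhere in the line is the difference that matters: on a real -oN file the original chain works, but it will also pick up ports nmap reports as open|filtered, and it produces an empty -p argument (which makes nmap error out) when the host has nothing open.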

Look for the default page on the website. In the source code I found an interesting comment.

So let's download the image and use some steganography tools.

Keep in mind that the path I used for the rockyou wordlist might differ from your path.
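The wordlist path really does differ between machines: a fresh Kali has only /usr/share/wordlists/rockyou.txt.gz until someone unpacks it, and other distributions put it elsewhere or not at all. As an added example (not the writeup's own commands), the script below locates rockyou.txt, unpacking a .gz copy into a writable directory when that is all it finds, and then hands it to a steghide passphrase cracker. Assumptions, not taken from the page: stegseek is the cracker (its usage is `stegseek <image> <wordlist>`, and it writes the recovered file next to the image with a .out suffix), and the candidate directories are just the usual places.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): find a usable rockyou.txt, unpacking Kali's
# rockyou.txt.gz if that is all there is, then brute-force the steghide passphrase.
# Assumptions: stegseek is installed; the search directories below are where lists live.
set -eu

find_rockyou() {
    # $1: writable directory to unpack a .gz copy into; $2..: directories to search in order.
    # Prints the path of a ready-to-use rockyou.txt, or returns 1 if none of them has it.
    outdir=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/rockyou.txt" ]; then
            printf '%s\n' "$dir/rockyou.txt"; return 0
        fi
        if [ -f "$dir/rockyou.txt.gz" ]; then
            # Decompress a copy instead of writing into /usr/share (needs root), and
            # because most crackers will not read a gzipped list directly.
            gzip -dc "$dir/rockyou.txt.gz" > "$outdir/rockyou.txt"
            printf '%s\n' "$outdir/rockyou.txt"; return 0
        fi
    done
    return 1
}

crack_steg() {
    # $1: image downloaded from the site; $2: wordlist. stegseek (assumed) extracts to "$1.out".
    stegseek "$1" "$2"
}

# Only touch a real image when one is passed on the command line and the cracker exists,
# so the script is safe to source or run without arguments.
if [ -n "${1:-}" ] && command -v stegseek >/dev/null 2>&1; then
    WL=$(find_rockyou "${TMPDIR:-/tmp}" /usr/share/wordlists "${HOME:-/root}/wordlists") \
        || { echo "rockyou.txt not found; pass the path to your copy yourself" >&2; exit 1; }
    crack_steg "$1" "$WL"
fi
```

Run it as `./steg.sh brooklyn99.jpg` (hypothetical file names). If the cracker reports no match, the image may not be a steghide container at all; check with `steghide info <image>` before burning more time on wordlists.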

When I see port 80 open I usually scan for files and directories, but here I didn't find anything. So let's connect to the FTP server with the default anonymous user.

Jake has a weak password, so let's brute-force the ssh login.

Now I have 2 users, and a password for each of them to connect over ssh.

Exploitation

Connect with ssh and read the user flag in holt's home directory.

Search on GTFOBins to see how to exploit this vulnerability.
