scr1++y

Writeups for CTF Challenges


Brooklyn Nine-Nine by Fsociety2006

IP = 10.10.6.125*
Difficulty: Easy
Machine OS: Linux
Learning Platform: tryhackme.com

*Note: IP address may vary.

Reconnaissance

Scoping and Preparation

Connect to Tryhackme OpenVPN Server using:

Run our recon tools such as nmap and gobuster.

I ran nmap twice: first to get the specific ports that are open, so that I could do OS and version enumeration faster on just those ports.

1st Nmap command used: sudo nmap -T4 -p- -oN [FILENAME] [IP]

2nd Nmap command used: sudo nmap -A -T4 -p21,22,80 -oN [FILENAME] [IP]

Gobuster command used: gobuster dir -u http://[IP] -w [WORDLIST] -o [FILENAME FOR OUTPUT] -t [NUMBER OF THREADS]

External Enumeration

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

PORT STATUS SERVICE VERSION
21/tcp open FTP vsftpd 3.0.3
22/tcp open SSH OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open HTTP Apache httpd 2.4.29 ((Ubuntu))

Nmap Scan

Nmap scan shows that anonymous FTP login is allowed.

Ubuntu Version: Bionic Beaver

Web Enumeration

Enumerating the web server only gives us a static webpage as shown below.

HTTP webserver

Let’s check the HTML source code for any developer comments.

HTML source

The comment suggests that the developer used steganography on an image. (I checked the image using steghide: it has embedded data which is password protected, and I did not bother trying to crack the password. Feel free to try cracking the password for the image.)

Let’s see which web technologies the web server uses. In this case, I use the browser extension Wappalyzer.

WebTech

FTP Enumeration

Going through the FTP server, we found a file named note_to_jake.txt.

To log in to FTP:

Command: ftp [IP]

Since anonymous login is allowed, we set the login name to anonymous and leave the password blank by pressing the Enter key. (see image below)

Note to Jake

To download the file in FTP:

Command: get [FILENAME]

Download FTP file

Now, let’s see the content of the text file: note_to_jake.txt.

Note to Jake contents

Reading the content of the text file suggests that Jake has a weak password.

Content Discovery

GoBuster Scan

Let’s check if gobuster found some directories that we can work with.

GoBuster Scan

All of the results shown are HTTP 403 Forbidden errors, so we can safely assume that the web server is not useful to us.

Exploitation

We have an idea that Jake has a weak password. There is no login page on the website, but we know that the SSH port is open, so we can try to brute-force/guess Jake's password using hydra.

Using hydra

Steps:

  1. We have the username jake and need to brute-force his password using hydra.

    Command: hydra -l jake -P [WORDLIST] ssh://[IP] -t [NUMBER OF THREADS]

  2. Wait for hydra to finish.

    Results:

    Hydra result

Table 1.2: Credentials

Username Password
jake 987654321
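A hydra run like the one above leaves a dense burst of "Failed password" lines in the target's auth.log, usually followed by one "Accepted password" line when a guess lands. The following detector is an added example (not part of the original writeup) that parses constructed sshd log lines, flags any (source IP, user) pair with a burst of failures inside a time window, and notes whether a successful login followed the burst; host name, IPs and timestamps in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the writeup's target): a burst of failed
# logins for "jake" from one source, a success right after, then unrelated noise.
SAMPLE_AUTH_LOG = """\
Apr  3 10:15:01 b99 sshd[1201]: Failed password for jake from 10.9.1.50 port 41230 ssh2
Apr  3 10:15:01 b99 sshd[1202]: Failed password for jake from 10.9.1.50 port 41232 ssh2
Apr  3 10:15:02 b99 sshd[1203]: Failed password for jake from 10.9.1.50 port 41234 ssh2
Apr  3 10:15:02 b99 sshd[1204]: Failed password for jake from 10.9.1.50 port 41236 ssh2
Apr  3 10:15:03 b99 sshd[1205]: Failed password for jake from 10.9.1.50 port 41238 ssh2
Apr  3 10:15:04 b99 sshd[1206]: Accepted password for jake from 10.9.1.50 port 41240 ssh2
Apr  3 10:20:30 b99 sshd[1301]: Failed password for invalid user admin from 10.9.2.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")

def parse_auth_log(text):
    """Yield (timestamp, result, user, ip) for each sshd password-auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; the default year is fine for ordering one file
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """One alert per (ip, user) with >= threshold failures inside window_s seconds;
    the alert records whether a successful login followed the burst."""
    events = defaultdict(list)
    for ts, result, user, ip in parse_auth_log(text):
        events[(ip, user)].append((ts, result))
    alerts = []
    for (ip, user), evs in events.items():
        evs.sort()
        failures = [ts for ts, r in evs if r == "Failed"]
        for i in range(len(failures) - threshold + 1):   # sliding window over failures
            burst_end = failures[i + threshold - 1]
            if (burst_end - failures[i]).total_seconds() <= window_s:
                success = any(r == "Accepted" and t >= burst_end for t, r in evs)
                alerts.append({"ip": ip, "user": user, "failures": len(failures),
                               "success_after_burst": success})
                break
    return alerts
```

The same window logic applies to a real /var/log/auth.log; the threshold only needs to be low because hydra with several threads produces many failures per second.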

Post-Exploitation

Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

COMMAND DESCRIPTION
ss -tlnp lists listening sockets (-t = tcp) (-l = listening) (-n = numeric) (-p = processes)
netstat -tulnp older equivalent of the above; -u also includes UDP sockets
sudo -l lists the commands the current user may run with sudo (may prompt for a password)
find / -type f -user root -perm -u+s 2>/dev/null finds root-owned files under / with the SUID bit set. If any, consult GTFOBins.
uname -a prints system information (-a = all)
whoami && id prints the user name for the effective user ID (EUID), then the real and effective user ID and group IDs (GID)
cat /etc/crontab lists system-wide cron jobs

Notes: For more information about these commands, consult their man pages (e.g. man ss).

Tip: When nothing else makes sense, try LinPEAS (winPEAS for Windows machines).

We are now logged in as Jake!

logged in as jake

Let’s navigate through the /home directory.

Holt's readable flag

Looking at the permissions of the user.txt file in holt's home directory, we can just read the contents of the flag!

Let’s run the commands from our mini checklist above, starting with sudo -l, and try to find privilege escalation vectors that get us root on the machine.

passwordless less binary

Privilege Escalation

This privesc is very easy and we can just run:

Inside the file’s output, type:

Note: A root shell is denoted by the # (octothorpe/hashtag/number/pound) sign.

Rooted
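The vector here is a sudo rule that lets jake run less as root without a password, and less can spawn a shell, so the rule is effectively a root shell. The audit below is an added example (not from the writeup) that parses constructed sudo -l output modelled on that finding and rates each rule: ALL is critical, a binary from a small GTFOBins-style shell-escape list is high when tagged NOPASSWD and medium otherwise. The host name, the second rule and the binary list are assumptions.

```python
import re

# Subset of binaries GTFOBins lists as able to spawn a shell when run via sudo;
# consult GTFOBins for the full list before treating anything else as safe.
SHELL_ESCAPE_BINS = {"less", "more", "vim", "vi", "nano", "find", "awk", "man",
                     "env", "python", "python3", "perl", "ftp", "bash", "sh"}

# Constructed `sudo -l` output modelled on the writeup's finding (not the machine's real output).
SAMPLE_SUDO_L = """\
Matching Defaults entries for jake on brooklyn99:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jake may run the following commands on brooklyn99:
    (ALL) NOPASSWD: /usr/bin/less
    (root) /usr/bin/systemctl restart apache2, /usr/bin/tail -f /var/log/apache2/access.log
"""

# One rule line: "(runas) TAG: TAG: cmd1, cmd2" (tags optional)
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return one dict per command spec found in `sudo -l` output."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True          # rule lines follow this header
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if not m:
            continue
        tags = set(m["tags"].replace(":", " ").split())
        for spec in m["cmds"].split(","):   # simplification: escaped commas in args are not handled
            rules.append({"runas": m["runas"].strip(), "nopasswd": "NOPASSWD" in tags,
                          "command": spec.strip()})
    return rules

def audit_sudo_l(text):
    """Rate each sudo rule: ALL is critical, a shell-escape binary is high when NOPASSWD."""
    findings = []
    for r in parse_sudo_l(text):
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if r["command"] == "ALL":
            risk = "critical"
        elif binary in SHELL_ESCAPE_BINS:
            risk = "high" if r["nopasswd"] else "medium"
        else:
            risk = "info"
        findings.append({**r, "binary": binary, "risk": risk})
    return findings
```

Running this against the output of sudo -l on each host (or against the sudoers files directly) is a cheap way to catch the pattern before an attacker does; the fix is to remove the rule or restrict it to a non-interactive command.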

Data Exfiltration

We also exfiltrated the files user.txt and root.txt and the contents of the /etc/shadow file.

Flags

User.txt: ee11cbb19052e40b07aac0ca060c23ee

Root.txt: 9f0ea7bb98050796b649e85481845

/etc/shadow contents (only the entries with password hashes, plus the root user)


STATUS: ROOTED

The next two steps are not necessary to complete the machine, but they round out the 5 Phases of Penetration Testing.

Persistence

Copied the /etc/shadow file for user identification and their passwords.

Added another root user for easy access.

Clearing Tracks

Removed all logs and footprints to prevent the breach from being exposed to the security administrator.

Status: Finished

Feel free to reach out if there is something wrong with the above post. Feedback is also appreciated! :D
