Try it out: TryHackMe - Brooklyn Nine Nine
[Task 1] Deploy and Get Hacking
Let's go ahead and deploy the machine as usual.
First, let's run an nmap scan:
nmap -sS -sV -sC -Pn <YOUR_MACHINE_IP>
After performing the nmap scan, I found 3 open ports:
- 21 FTP
- 22 SSH
- 80 HTTP
Getting the User Flag
Logged in with FTP anonymous login.
Linux CLI FTP defaults to using active-mode FTP.
Try switching to passive mode with the pass command.
I found a text file called note_to_jake.txt and copied it to my system using the get command.
I read the text file using cat and saw three usernames: Amy, Jake & Holt - which might be useful ahead.
Since it was Jake's account and I didn't know the password required for SSH login, and as Amy mentioned, Jake's password was indeed weak - so I used Hydra to brute-force the password.
hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://machine_ip
Got the password. So we can login with that.
ssh jake@machine_ipPassword is 987654321.
I checked the home directory for the user.txt file and found three directories named after the users above. I checked Holt's directory first, found user.txt, and got the user flag.
Privilege Escalation - Getting the Root Flag
Check our privileges by running:
sudo -l
Seems like we are allowed to run less with sudo rights. For checking exploits I used GTFOBins and searched for less.
I found the following exploit for /usr/bin/less:
https://gtfobins.github.io/gtfobins/less/#sudo
So let's try this:
sudo less /etc/profile
!/bin/sh
Got root access.
Checked the root directory & got the root flag.
Hope you all enjoyed going through this walkthrough.
Happy Hacking!