Brooklyn Nine-Nine by Fsociety2006

5 min readJul 11, 2022

IP = 10.10.6.125*
Difficulty: Easy
Machine OS: Linux
Learning Platform: tryhackme.com

*Note: IP address may vary.

Reconnaissance

Scoping and Preparation

Connect to Tryhackme OpenVPN Server using:

sudo openvpn {PATH_TO_OVPN_FILE}

Run our recon tools such as nmap and gobuster.

I ran nmap twice to get the specific ports that are open so I can do OS and Version enumeration faster since I got the open ports needed.

1st Nmap command used: sudo nmap -T4 -p- -oN [FILENAME] [IP]

2nd Nmap command used: sudo nmap -A -T4 -p21,22,80 -oN [FILENAME] [IP]

Gobuster command used: gobuster dir -u http://[IP] -w [WORDLIST] -o [FILENAME FOR OUTPUT] -t [NUMBER OF THREADS]

External Enumeration

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

Nmap scan shows that anonymous FTP login is allowed.

Ubuntu Version: Bionic Beaver

Web Enumeration

Enumerating the web server only gives us a static webpage as shown below.

Let’s check the HTML source code if there are any developer comments.

The comment suggests that the developer used steganography on image. (I checked the image using steghide and the image has embedded data which is password protected and I did not bother try cracking the password. Feel free to try cracking the password for the image.)

Let’s see what the web technologies that the web server use. In this case, I use the browser extension wapplayzer. Link

FTP Enumeration

Going through the FTP server, we found a file named note_to_jake.txt.

To login in FTP:

Command: ftp [IP]

Since anonymous login is allowed, we should set the login name to anonymous and leave the password as blank by pressing enter key on your keyboard. (see image below)

To download the file in FTP:

Command: get [FILENAME]

Now, let’s see the content of the text file: note_to_jake.txt.

Reading the content of the text file suggests that Jake has weak password.

Content Discovery

GoBuster Scan

Let’s check if gobuster found some directories that we can work with.

All of the results shown are HTTP 403: Forbidden error and we can safely assume that the webserver is not useful for us.

Exploitation

We have an idea that Jake has weak password but there is no login page on webpage but we know that there is a SSH port open. We can try to bruteforce/guess the password of Jake using hydra.

Using hydra

Steps:

We have username: jake and we need to bruteforce his password using hydra.

Command: hydra -l jake -P [WORDLIST] ssh://[IP] -t [NUMBER OF THREADS]

2. Wait for hydra to finish.

Results:

Using hydra to crack Jake’s SSH password.

Table 1.2: Credentials

Post-Exploitation

Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

Mini checklist for Linux Privilege Escalation.

Notes: For more information about the commands look here

Tip: When nothing else makes sense, try to use LinPEAS (winPEAS for windows machines.).

We are now logged in as Jake!

Let’s navigate through the /home directory.

Holt’s directory has readable user.txt file.

Looking at the permissions on user.txt file on holt's home directory, we can just read the contents of the flag!

Let’s run the commands on our mini checklist above starting with sudo -l command and try to find privilege escalation vectors to get us to root the machine.

Less binary has can be ran as root with no password.

Privilege Escalation

This privesc is very easy and we can just run:

sudo /usr/bin/less [FILENAME]

Inside the file’s output, type:

!bash

then press enter to get root shell.

Note: Root shell is denoted by # (octothorpe/hashtag/number/pound) sign.

Data Exfiltration

We also exfiltrated the files user.txt, root.txt and the contents /etc/shadow file.

Flags

User.txt: ee11cbb19052e40b07aac0ca060c23ee

Root.txt: 9f0ea7bb98050796b649e85481845

/etc/shadow Contents (only with encrypted passwords/and root user)

root:*:18295:0:99999:7:::
amy:$6$UKs4AX7L$8Q1ET3/4EDtczkEAde4Bkc9g4ao2v3IRbapkqtNnWaKa7a2UHbYGsAEqBPlAwXVq8LK39IRjPwmocYkkkikrR0:18399:0:99999:7:::
holt:$6$arvDAeLb$qQX5UfC/TdI2GELzcrI88B7aD.3NGI9eGyhIQPNdtFIcTfzNdSrxt212lOdNM./UQ0dInL0ej4UliuHKKQcjk0:18399:0:99999:7:::
jake:$6$sAa2xMd5$/EyF9jL6BNeNEYixHkn86Gcvg8UeVJl7FvjXcJH1InhrwObBcN7qecniXkq.Bq1nFA8YS8HD2uk/jf8Ju7KnW0:18401:0:99999:7:::

STATUS: ROOTED

The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.

Persistence

Copied the /etc/shadow file for user identification and their passwords.

Added another root user for easy access.

Clearing Tracks

Removed all logs and footprints to to prevent risk of exposure of breach to security administrator.

Status: Finished

Feel free to reach out and if there is something wrong about the above post. Feedbacks are also appreciated! :D

Donation Box

Not required but appreciated! :D