Hey everyone, I am Deep. I am a security researcher and love to play CTFs. I have been using TryHackMe for quite some time. It has great CTF rooms and many rooms for learning. All the rooms have great writeups and walkthroughs, too. So today I thought, why not write a walkthrough that can help others learn? Today's walkthrough is for the “Brooklyn Nine Nine” room. So, let's get into it.
First, scan the machine with nmap using this command:
nmap -sC -sV -v <machine-ip>
Here, we can see that there are 3 open ports:
21:ftp
22:ssh
80:http
Here, we get interesting results for FTP: the scan shows that we can log in to FTP as anonymous. We can also see that it has a text file named “note_to_jake.txt”.
So, let's log in to FTP as “anonymous” with a blank password. Here, we can find the text file. We can download it using the “get” command.
Once we have downloaded note_to_jake.txt, let's see what it says:
Okay. We can guess that jake is a user on this machine and that he is using a weak password. :)
From our nmap results we know that SSH (port 22) is open. Let's try to brute-force SSH using Hydra. Here, we will try to brute-force the user “jake” using this command:
hydra -l jake -P /usr/share/wordlists/rockyou.txt <machine-ip> ssh -t 4
Great! We found jake’s password.
Now, let's use this password to log in over SSH:
ssh jake@<machine-ip>
And we are in!!
Looking at jake's directory, there was nothing much.
Looking at the /home directory, we can see that there are three users in total.
In holt's home directory we find user.txt, which contains the user flag :)
Now, let's try to escalate our privileges. Let's see whether we are allowed to run any commands as root using:
sudo -l
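We can see that we can run the less command as root. Nice! Because less lets us run a shell command from inside the pager, we can leverage this to get a root shell: open a file with less under sudo, then type the second line at the less prompt: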
sudo less /etc/profile
!/bin/sh
Awesome! We are root. Now let’s get the root flag.
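From the defender's side, the same finding can be caught before anyone abuses it. The script below is an added example, not part of the room or of the original walkthrough: it reads `sudo -l` output and flags rules that grant a pager or editor with a shell escape, like the less rule above. The sample output, the hostname and the short program list are constructed for the example.

```python
import os
import re

# Programs with a built-in "run a shell command" feature (pagers, editors).
# Illustrative subset chosen for this example, not an exhaustive list.
SHELL_ESCAPE = {"less", "more", "man", "vi", "vim", "view", "ed"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")  # "(runas) TAGS: cmds"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")                          # e.g. "NOPASSWD: "

def audit_sudo_l(text):
    """Return (runas, command, reason) for each risky rule in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers and "Defaults" lines carry no rules
        rest = m.group("rest")
        tag_match = TAGS.match(rest)
        tags = tag_match.group(0) if tag_match else ""
        for cmd in (c.strip() for c in rest[len(tags):].split(",")):
            if not cmd or cmd.startswith("!"):
                continue  # negated entries deny rather than grant
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif os.path.basename(cmd.split()[0]) in SHELL_ESCAPE:
                if "NOEXEC:" in tags:
                    continue  # sudoers NOEXEC tag stops the program running further commands
                reason = "interactive program with shell escape"
            else:
                continue
            findings.append((m.group("runas"), cmd, reason))
    return findings

# Constructed sample output (hostname and rules invented for the example).
SAMPLE = """\
Matching Defaults entries for jake on examplehost:
    env_reset, mail_badpass

User jake may run the following commands on examplehost:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /usr/bin/man
    (root) /sbin/reboot, /usr/bin/vim /etc/hosts
"""

if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE):
        print(f"[!] as {runas}: {cmd} -> {reason}")
```

Rules it flags are candidates for removal, for the NOEXEC tag, or for sudoedit where the real need is editing a single file.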
Thank you everyone.
Thank you, fsociety2006, for creating a beginner-friendly room.