This is a walkthrough for the TryHackMe room Brooklyn Nine Nine.
Let’s scan the machine for open ports with rustscan:
rustscan -a IP
We have 3 ports open:
21 — FTP
22 — SSH
80 — HTTP
Time to get User flag
Let’s see if anonymous login is allowed in FTP.
Yes, login with anonymous is allowed. Let’s see what files are in the folder.
We find 3 usernames — Holt, Amy and Jake
It seems that Jake has a weak password, so we can probably brute-force it:
hydra -l jake -P /path/to/rockyou.txt ssh://IP -t 50
Yes! We have the password for user jake on SSH.
Let’s log in using those credentials.
We are in!!
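From the defender's side, the hydra run above followed by a successful SSH login leaves a clear trail in the sshd log. The following is an added example, not part of the original walkthrough: it flags a burst of failed passwords followed by an accepted one from the same source. The log lines, host name b99, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not taken from the room).
SAMPLE_LOG = """\
Mar 10 10:00:01 b99 sshd[2001]: Failed password for jake from 10.10.10.5 port 40001 ssh2
Mar 10 10:00:01 b99 sshd[2002]: Failed password for jake from 10.10.10.5 port 40002 ssh2
Mar 10 10:00:02 b99 sshd[2003]: Failed password for jake from 10.10.10.5 port 40003 ssh2
Mar 10 10:00:02 b99 sshd[2004]: Failed password for jake from 10.10.10.5 port 40004 ssh2
Mar 10 10:00:03 b99 sshd[2005]: Failed password for jake from 10.10.10.5 port 40005 ssh2
Mar 10 10:00:03 b99 sshd[2006]: Failed password for jake from 10.10.10.5 port 40006 ssh2
Mar 10 10:00:04 b99 sshd[2007]: Accepted password for jake from 10.10.10.5 port 40007 ssh2
Mar 10 11:30:00 b99 sshd[2101]: Failed password for holt from 10.10.10.9 port 51000 ssh2
Mar 10 11:30:20 b99 sshd[2102]: Accepted password for holt from 10.10.10.9 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse(log, year=2024):
    """Yield (timestamp, result, user, source) for each sshd password event."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_bruteforce_success(log, threshold=5, window=timedelta(minutes=5)):
    """Return (user, source, failures) where at least `threshold` failures from
    one source within `window` were followed by an accepted password."""
    failures = defaultdict(list)
    alerts = []
    for ts, result, user, src in parse(log):
        key = (user, src)
        if result == "Failed":
            failures[key].append(ts)
        else:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((user, src, len(recent)))
            failures[key].clear()  # a success resets the counter for this pair
    return alerts

if __name__ == "__main__":
    for user, src, n in find_bruteforce_success(SAMPLE_LOG):
        print(f"ALERT: {n} failed logins then success for {user} from {src}")
```

The single mistyped password for holt stays below the threshold and is not flagged.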
Let’s find where the user flag is using the command: find / -name user.txt 2>/dev/null
We can see it is in /home/holt.
Let’s grab it!
User flag down!!
Time to get Root flag
We can see it’s an Ubuntu machine.
There was a recent CVE for getting root access in Ubuntu: CVE-2021-3493
(If you wanna know more about this CVE check out this room)
After visiting that site, scroll down until you find a C program. Let’s copy it.
Now let’s go in the /tmp directory in the compromised machine.
Use the nano text editor to save that code.
Let’s name it exploit.c
Steps:
nano exploit.c
CTRL+SHIFT+V (paste the code you copied)
CTRL+X
Press y
ENTER
Let’s compile the program using gcc
gcc exploit.c -o rootshell
Let’s run the binary — ./rootshell
Let’s go in the /root directory and get the flag.
Root flag down!!