This is a walkthrough for TryHackMe room Brooklyn Nine Nine
Let’s scan the machine with rustscan for ports
rustscan -a IP
We have 3 port’s open
21 — FTP
22 — SSH
80 — HTTP
Time to get User flag
Let’s see if anonymous login is allowed in FTP.
Yes, login with anonymous is allowed. Let’s see what files are in the folder.
We find 3 usernames — Holt, Amy and Jake
It seems that Jake has a weak password, probably we can brute force and get the password?
hydra -l jake -P /path/to/rockyou.txt ssh://IP -t 50
Yes! We have the password for user jake on SSH.
Let’s login using those credentials.
We are in!!
Let’s find where is the user flag using the command :
find / -name user.txt 2>dev/null
We can see it is in
Let’s grab it!
User flag down!!
Time to get Root flag
We can see it’s running a Ubuntu machine.
There was a recent CVE for getting root access in Ubuntu CVE-2021–3493
(If you wanna know more about this CVE check out this room)
After visiting that site, scroll down until you find a C program. Let’s copy it.
Now let’s go in the
/tmp directory in the compromised machine.
nano text editor to save that code.
Let’s name it
CTRL+SHIFT+V (paste the code you copied)
Let’s compile the program using
gcc exploit.c -o rootshell
Let’s run the binary —
Let’s go in the
/root directory and get the flag.
Root flag down!!