Let's solve an interesting Tryhackme lab named "Brooklyn Nine Nine" , it's theme is based on the TV series Brooklyn Nine Nine. Ps : You don't have to watch the whole series to solve the lab, but it would be a fun to watch.
Let's connect to our VPN and start the machine.
Let's copy the IP and use our first tool, Nmap.
nmap -A -p 0-10000 <IP address> -Pn
Okay we some interesting results of nmap scan.
We can observe that FTP with user ftp, SSH and HTTP is open. Let's see the easiest one first, HTTP.
We get this image :
Lets inspect the page using dev tools and see what other things we can see.
Okay, this is an interesting message. looks like we can do some steganography.
strings <filename>
so looking at the results, there is nothing we can find interesting. maybe it could be a distraction.
Let's move on to FTP. we know that the user here is "ftp". You can use filezilla, but I am going to write the command in CLI.
ftp <IP address>
woah! no password, even better. direct ftp, we'll do ls and we see a file inside it. let's download it and see it's contents.
we can see some names here; jake, amy and holt.
let's try our luck on ssh now.
ssh user@<IP address>
hmm, so we don't know the password. We'll do hydra now.
hydra -l jake -P <wordlist path> ssh://<IP address>
boom, we got the password. (how did I sound like Charles Boyle)
let's login again using ssh
now we are in jake's machine.
let's roam in a bit to see find user flag.
there we have it, User flag. let's enter and move to find root flag.
let's try sudo su to see whether we can get root access.
so we have to find some other way. let's do sudo -l, to see what set of commands we can run without root privileges
okay we can run less command as less command with root privileges to gain root access. For this we have to go to GTFO bins to find the best method.
so we have to use the first command
sudo less /etc/hoststhen we have to write this line at the end
yayy, we have got the root shell now. let's cd to root directory and see the root flag.
there we go, we found the flag.
Our lab is completed now.
Thanks for reading my article. hope you have enjoyed.