Hello fellow enthusiasts;
Today, we are going to solve Brooklyn Nine-Nine's CTF via TryHackMe. Let's cut to the chase.
Assuming that you know VPN connection and connecting your machine to the VPN I won't be talking about them.
First, let's take a look at our machine. It has only presented a picture and writing at the bottom however it seems that it does not help us acquire anything. Let's have a quick look at the source code, maybe we might find something there.
Actually, I might have spotted some useful lines in the source code. But before we check, that let's use a Nmap scan to figure out which port(s) are available.
The Nmap output we see tells that 3 ports are open:
21 FTP
22 ssh
80 http
But for us to gain access with the help of these open ports, we will need a username and a password.
When we check the Nmap output, the 21st port delivers a message like: "Anonymous FTP Login allowed". With this, it of course says that there is a ".txt" file as well.
I want to apply the brute force technique immediately because I need to be sure whether "note_to_jale.txt" file has any clues or not.
I am executing "FTP <ipaddress>" command right away and I have a username which I have to use the trial and error method. In the Nmap output it was telling that it was"anonymous" so I am using this as the username and the password.
It alerts us that the connection has been successful which means we are following the right path.
I am using the "ls" command immediately to see what is inside. It only sent me the "note_to_jake.txt" file.
I want to make sure whether if there are any files that I don't have permission to read so I run the "ls -al" command but there is no response. As a result, I need to download this file to read so I run the following command: "get note_to_jake.txt".
I cut the FTP connection.
I check the file to see what is included. "cat note_to_jake.txt" shows us a message like:" A message from Amy to Jake, in which Jake's password is weak, that he has to change it, and if Holt finds out about this, he/she will be angry."
Our outcome should be that we had 3 usernames:
Jake
Amy
Holt
Since we found out that the password is weak let's try and see if hydra will find the password.
"hydra ssh://<ipaddress> -l username -P rackyou.txt"
hydra is finding the password. This is good news so let's provide the "ssh" connection.
"ssh username@ipaddress" command has been executed and we wrote the password that we got from hydra. Finally, we have successfully established our ssh connection.
Let's check what we have in our current path via executing the "ls" command but it is EMPTY!
Since it is empty let's check our current location: "pwd" This shows that we are at "/home/jake" Just for confirmation purposes let's run "whoami" and again, we saw that we are "jake".
Finally, we executed the "id" command.
Now, TryHackMe requested "User flag" and "Root flag" from me so I run the "find / -name user.txt" command. The reason behind me adding ".txt" at the last part is that it requests a password or a code so I basically guess that it might be hidden in a ".txt" file. I rapidly execute it but there is a problem with my permissions.
So I quickly check "gtfobins.gitjub.io" website to see about upgrading my permission.
Now my permissions are upgraded fully so I am in the "root" level at the machine.
I research my file with "find / -name user.txt" and the path is visible to me now!
I execute "cat /home/holt/user.txt" and I have my first flag!
Let's check if it is correct!
With the same method we scan our "root" file and we have our results.
This CTF is successfully over! See you next time
Today, we are going to solve Brooklyn Nine-Nine's CTF via TryHackMe. Let's cut to the chase.
Assuming that you know VPN connection and connecting your machine to the VPN I won't be talking about them.
First, let's take a look at our machine. It has only presented a picture and writing at the bottom however it seems that it does not help us acquire anything. Let's have a quick look at the source code, maybe we might find something there.
Actually, I might have spotted some useful lines in the source code. But before we check, that let's use a Nmap scan to figure out which port(s) are available.
The Nmap output we see tells that 3 ports are open:
21 FTP
22 ssh
80 http
But for us to gain access with the help of these open ports, we will need a username and a password.
When we check the Nmap output, the 21st port delivers a message like: "Anonymous FTP Login allowed". With this, it of course says that there is a ".txt" file as well.
I want to apply the brute force technique immediately because I need to be sure whether "note_to_jale.txt" file has any clues or not.
I am executing "FTP <ipaddress>" command right away and I have a username which I have to use the trial and error method. In the Nmap output it was telling that it was"anonymous" so I am using this as the username and the password.
It alerts us that the connection has been successful which means we are following the right path.
I am using the "ls" command immediately to see what is inside. It only sent me the "note_to_jake.txt" file.
I want to make sure whether if there are any files that I don't have permission to read so I run the "ls -al" command but there is no response. As a result, I need to download this file to read so I run the following command: "get note_to_jake.txt".
I cut the FTP connection.
I check the file to see what is included. "cat note_to_jake.txt" shows us a message like:" A message from Amy to Jake, in which Jake's password is weak, that he has to change it, and if Holt finds out about this, he/she will be angry."
Our outcome should be that we had 3 usernames:
Jake
Amy
Holt
Since we found out that the password is weak let's try and see if hydra will find the password.
"hydra ssh://<ipaddress> -l username -P rackyou.txt"
hydra is finding the password. This is good news so let's provide the "ssh" connection.
"ssh username@ipaddress" command has been executed and we wrote the password that we got from hydra. Finally, we have successfully established our ssh connection.
Let's check what we have in our current path via executing the "ls" command but it is EMPTY!
Since it is empty let's check our current location: "pwd" This shows that we are at "/home/jake" Just for confirmation purposes let's run "whoami" and again, we saw that we are "jake".
Finally, we executed the "id" command.
Now, TryHackMe requested "User flag" and "Root flag" from me so I run the "find / -name user.txt" command. The reason behind me adding ".txt" at the last part is that it requests a password or a code so I basically guess that it might be hidden in a ".txt" file. I rapidly execute it but there is a problem with my permissions.
So I quickly check "gtfobins.gitjub.io" website to see about upgrading my permission.
Now my permissions are upgraded fully so I am in the "root" level at the machine.
I research my file with "find / -name user.txt" and the path is visible to me now!
I execute "cat /home/holt/user.txt" and I have my first flag!
Let's check if it is correct!
With the same method we scan our "root" file and we have our results.
This CTF is successfully over! See you next time