WriteUp: Bounty Hacker

This is another guide for a free CTF challenge on the website TryHackMe. I personally really like this site and if you’re interested in pentesting, this site is another great resource!

On to the challenge!

Not only is this challenge relatively easy, it is Cowboy Bebop themed! So double the fun for me!

After deploying the machine, we need to find all of the open ports. We can do this using nmap.
nmap -sS -sV -Pn <ip address>

The scan shows three open ports: FTP, SSH, and HTTP.

If we take a quick look at the IP through the browser, we get our mission objective: upon success, we are rewarded with Jet’s famous bell pepper and beef dish! Beyond that there is nothing worth noting, but it is a good habit to run dirbuster or dirsearch against the IP address and to check the page source anyway.

Let’s see if we can use an anonymous login on FTP. Connect to the IP address with the ftp client and sign in with the username “anonymous” and no password.

Awesome! Use the ls command and see that there are two files. Download them to your machine with the get command, exit the FTP session, and take a look at the task.txt file.

Now we know who wrote the task list!
The file locks.txt looks like a bunch of possible passwords. One could say it looks like a wordlist. Perfect for trying to brute force our way into the machine using hydra!
hydra -l <username> -P locks.txt <ip_address> -t 4 <protocol>

Because the next few commands include flags, there’s going to be a lot of masking. However, if you know which port you’re trying to brute force, you’ll get the password and you can log in.

Now we got the user flag! Time to get the coveted root flag!
Unfortunately, the user we log in as is not in the sudo group. So let’s try sudo -l and see whether our user appears in the sudoers file at all.

Ignoring all of the masking, we see that our user can use the tar command as root! But how can we use this command to get our flag?

A website that is great for figuring out how to exploit the tar command is GTFOBins. This site has an extensive list of Linux binaries that can be used to escalate privileges, and if we search for tar, we see we can get a shell. Let’s modify the command a little to skip the shell and go straight to the root flag.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/cat /root/root.txt"

And there we have it! Turn in the root flag and go enjoy some of that bell pepper and beef!

Enjoy!

WriteUp: Brooklyn Nine Nine

In a previous post, I mentioned that a great place to learn hacking techniques is a site called TryHackMe. Since joining the site myself, I have learned a lot of techniques, some of which I use in my role at a cyber security company. And to show off the culmination of everything I am learning, I am going to walk through the steps to retrieve the flags from the room Brooklyn Nine Nine on TryHackMe. This is a free room to join and a relatively easy CTF.

Let’s begin!

There are two ways to get the flags from this box, but first things first: we run the box’s IP address through nmap.
nmap -sS -sV <ip_addr>

Method 1

Notice from the scan that port 21 is open. This is the default port for FTP, which means we may be able to log in anonymously.
ftp <ip_addr>
Type in anonymous as the username and enter a blank password.

Now that we are here, let’s see what we can find. Run the ls command and see that there is a file we can download with the get command. Once the file is on our computer, cat it to reveal this message.
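Both write-ups start by trying an anonymous FTP login by hand. The Python script below is an added example and not part of the original post: it turns that manual check into an audit you can run against your own hosts. `check_anonymous_ftp` performs the same USER/PASS exchange with the standard library's ftplib and reports whether anonymous access is allowed, denied, or the port is unreachable. So that it runs offline, the script also embeds a small constructed fake FTP server (`_FakeFtpHandler`, `start_fake_ftp`) that answers with the reply codes a real server uses; the function names, the loopback host and the random port are assumptions of the example.

```python
import ftplib
import socketserver
import threading


def check_anonymous_ftp(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Audit one FTP service for anonymous access.

    Returns "anonymous-allowed", "anonymous-denied" or "unreachable".
    The client side does what the write-up does by hand: USER anonymous,
    then the conventional e-mail-style password.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        ftp.login("anonymous", "anonymous@")
        result = "anonymous-allowed"
    except ftplib.error_perm:
        # 5xx reply to USER/PASS: the server refused the anonymous account
        result = "anonymous-denied"
    finally:
        try:
            ftp.quit()
        except (OSError, EOFError, ftplib.Error):
            ftp.close()
    return result


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed minimal FTP control channel so the audit runs offline.

    It speaks only USER, PASS and QUIT with the reply codes a real server
    would send; `allow_anonymous` decides whether PASS gets 230 or 530.
    """
    allow_anonymous = True

    def handle(self):
        self.wfile.write(b"220 constructed test server ready\r\n")
        user = ""
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg.lower()
                self.wfile.write(b"331 Please specify the password\r\n")
            elif verb == "PASS":
                if user == "anonymous" and self.allow_anonymous:
                    self.wfile.write(b"230 Login successful\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_fake_ftp(allow_anonymous: bool) -> socketserver.TCPServer:
    """Start the constructed server on a random loopback port; caller shuts it down."""
    handler = type("Handler", (_FakeFtpHandler,), {"allow_anonymous": allow_anonymous})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def audit_fake_servers() -> dict:
    """Run the audit against an open and a locked-down constructed server."""
    results = {}
    for allow in (True, False):
        server = start_fake_ftp(allow)
        try:
            results[allow] = check_anonymous_ftp("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for allow, verdict in audit_fake_servers().items():
        print(f"server configured allow_anonymous={allow}: {verdict}")
```

Against a real host you would call `check_anonymous_ftp(host)` directly; the fake server exists only so the three verdicts can be exercised without network access. A result of "anonymous-allowed" on a box that is not meant to be a public mirror is the misconfiguration both rooms rely on.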

Now we know that Jake is using a weak password. The questions are: Password to what? How do we get it?
Recall from the nmap scan that port 22 is open which is the default port for SSH. We could run the ssh command over and over again trying to guess the password but who has time for that? Let’s use Hydra instead!
Hydra is great for cracking weak passwords for SSH logins. In the command below, we give it a username, a wordlist, an IP address, and the protocol.
hydra -l jake -P rockyou.txt 10.10.5.193 ssh

Jake’s password is now ours! If you need the “rockyou.txt” wordlist, you can download it from here.
Let’s try our newfound password for Jake in SSH.
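Hydra's approach in both write-ups, many password guesses against sshd in a short time, leaves a very recognisable trail in the server's auth log. The Python script below is an added example, not part of the original post, showing how a defender spots it: it parses constructed `auth.log` lines (a sample, not from the box; the year is pinned because syslog timestamps carry none), counts failed logins per source IP inside a sliding window, and raises a second, higher-severity finding when an already-flagged IP later logs in successfully. The thresholds and function names are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the classic syslog auth.log format (not taken from the box).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 box sshd[1201]: Failed password for jake from 10.10.14.7 port 51000 ssh2
Jan 10 12:00:02 box sshd[1203]: Failed password for jake from 10.10.14.7 port 51002 ssh2
Jan 10 12:00:02 box sshd[1205]: Failed password for invalid user admin from 10.10.14.7 port 51004 ssh2
Jan 10 12:00:03 box sshd[1207]: Failed password for jake from 10.10.14.7 port 51006 ssh2
Jan 10 12:00:04 box sshd[1209]: Failed password for jake from 10.10.14.7 port 51008 ssh2
Jan 10 12:00:05 box sshd[1211]: Accepted password for jake from 10.10.14.7 port 51010 ssh2
Jan 10 12:05:00 box sshd[1300]: Failed password for holt from 192.168.1.20 port 40000 ssh2
Jan 10 12:30:00 box sshd[1400]: Accepted publickey for holt from 192.168.1.20 port 40002 ssh2
Jan 10 12:31:00 box CRON[1500]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# syslog timestamps carry no year; the example pins one (assumption).
LOG_YEAR = 2024


def parse_line(line: str):
    """Return a dict for an sshd login-outcome line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['month']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y"
    )
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 4, window_seconds: int = 60) -> list:
    """Flag source IPs with `threshold` or more failures inside a sliding window,
    and separately flag a later successful login from an already-flagged IP."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames attempted
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            users[ip].add(ev["user"])
            # keep only failures within the window, then add this one
            recent[ip] = [t for t in recent[ip]
                          if (ev["ts"] - t).total_seconds() <= window_seconds]
            recent[ip].append(ev["ts"])
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "bruteforce", "ip": ip,
                                 "failures": len(recent[ip]),
                                 "users": sorted(users[ip]), "at": ev["ts"]})
        elif ip in flagged:
            # The outcome a defender cares about most: the guessing worked.
            findings.append({"type": "success-after-bruteforce", "ip": ip,
                             "user": ev["user"], "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

In the sample, 10.10.14.7 reaches four failures within a few seconds and is flagged; its later "Accepted password" line becomes the success-after-bruteforce finding, while the single failure from 192.168.1.20 stays below the threshold. The same logic is what tools like fail2ban apply before banning a source, and a key-only SSH configuration removes the password-guessing path entirely.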

Let’s find some flags!
The first one is the “user” flag. Normally, we can run ls and see that the user flag is in our home directory. But it’s not this time! We can look for the user flag using the find command.
find / -type f -name "user.txt" -exec ls -l {} \; 2>/dev/null

We found the file so let’s read it with cat to get that first delicious flag!

The second flag requires us to become root to read “/root/root.txt”. Let’s see if Jake is in the sudo group. Running groups shows us that Jake is not to be trusted with that much power but he still might have some privileges. Run sudo -l.

Jake is able to use less as root. We can use this command to read files instead of cat.
sudo less /root/root.txt

And with that, we have escalated our privileges and got that pesky root flag! Submit to TryHackMe and enjoy your new badge!

Method 2

There is a port from the nmap scan that wasn’t used in method 1: port 80. Visiting the IP address in a browser takes us to this rather simple webpage.

Besides this lovely picture and text, not much to see here. If we take a look at the page’s source code though, there is a comment asking us if we have heard of steganography. If you have, then you can guess that the picture is protecting more than just the big city. If not, do a quick Google search.
Save the picture to your computer. Next, we will use a tool called steghide to extract any hidden data from the picture, if it exists. You can install steghide from the apt repository if you are using a Debian-based machine. Run the following command to extract any hidden data from the picture.
steghide extract -sf brooklyn99.jpg

I will admit, I was a little baffled here. I was hoping that a password would not be needed in order to extract any hidden data. If you run dirsearch or dirbuster on the IP address, you will find there is not much more to explore via the browser. All seems lost, but fear not! There is a tool to crack steganography passwords!

Stegcracker can crack our steganography password and can be found here. If you have pip3, the install is simple!
pip3 install stegcracker

Now let’s see if we can crack a password. Run stegcracker on the picture using a wordlist.
stegcracker brooklyn99.jpg rockyou.txt

We will use this password in steghide. Run the steghide extract command again and use the password. You should get a message telling you the file “note.txt” was extracted. Open the file and we now have Holt’s password!

Let’s try this password out over SSH. SSH into the box as holt and enter his password. We get in with no problem! Now to find those scrumptious flags!
To find the user flag, run ls. Immediately, we see the file “user.txt”. Read that and get the user flag.

Now to find the root flag.
As always, let’s see if we belong to the sudo group by using the groups command. This does not look promising but there is still sudo -l.

Holt can use the nano editor as root. Let’s open up nano using sudo nano. It takes us to a blank page with some options listed at the bottom. One option that catches our interest is the “Read File” option. Hit CTRL+R and then CTRL+T to bring up nano’s file browser. We can use this to navigate to a file we want to read. Since we are running nano as root, we can go straight to “/root/root.txt” and get our flag!
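In every escalation above (tar, less, nano) the foothold was a `sudo -l` entry that lets a user run, as root, a program GTFOBins lists as able to spawn a shell or read arbitrary files. The Python script below is an added example, not part of the original post: it parses constructed `sudo -l` output (the sample follows sudo's layout but is not either box's real output) and flags such entries, so an administrator can review the sudoers file before an attacker does. The inline binary list, which is a small sample rather than the full GTFOBins catalogue, and the function names are assumptions of the example.

```python
import os
import re

# Constructed `sudo -l` output in the layout sudo prints (not a box's real output).
SAMPLE_SUDO_L = """\
Matching Defaults entries for jake on box:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User jake may run the following commands on box:
    (ALL) NOPASSWD: /usr/bin/less
    (root) /usr/bin/tar
    (root) /usr/bin/nano
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/id
"""

# Small inline sample of binaries GTFOBins documents as able to spawn a shell
# or read arbitrary files when run through sudo (assumption: not exhaustive).
SHELL_ESCAPE_BINARIES = {
    "tar", "less", "more", "nano", "vim", "vi", "find", "awk",
    "python", "python3", "perl", "env", "bash", "sh",
}

# "(runas) TAG: TAG: command" as printed by sudo -l
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text: str) -> list:
    """Return the command entries of `sudo -l` output as dicts."""
    entries = []
    in_commands = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_commands = True       # everything after this header is a rule
            continue
        if not in_commands or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "runas": m["runas"].strip(),
                "tags": re.findall(r"[A-Z]+(?=:)", m["tags"]),
                "cmd": m["cmd"].strip(),
            })
    return entries


def audit_sudo_l(text: str) -> list:
    """Flag entries that hand the user a root shell or arbitrary file read."""
    findings = []
    for entry in parse_sudo_l(text):
        binary = os.path.basename(entry["cmd"].split()[0])
        if entry["cmd"] == "ALL":
            risk = f"unrestricted: any command as {entry['runas']}"
        elif binary in SHELL_ESCAPE_BINARIES:
            risk = f"{binary} can break out to a shell or read files as {entry['runas']}"
        else:
            continue                 # e.g. /usr/bin/id: no known escape
        if "NOPASSWD" in entry["tags"]:
            risk += " (no password prompt)"
        findings.append({"cmd": entry["cmd"], "binary": binary, "risk": risk})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{finding['cmd']:<28} {finding['risk']}")
```

Run against your own `sudo -l` output (for example `sudo -l | python3 audit.py` after reading stdin instead of the constant), every flagged line is a candidate for replacement with a narrower rule, such as a wrapper script with fixed arguments, or for removal. The `id` entry is left alone to show that the audit is about the binary's capabilities, not the presence of sudo rights as such.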

Conclusion

This box is pretty easy to get into, assuming that you have decent Linux command-line skills, good researching skills, and some basic knowledge of pentesting. And if this wasn’t easy, no problem! TryHackMe is chock full of rooms that teach the basics. It may seem difficult at first, but if you stick with it, you’ll be crafting your own writeups to help others one day too!

Happy Hunting!