TryHackMe write-up: Brooklyn Nine Nine (Second Method)

m0ndzon3
Jun 24, 2021

Introduction

This is my 2nd write-up for TryHackMe’s Brooklyn Nine Nine Room. According to the room description, there are 2 ways to root the box. The first method was described in an earlier post. The 2nd method will be described here.

Enumeration

Using nmap, I saw that this box is running FTP, SSH and HTTP.

It turns out, FTP allows anonymous access.

Downloading the note, I found that one user uses a weak password.

Exploitation

Running hydra, I quickly found the password.

Using the cracked password, I was able to SSH to the target.

A simple find command allowed me to find the location of user.txt. Turns out I have read access to it.

Privilege Escalation

Checking for sudo privileges, I found that I could run “less” under sudo.

According to GTFOBins, “less” can be used to elevate privileges.

Running “sudo /usr/bin/less /etc/profile” opens /etc/profile inside the “less” viewer. Following the instructions from GTFOBins, I typed in the following from inside “less”:

!/bin/sh

This started “sh” as root, thus giving me elevated privileges. I was then able to view the contents of root.txt.
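From the defender's side, the misconfiguration used above is a sudo rule that grants a pager without the sudoers NOEXEC tag. The following Python script is an added example, not part of the original write-up: it scans sudoers-style rules and reports such grants. The binary list, the sample rules and the user names are assumptions made for illustration.

```python
import os
import re

# Assumed short list of programs with an interactive shell escape;
# GTFOBins documents many more. Extend it for a real audit.
SHELL_ESCAPE_BINARIES = {"less", "more", "man", "vi", "vim", "nano"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

# Constructed sample rules; users and commands are hypothetical.
SAMPLE = """\
Defaults env_reset
alice ALL=(ALL) NOPASSWD: /usr/bin/less
bob   ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog, /usr/bin/vim
carol ALL=(root) NOEXEC: /usr/bin/more, EXEC: /usr/bin/man
dave  ALL=(root) /usr/bin/systemctl restart nginx
"""


def audit_sudoers(text):
    """Return (user, command) pairs granting an escapable binary without NOEXEC.

    Simplification: aliases and the ALL command keyword are not expanded.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES) or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        user = who.split()[0]
        spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)  # drop "(runas)" prefix
        noexec = False  # a tag applies to the rest of the list until reversed
        for item in spec.split(","):
            tags, command = TAG_RE.match(item.strip()).groups()
            for tag in re.findall(r"[A-Z_]+", tags):
                if tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
            if not command:
                continue
            if os.path.basename(command.split()[0]) in SHELL_ESCAPE_BINARIES and not noexec:
                findings.append((user, command))
    return findings


if __name__ == "__main__":
    for user, command in audit_sudoers(SAMPLE):
        print(f"{user}: {command} allows a shell escape; add NOEXEC or remove the rule")
```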