ENUMERATION
RUSTSCAN
┌──(gforce㉿kali)-[~/tryhackme]
└─$ rustscan -a B99.thm -- -A -sVC
[~] The config file is expected to be at "/home/gforce/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.147.175:21
Open 10.10.147.175:22
Open 10.10.147.175:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A -sVC" on ip 10.10.147.175
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-02 16:36 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:36
Completed NSE at 16:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:36
Completed NSE at 16:36, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:36
Completed NSE at 16:36, 0.00s elapsed
Initiating Ping Scan at 16:36
Scanning 10.10.147.175 [4 ports]
Completed Ping Scan at 16:36, 0.17s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 16:36
Scanning B99.thm (10.10.147.175) [3 ports]
Discovered open port 22/tcp on 10.10.147.175
Discovered open port 80/tcp on 10.10.147.175
Discovered open port 21/tcp on 10.10.147.175
Completed SYN Stealth Scan at 16:36, 0.19s elapsed (3 total ports)
Initiating Service scan at 16:36
Scanning 3 services on B99.thm (10.10.147.175)
Completed Service scan at 16:36, 6.40s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against B99.thm (10.10.147.175)
Retrying OS detection (try #2) against B99.thm (10.10.147.175)
WARNING: OS didn't match until try #2
Initiating Traceroute at 16:36
Completed Traceroute at 16:36, 0.17s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:36
Completed Parallel DNS resolution of 1 host. at 16:36, 0.06s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
NSE: Script scanning 10.10.147.175.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:36
NSE: [ftp-bounce 10.10.147.175:21] PORT response: 500 Illegal PORT command.
Completed NSE at 16:36, 6.03s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:36
Completed NSE at 16:36, 1.59s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:36
Completed NSE at 16:36, 0.00s elapsed
Nmap scan report for B99.thm (10.10.147.175)
Host is up, received echo-reply ttl 63 (0.25s latency).
Scanned at 2025-05-02 16:36:08 EDT for 22s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.1.97
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQjh/Ae6uYU+t7FWTpPoux5Pjv9zvlOLEMlU36hmSn4vD2pYTeHDbzv7ww75UaUzPtsC8kM1EPbMQn1BUCvTNkIxQ34zmw5FatZWNR8/De/u/9fXzHh4MFg74S3K3uQzZaY7XBaDgmU6W0KEmLtKQPcueUomeYkqpL78o5+NjrGO3HwqAH2ED1Zadm5YFEvA0STasLrs7i+qn1G9o4ZHhWi8SJXlIJ6f6O1ea/VqyRJZG1KgbxQFU+zYlIddXpub93zdyMEpwaSIP2P7UTwYR26WI2cqF5r4PQfjAMGkG1mMsOi6v7xCrq/5RlF9ZVJ9nwq349ngG/KTkHtcOJnvXz
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBItJ0sW5hVmiYQ8U3mXta5DX2zOeGJ6WTop8FCSbN1UIeV/9jhAQIiVENAW41IfiBYNj8Bm+WcSDKLaE8PipqPI=
| 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2hV8Nm+RfR/f2KZ0Ub/OcSrqfY1g4qwsz16zhXIpqk
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Uptime guess: 4.413 days (since Mon Apr 28 06:41:04 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 166.35 ms 10.9.0.1
2 164.70 ms B99.thm (10.10.147.175)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:36
Completed NSE at 16:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:36
Completed NSE at 16:36, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:36
Completed NSE at 16:36, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.05 seconds
Raw packets sent: 61 (4.280KB) | Rcvd: 43 (3.180KB)
- Immediately I see that there are ways I can get some access, like using the anonymous access to FTP and the fact that I can read the contents (the permissions set allow that).
- But first, I will start with the website at port 80 (HTTP) and see what I get.
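The FTP exposure visible in the scan above can be turned into a repeatable audit check. The following is an added example, not part of the original write-up: it parses Nmap's text report and lists anonymous login, world-readable files and plain-text channels per FTP port. The function name audit_ftp and the sample excerpt are assumptions made for illustration.

```python
import re

# Constructed sample: lines taken from the Nmap report above.
SAMPLE = """\
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
| ftp-syst:
| Control connection is plain text
| Data connections will be plain text
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)")
# ls -l style entry printed by ftp-anon: mode, links, uid, gid, size, date, name
ENTRY_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def audit_ftp(report):
    """Return (port, finding) tuples for FTP exposure in Nmap text output."""
    findings, port, service, anon = [], None, None, False
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:  # a new port line resets the per-service state
            port, service, anon = m.group(1), m.group(2), False
            continue
        if service != "ftp" or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()
        if body.startswith("ftp-anon:"):
            anon = "login allowed" in body
            if anon:
                findings.append((port, "anonymous login allowed"))
            continue
        entry = ENTRY_RE.match(body)
        if anon and entry:
            mode, name = entry.groups()
            if mode[7] == "r":  # read bit for "other"
                findings.append((port, f"world-readable file: {name}"))
        elif "plain text" in body:
            findings.append((port, f"no TLS: {body}"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_ftp(SAMPLE):
        print(port, finding)
```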
HTTP(80)

- Nothing much here, but looking at the source code I get a very interesting comment:
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body, html {
height: 100%;
margin: 0;
}
.bg {
/* The image used */
background-image: url("brooklyn99.jpg");
/* Full height */
height: 100%;
/* Center and scale the image nicely */
background-position: center;
background-repeat: no-repeat;
background-size: cover;
}
</style>
</head>
<body>
<div class="bg"></div>
<p>This example creates a full page background image. Try to resize the browser window to see how it always will cover the full screen (when scrolled to top), and that it scales nicely on all screen sizes.</p>
<!-- Have you ever heard of steganography? -->
</body>
</html>
- So I am pretty sure of what to do.
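The comment in the page source is the kind of leftover a pre-publish check can catch. The following is an added example, not part of the original write-up: it finds real HTML comments with line numbers and strips them, using a parser so that "<!--" inside a script string is left alone. The names CommentFinder, find_comments and strip_comments are assumptions, and the sample is a shortened, constructed version of the page source with a script line added.

```python
from html.parser import HTMLParser

# Constructed sample: shortened page source from above, plus a script line
# to show that "<!--" inside JavaScript is not treated as a comment.
SAMPLE = """<!DOCTYPE html>
<html>
<body>
<div class="bg"></div>
<script>var s = "<!-- not a comment -->";</script>
<!-- Have you ever heard of steganography? -->
</body>
</html>
"""

class CommentFinder(HTMLParser):
    def __init__(self, html):
        super().__init__()
        self.html = html
        # Absolute offset at which each line starts (parser lines are 1-based)
        self.line_starts = [0] + [i + 1 for i, c in enumerate(html) if c == "\n"]
        self.spans = []  # (start, end, lineno, text)

    def handle_comment(self, data):
        lineno, col = self.getpos()  # position of the opening "<!--"
        start = self.line_starts[lineno - 1] + col
        # Locate the closing ">" after the comment body
        end = self.html.index(">", start + 4 + len(data)) + 1
        self.spans.append((start, end, lineno, data.strip()))

def find_comments(html):
    """Return (start, end, lineno, text) for every HTML comment."""
    parser = CommentFinder(html)
    parser.feed(html)
    parser.close()
    return parser.spans

def strip_comments(html):
    """Return the document with every HTML comment removed."""
    out, pos = [], 0
    for start, end, _, _ in find_comments(html):
        out.append(html[pos:start])
        pos = end
    out.append(html[pos:])
    return "".join(out)

if __name__ == "__main__":
    for _, _, lineno, text in find_comments(SAMPLE):
        print(f"line {lineno}: {text}")
```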
STEGANOGRAPHY
- I have downloaded the image at the website by just copying the image link and using wget at the terminal to download the image for analysis:
┌──(gforce㉿kali)-[~/tryhackme/B99]
└─$ wget http://b99.thm/brooklyn99.jpg
--2025-05-02 16:27:31-- http://b99.thm/brooklyn99.jpg
Resolving b99.thm (b99.thm)... 10.10.147.175
Connecting to b99.thm (b99.thm)|10.10.147.175|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69685 (68K) [image/jpeg]
Saving to: ‘brooklyn99.jpg’
brooklyn99.jpg 100%[===============================>] 68.05K 161KB/s in 0.4s
2025-05-02 16:27:33 (161 KB/s) - ‘brooklyn99.jpg’ saved [69685/69685]
- I was having issues with this; I tried binwalk and steghide (which required some passphrase I did not have), so I have tried stegseek to basically brute-force the password and unearth the hidden file:
┌──(gforce㉿kali)-[~/tryhackme/B99]
└─$ stegseek brooklyn99.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "admin"
[i] Original filename: "note.txt".
[i] Extracting to "brooklyn99.jpg.out".
┌──(gforce㉿kali)-[~/tryhackme/B99]
└─$ ls
brooklyn99.jpg brooklyn99.jpg.out
┌──(gforce㉿kali)-[~/tryhackme/B99]
└─$ cat brooklyn99.jpg.out
Holts Password:
fluffydog12@ninenine
Enjoy!!
- So I have some creds (Holts and fluffydog12@ninenine) that could potentially be used for SSH, but I will look into that later. Now I will try logging in anonymously at FTP and see what files I am able to access and what they contain.
FTP
- Since anonymous login is enabled, I have logged in using username anonymous and password anonymous.
- I have found a txt file that I can download and look at: