Brooklyn Nine Nine — TryHackMe Walkthrough

Advait Jadhav
Mar 19, 2024

Hello! Today I’ll be solving the “Brooklyn Nine Nine” CTF room on TryHackMe. This is another thematic room based around the TV show Brooklyn Nine Nine.

Room Link: https://tryhackme.com/room/brooklynninenine

To get started, I’ll add the target IP address to /etc/hosts so that it resolves as brook.thm, the hostname used in the commands below.

/etc/hosts

Step 0: Reconnaissance

To start, we’ll scan the target host for open ports using Nmap (Network Mapper).

sudo nmap -sC -sV brook.thm -oN logs/initial_nmap
  1. -sC — scans the target host with the default set of scripts.
  2. -sV — enables version detection for target host.
  3. -oN — saves the output in normal format.

Brief:

  1. 21/tcp — FTP (File Transfer Protocol) — used for transferring files between server and client.
  2. 22/tcp — SSH (Secure Shell) — used to remotely access a system.
  3. 80/tcp — HTTP — used to run a web server (Apache 2.4.29 in this case).

Step 1: Exploring FTP

The Nmap scan found that anonymous login is enabled on the FTP server, meaning we can log into the FTP server and access the files without entering any credentials.

The Nmap scan also revealed a file, note_to_jake.txt.

Found and downloaded the note_to_jake.txt file. Let’s check it.

It’s a note by Amy telling Jake to change his password.

Key Takeaways:

  1. Identified potential users on the machine (Jake, Amy, Holt).
  2. Jake’s password is weak (can be cracked using rockyou.txt).

Step 2: Inspecting the website

Now let us move to the next part by inspecting the website for clues, if any.

http://brook.thm

It’s a normal website with an image on it which resizes dynamically as the size of the window changes. Let’s inspect the source code.

There’s a comment pointing towards steganography.

Steganography is a method of hiding data inside another file, such as an image, audio file or video file.

Step 3: Reverse Steganography

Let’s download the image on the main page and extract its hidden data using steghide.

steghide extract -sf brooklyn99.jpg
steghide

It requires a passphrase. Let’s crack it using stegseek.

I’ll use rockyou.txt as the password wordlist.

stegseek --crack brooklyn99.jpg /usr/share/wordlists/rockyou.txt
stegseek

Got the passphrase, with the encrypted data extracted to brooklyn.jpg.out.

brooklyn.jpg.out

It contains Holt’s password.

Step 4: Compromising the system

Let’s try the credentials found previously in the image to log into the SSH server.

SSH login

And we’re in! Let’s grab our first flag (user.txt).

user.txt

Easy catch!

Step 5: Privilege Escalation

To escalate our privileges, let us first check which commands holt can run with sudo without a password on this machine, using sudo -l.

sudo -l

Holt is allowed to execute the nano command on this machine with root privileges. We can easily abuse this configuration using GTFOBins to get a privileged root shell.

nano gtfobin
rooted shell
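
A defender-side check for the misconfiguration described in Step 5, as an added example that is not part of the original walkthrough: it parses sudo -l output and flags rules that let a user run a shell-capable program (or ALL) as root. The binary list, the sample output, the host name and the paths are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag sudo rules that run a shell-capable program as root.

# Illustrative, incomplete sample of programs that can start a shell or write
# arbitrary files when run as root. nano is the one this room relies on.
RISKY_BINARIES="nano vi vim less more man find awk"

# Constructed `sudo -l` output (user, host and paths are made up).
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for holt on host:
    env_reset, mail_badpass

User holt may run the following commands on host:
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/systemctl status ssh
    (ALL : ALL) /usr/bin/less /var/log/syslog
EOF
}

# Reads `sudo -l` output on stdin, prints "RISKY <auth> <command>" per finding.
audit_sudo_rules() {
    awk -v risky="$RISKY_BINARIES" '
        BEGIN { n = split(risky, names, " "); for (i = 1; i <= n; i++) bad[names[i]] = 1 }
        # Rule lines look like: "    (ALL) NOPASSWD: /bin/nano, /usr/bin/id"
        /^[ \t]*\(/ {
            line = $0
            auth = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)   # drop the "(runas)" part
            gsub(/[A-Z_]+:[ \t]*/, "", line)          # drop tags such as NOPASSWD:
            m = split(line, cmds, /,[ \t]*/)
            for (j = 1; j <= m; j++) {
                split(cmds[j], words, " ")            # words[1] is the command path
                k = split(words[1], parts, "/")       # parts[k] is the basename
                if (parts[k] == "ALL" || (parts[k] in bad))
                    printf "RISKY %s %s\n", auth, words[1]
            }
        }'
}

# On a real host: sudo -l -U <user> | audit_sudo_rules   (run as root)
sample_sudo_l | audit_sudo_rules
```

If a user only needs to edit one root-owned file, a sudoers rule for sudoedit on that file runs the editor as the invoking user instead of as root.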

Brooklyn Nine Nine has been rooted!

“Cool, cool, cool, cool, cool. No doubt, no doubt, no doubt.”

Conclusion

Brooklyn Nine Nine is an easy thematic room which requires knowledge of steganography and privilege escalation to crack.
