#6.TryHackMe Series writeups: Brooklyn Nine Nine

Cyb3r M!nds
4 min readDec 19, 2023

--

Hello guys 👋 I’m back with another walkthrough, this time tackling on Brooklyn Nine Nine Lab from TryHackMe.

This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.

So, let’s start solving this lab 🤝.

As always we will start enumerating the box. So, we’ll start off with a nmap scan.

Commands: nmap -sV -sC <IP>

After executing the command, we can see the open ports and services running. Here, 3 ports are open i.e. FTP, SSH and HTTP.

Let’s check what’s there in HTTP port. After accessing, there was only an image on the page. We had not found any hidden directories, so from our perspective, it is the only thing we have. BUT. What if we checked the source code?

OOPS!! There is one comment:<! — Have you heard about steganography?->

We now know that there is something hidden in the image. Open the image, then right-click and save it to your computer. But because there are two ways to root this room, let’s leave this image for now and continue to our normal process.

So, let’s check FTP port as we run the default script so it gives a result that there is an “anonymous” login allowed.

We were successfully log in to the ftp. Let’s check for any sensitive files are present.

While listing there was a file present i.e. “note_to_jake.txt” which we will download locally and on viewing it we get some really useful information.

Command: get note_to_jake.txt //download the file

In this note, Amy is saying Jake to change the password as it is weak. So, we will try to bruteforce it using Hydra my personal fav tool.

Command: hydra -l jake -p /usr/share/wordlists/rockyou.txt <IP> ssh

Now we have the username and password, let’s try to login via ssh.

Command: ssh jake@<IP>

We have finally got access to jake account. Here’s our task is to find the user flag. I usually use the find command to search the user flag. So’, let’s try in that way.

Command: find / -name user.txt 2>/dev/null

Now it’s time to escalate our privileges to root 🤩🥰

Command: sudo -l

As we can see that less can be used here as root. So, we need to check it’s exploits.

We will use the above command to escalate the privileges.

Command: sudo less /etc/profile

Once executing the command, enter “/bin/sh” to get into the shell.

Well, we are root now!!

There is an another way to get into root.

We started by downloading the image while searching for information on port HTTP. So, the first thing we should look at in that photograph is the EXIF data. There is a potential that some interesting information has been saved.

Unfortunately, nothing unusual appears to be hidden in EXIF data. And by inspecting the file type, we can discover that it is a standard JPEG image.

Command: filetype brooklyn99.jpg

Normally Steghide is one of the tools that can be used to extract hidden information from the image. But to do that, we need to know the password.

Stegcracker, though, is a different tool that might work in this circumstance. This tool will use a brute force attack to try to forcefully discover the password. We will start with rockyou.txt wordlist for bruteforcing.

Command: stegcracker brooklyn99.jpg /usr/share/wordlists/rockyou.txt

The password got saved to brooklyn.jpg.out. View the file where we get to know the username and password.

Command: ssh holt@<IP>

In order to view the root flag, we can follow the same steps as we performed in previous method 🥱.

Command: sudo -l

But, as we can see in this lab, we have learned about the new tool and what steganography is.

Hurray ✌️, we have successfully solved the Brooklyn Nine Nine. Thank you for sticking around.

If you liked the walkthrough you can clap đź‘Ź for me down below.

--

--

Cyb3r M!nds
Cyb3r M!nds

Written by Cyb3r M!nds

DevSecOps | Freelancer | Cloud Security | Web Pentester | Android & iOS Pentester | API Pentester | Blogger | Learner .

No responses yet