Brooklyn Nine Nine TryHackMe Write-up
Brooklyn Nine Nine is an easy, beginner-friendly capture the flag exercise on TryHackMe. It features two different routes to gain both the initial foothold and the root flag. These avenues include weak passwords, poor FTP configuration, cleverly hidden credentials, and misconfigured sudo permissions.
Disclaimer 1: IP addresses featured in this write-up will differ from those on your machine.
Disclaimer 2: This post will include spoilers for the room, so be mindful of reading this if you want to solve the challenge on your own. Flags and other secrets will remain obfuscated.
Enumeration
As always, we will start the exercise with an Nmap scan. To keep things simple, let's go for an aggressive scan. We aren't worried about being discovered in this instance, so this should speed things up.
nmap -A 10.10.236.183
Right away, we see three things. We see there is an FTP server on port 21, SSH is running on port 22, and there is an Apache server on port 80. Because we ran an aggressive Nmap scan, we also ran default scripts. This reveals that the FTP server allows anonymous logins.
Now, we have a few things we can do, but there are two clear routes we can take: check out the server running on port 80 or check out what's on that FTP server. Let's try one at a time.
Route 1: The FTP Server
Let's start by checking out that FTP server. Since we know it allows anonymous login, all we need to do is type in the username “anonymous” and leave the password blank when prompted after the initial login command.
ftp 10.10.236.183
And just like that, we have access to the FTP server. Now, let's see what there is. The ls
command reveals there is a note for someone named Jake. Let's download that note so we can give it a look.
get note_to_jake.txt
We can now exit FTP and cat the downloaded note.
cat note_to_jake.txt
We don't get any obvious credentials, but we do get some info about the user Jake that could give us some insight on what to do next.
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
Not only do we learn there is another user named Amy, but we also learn that Jake's credentials must be lackluster. Let's see how much so by trying to crack his password with hydra and the Rockyou wordlist.
hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.236.183 -t 4 ssh
And just like that, we have the password. We can now try using that password to login as Jake via ssh.
ssh jake@10.10.236.183
And we are in. We can now navigate the various users on the system to find the first flag. After some digging, we find it under the user Holt, and we can cat out the results and capture the flag.
cat /home/holt/user.txt
Now, let's focus on getting root. First, let's see what programs Jake can run as sudo.
sudo -l
This reveals that Jake can run /usr/bin/less as root with no password. After navigating over to GTFOBins, we see there are two super simple privilege techniques we can take advantage of using less.
First, we can just use the command to exfiltrate the flag by guessing the flag filename with a little trial and error.
less /root/root.txt
We can also use less to escalate our privileges to root and snag the flag that way. Let's go ahead and copy and paste the exploit we found on GTFOBins into the command line.
sudo less /etc/profile
!/bin/sh
And just like that, we have root. We can now navigate to the root directory and cat the file out that way.
cat root.txt
Route 2: The Webpage
Instead of attacking the FTP server, let's make our way to the Apache server we saw running on port 80. Let's open the browser, and type the target IP into the address bar.
This will bring us to a landing page featuring nothing but a Brooklyn Nine Nine image and some text clarifying that the image will resize itself as we resize the browser. The page itself doesn't give us any incriminating information, so let's go ahead and check out the page's source code.
Now, we find something interesting. There's a code comment that pretty much tells us exactly what direction to go in next.
<!-- Have you ever heard of steganography? -->
Steganography is the technique of hiding information within another message or medium. The webpage we are investigating has an image on it, so we assume that is what the comment is referring to. We can download the image however we want, either with wget or by right-clicking and saving the image that way.
Now, after some trial and error using online steganography tools with no luck, we go ahead and try the command line tool stegcracker. Here, we make some progress.
stegcracker brooklyn99.jpg
The results are dumped into a file called brooklyn99.jpg.out (unless you changed the name of the picture when you downloaded it). We can cat the file, and we get the password for the user Holt. We can now try logging in to this new user with the discovered credentials.
ssh holt@10.10.236.183
And there we go, our second foothold into the system. We can now easily cat the contents of the user flag and answer the first question.
cat user.txt
Just like the first route, if we want to easily escalate our privileges to gain the second flag, we have to first see what programs Holt can run as sudo.
sudo -l
Here, we find that Holt can run /usr/bin/nano as root without a password. This is great, because there are two things we can easily do with nano to exfiltrate the root flag: we can use nano similarly to how we used less earlier and just reveal the flag with some trial and error, or we can use nano to edit the sudoers file and give Holt all sudo permissions.
Let's first start by exfiltrating the root flag. We can do so by assuming the flag is under /root and by guessing what the filename might be.
sudo nano /root/root.txt
This will reveal the second and final flag to the box.
But, let's say you want to escalate your privileges to root and snag the flag that way. You can do so by editing the sudeors file.
sudo nano /etc/sudoers
Let's change holt ALL=(ALL) NOPASSWD:/usr/bin/nano
to holt ALL=(ALL) NOPASSWD:ALL
, giving us full root access without needing a password. Now, save the file and run sudo -i
to gain a root shell.
And now we can navigate to /root to cat out the flag.
cat /root/root.txt
Conclusion
And just like that, we've completed the box. In route 1, we leveraged an anonymous FTP session to gain knowledge about the users on the system, we used hydra to crack a weak SSH password, and we exploited misconfigured sudo privileges to either exfiltrate the root data or escalate our privileges.
In route 2, we found SSH credentials hidden in an image hosted on a webpage, we used those credentials to gain a foothold on the target, and just like route 1, we leveraged misconfigured sudo privileges to either exfiltrate the root data or escalate our privileges.
Tags: #CTF Write.as Comments: Discuss...