TryHackMe | Brooklyn Nine Nine Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “Brooklyn Nine Nine” room on TryHackMe together. In some sections, I’ll give a brief introduction to the subject. Don’t forget: you must always research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
Solution 1
- Anonymous File Transfer Protocol
- Brute Force Attack using Hydra
- Privilege Escalation
Solution 2
- Using Steghide
- Using Stegcracker
- Privilege Escalation
Deploy and get hacking
This room is aimed at beginner-level hackers, but anyone can try to hack this box. There are two main intended ways to root the box.
Connect to TryHackMe network and deploy the machine.
Step 1: You need an OpenVPN configuration file to connect over VPN to the machines on TryHackMe.
Step 2: Use the openvpn command to start your VPN connection.
Step 3: Can you see the IP address of the machine?
Step 4: You can check your connection.
Solution 1
Answer the questions below
Q1: User flag
A1: ********************************
First, we need to run an Nmap scan to find out which ports are open and which services are running on them.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
nmap -A -T4 -Pn -p- 10.10.147.23
-A : Enable OS detection, version detection, script scanning and traceroute.
-T4 : Set timing template (higher is faster).
-Pn : Treat all hosts as online — skip host discovery.
-p- : You can specify “-p-” to scan ports from 1 through 65535.
When we look at the Nmap output, we can see that FTP is running on port 21 and that we can log in as Anonymous. So, what exactly are “FTP” and “Anonymous login”?
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is considered an application layer protocol.
Anonymous File Transfer Protocol (FTP) enables remote users to use the FTP server without an assigned user ID and password.
Here’s a note for Jake. Let’s get it on our own machine. We can accomplish this with the get command.
get : Copies the remote file to the local host.
Amy appears to be complaining about Jake’s use of a weak password. What about pissing off Holt?
Do you think the same as me? Jake has a weak password, and SSH is running on port 22. I think we should call the Hydra.
Hydra is a parallelized login cracker which supports numerous protocols to attack.
hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.147.23 ssh
-l : Login with LOGIN name.
-P : Load several passwords from FILE.
[machine IP] : The IP address of the target machine.
ssh / protocol : Sets the protocol.
You’re right Amy… Jake urgently needs to change his password.
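From the defender's side, a password-guessing run like the one above leaves a clear trail in the SSH server's log. The following is an added example, not part of the original walkthrough: it counts failed passwords per source IP and user and marks the pairs where a successful login followed. The log lines, host name and IP addresses are constructed sample data in OpenSSH's usual syslog format.

```bash
#!/bin/sh
# Added example (not from the original walkthrough): spot SSH password
# guessing in sshd log lines. All log lines below are constructed samples.

sample_auth_log() {
cat <<'EOF'
Mar  1 10:00:01 examplehost sshd[1201]: Failed password for jake from 10.10.0.5 port 40001 ssh2
Mar  1 10:00:02 examplehost sshd[1202]: Failed password for jake from 10.10.0.5 port 40002 ssh2
Mar  1 10:00:02 examplehost sshd[1203]: Failed password for jake from 10.10.0.5 port 40003 ssh2
Mar  1 10:00:03 examplehost sshd[1204]: Failed password for jake from 10.10.0.5 port 40004 ssh2
Mar  1 10:00:04 examplehost sshd[1205]: Failed password for jake from 10.10.0.5 port 40005 ssh2
Mar  1 10:00:05 examplehost sshd[1206]: Accepted password for jake from 10.10.0.5 port 40006 ssh2
Mar  1 10:05:10 examplehost sshd[1300]: Failed password for invalid user admin from 10.10.0.7 port 51000 ssh2
Mar  1 10:07:30 examplehost sshd[1310]: Failed password for holt from 10.10.0.9 port 52000 ssh2
Mar  1 10:07:41 examplehost sshd[1311]: Accepted password for holt from 10.10.0.9 port 52001 ssh2
EOF
}

# detect_bruteforce THRESHOLD
# Reads sshd log lines on stdin and prints "ip user failures outcome" for
# every (ip, user) pair with at least THRESHOLD failed passwords. The outcome
# is "login-succeeded" when an accepted password followed the failures.
detect_bruteforce() {
  awk -v limit="$1" '
    /sshd\[[0-9]+\]: (Failed|Accepted) password for / {
      for (i = 2; i < NF; i++)
        if ($i == "from") { user = $(i - 1); ip = $(i + 1); break }
      key = ip " " user
      if ($0 ~ /: Failed password for /) fails[key]++
      else if (fails[key] > 0) won[key] = 1
    }
    END {
      for (k in fails)
        if (fails[k] >= limit)
          print k, fails[k], ((k in won) ? "login-succeeded" : "no-login")
    }
  ' | sort
}

sample_auth_log | detect_bruteforce 3
```

With a threshold of 3, only the burst against jake is reported; holt's single mistyped password stays below it.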
Let’s go inside using Jake’s password. But first, let me explain what SSH is.
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another.
Congratulations, you found the first flag!
Q2: Root flag
A2: ********************************
Our mission isn’t done yet. We must capture the last flag by escalating our privileges.
Note : A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system.
Let’s check if we have any permissions to execute specific commands as sudo.
sudo -l : The -l (list) option prints the commands allowed (and forbidden) for the user on the current host.
And we can see that we can run the less command.
Let’s research using the information provided by the system.
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
I think you should take note of this website, because here you can find the privilege escalation commands.
Who are we? ROOOT!
Congratulations, you found the second flag!
Solution 2
Q1: User flag
A1: ********************************
First, we need to run an Nmap scan to find out which ports are open and which services are running on them.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
nmap -A -T4 -Pn -p- 10.10.147.23
-A : Enable OS detection, version detection, script scanning and traceroute.
-T4 : Set timing template (higher is faster).
-Pn : Treat all hosts as online — skip host discovery.
-p- : You can specify “-p-” to scan ports from 1 through 65535.
When we access port 80 through the browser, we are greeted with a huge photo from the “Brooklyn Nine-Nine” series.
We can check the page source for any important information.
The page source can give us important information. This is the original text and HTML tags typed by the author and interpreted by the browser to produce the web page you actually see on the Internet. That’s why you should never forget to look here.
There is a question for us here when we examine the page source. Have you ever heard of steganography?
Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection. The use of steganography can be combined with encryption as an extra step for hiding or protecting data.
Then let’s download it to our machine to examine the photo.
Wget is a command-line utility for downloading files from the web.
We can use the “steghide” tool to check if the photo contains any hidden data.
Steghide is a steganography program which hides bits of a data file in some of the least significant bits of another file in such a way that the existence of the data file is not visible and cannot be proven.
To install steghide, follow the step below:
apt-get install steghide -y
info : Display information about <filename>.
Yes, your predictions were correct. There is something here, but it is password-protected. We might be able to crack the password using the “stegcracker” tool.
StegCracker is a steganography brute-force utility to uncover hidden data inside files.
To install stegcracker, follow the step below:
apt-get install stegcracker -y
We succeeded! There is a file called “note.txt” embedded in the photo.
steghide extract -sf brooklyn99.jpg
extract : Extract data.
-sf : Select stego file.
Do you think the same as me? We know Holt’s password, and SSH is running on port 22.
Let’s go inside using Holt’s password. But first, let me explain what SSH is.
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another.
Congratulations, you found the first flag!
Q2: Root flag
A2: ********************************
Our mission isn’t done yet. We must capture the last flag by escalating our privileges.
Note : A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system.
Let’s check if we have any permissions to execute specific commands as sudo.
sudo -l : The -l (list) option prints the commands allowed (and forbidden) for the user on the current host.
Let’s research using the information provided by the system.
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
I think you should take note of this site, because here you can find the privilege escalation commands.
Let’s open nano as root and then press “CTRL + R” followed by “CTRL + X”.
As a result, nano opens a text box for us that can be used to execute commands.
reset; sh 1>&0 2>&0
And once more… Who are we? ROOOT!
Congratulations, you found the second flag!
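Both solutions end the same way: a sudo rule that lets a user run a pager (less) or an editor (nano) as root. The following is an added example, not part of the original walkthrough, of how an administrator could audit `sudo -l` output for such rules. The sample output, the host name `examplehost`, the `NOPASSWD` tags and the function names are constructed for illustration, and the default list of risky programs contains only the two this page uses.

```bash
#!/bin/sh
# Added example (not from the original walkthrough): audit `sudo -l` output
# for pagers/editors that can start a shell. Sample output is constructed.

sample_sudo_l() {
cat <<'EOF'
User jake may run the following commands on examplehost:
    (ALL) NOPASSWD: /usr/bin/less
    (root) /sbin/reboot
User holt may run the following commands on examplehost:
    (ALL : ALL) NOPASSWD: /sbin/reboot, /bin/nano
EOF
}

# audit_sudo_l [RISKY_NAMES]
# Reads `sudo -l` / `sudo -l -U user` output on stdin and prints
# "user program path runas auth" for each granted command whose program
# name is in RISKY_NAMES (default: the two programs this page uses).
audit_sudo_l() {
  awk -v risky="${1:-less nano}" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^User / { user = $2 }
    /^[ \t]+\(/ {
      line = $0
      sub(/^[ \t]+\(/, "", line)
      runas = line
      sub(/\).*/, "", runas)              # text inside the parentheses
      gsub(/[ \t]/, "", runas)
      sub(/^[^)]*\)[ \t]*/, "", line)     # drop the run-as spec
      auth = (line ~ /NOPASSWD:/) ? "nopasswd" : "passwd"
      gsub(/[A-Z_]+:[ \t]*/, "", line)    # drop tags such as NOPASSWD:
      m = split(line, cmds, /,[ \t]*/)
      for (j = 1; j <= m; j++) {
        split(cmds[j], w, " ")
        base = w[1]
        sub(/.*\//, "", base)             # basename of the command path
        if (base in bad) print user, base, w[1], runas, auth
      }
    }
  '
}

sample_sudo_l | audit_sudo_l
```

Any line this prints is a rule to remove or replace; for editing files as root, `sudoedit` is the usual alternative to granting an editor directly.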
Thank you for your time. See you soon! Until then, happy hacking ❤