WriteUp: Brooklyn Nine Nine

In a previous post, I mentioned that a great place to learn hacking techniques is a site called TryHackMe. Since joining the site myself, I have learned a lot of techniques. Some of which I use in my role for a cyber security company. And to show off the culmination of everything I am learning, I am going to walk through the steps to retrieve the flags from the room Brooklyn Nine Nine on TryHackMe. This is a free room to join and a relatively easy CTF.

Let’s begin!

There are two way to get the flags from this box but first things first. We run the box’s IP address through nmap.
nmap -sS -sV <ip_addr>

Method 1

Notice from the scan that port 21 is open. This is the default port for FTP which means we may be able to do an anonymous login.
ftp <ip_addr>
Type in anonymous as the username and enter a blank password.

Now that we are here, let’s see what we can find. Run the ls command and see that there is a file we can download with the get command. Once the file is on our computer, cat it to revel this message.

Now we know that Jake is using a weak password. The questions are: Password to what? How do we get it?
Recall from the nmap scan that port 22 is open which is the default port for SSH. We could run the ssh command over and over again trying to guess the password but who has time for that? Let’s use Hydra instead!
Hydra is great for cracking weak passwords for SSH logins. In the command below, we give it a username, a wordlist, an ip address, and the protocol.
hydra -l jake -P rockyou.txt 10.10.5.193 ssh

Jake’s password is now ours! If you need the “rockyou.txt” wordlist, you can download it from here.
Let’s try our newfound password for Jake in SSH.

Let’s find some flags!
The first one is the “user” flag. Normally, we can run ls and see that the user flag is in our home directory. But it’s not this time! We can look for the user flag using the find command.
find / -type f -name "user.txt" -exec ls -l {} \; 2>/dev/null

We found the file so let’s read it with cat to get that first delicious flag!

The second flag requires us to become root to read “/root/root.txt”. Let’s see if Jake is in the sudo group. Running groups shows us that Jake is not to be trusted with that much power but he still might have some privileges. Run sudo -l.

Jake is able to use less as root. We can use this command to read files instead of cat.
sudo less /root/root.txt

And with that, we have escalated our privileges and got that pesky root flag! Submit to TryHackMe and enjoy your new badge!

Method 2

There is a port from the nmap scan that wasn’t used in method 1. Port 80. Visiting the ip address in a browser takes us to this rather simple webpage.

Besides this lovely picture and text, not much to see here. If we take a look at the page’s source code though, there is a comment asking us if we have heard of steganography. If you have, then you can guess that the picture is protecting more than just the big city. If not, do a quick Google search.
Save the picture to your computer. Next, we will use a tool call steghide to extract any hidden data from the picture, if it exists. You can download steghide through the apt repository if you are using a Debian based machine. Run the following command to extract any hidden data from the picture.
steghide extract -sf brooklyn99.jpg

I will admit, I was a little baffled here. I was hoping for a password not being needed in order to extract any hidden data. If you run dirsearch or dirbuster on the ip address, you will find there is not much more to explore via the browser. All seems lost but fear now! There is a tool to crack steganography passwords!

Stegcracker can crack our steganography password and can be found here. If you have pip3, the install is simple!
pip3 install stegcracker

Now let’s see if we can crack a password. Run stegcracker on the picture using a wordlist.
stegcracker brooklyn99.jpg rockyou.txt

We will use this password in steghide. Run the steghide extract command again and use the password. You should get a message telling you the file “note.txt” was extracted. Open the file and we now have Holt’s password!

Let’s try this password out on ssh. SSH into the box as holt and enter his password. We get in with no problem! Now to find those scrumptious flags!
To find the user flag, run ls. Immediately, we see the file “user.txt”. Read that and get the user flag.

Now to find the root flag.
As always, let’s see if we belong to the sudo group by using the groups command. This does not look promising but there is still sudo -l.

Holt can use the nano editor as root. Let’s open up nano using sudo nano. It will take us to a blank page with some options listed at the bottom. One option that catches our interest is the “Read File” option. Hit CTRL+R and then CTRL+T to bring up a filesystem. We can use this to navigate to a file we want to read. Since we are running nano as root, we can go straight to “/root/root.txt” and get our flag!

Conclusion

This box is pretty easy to get into with the assumption that you have decent linux command line skills, good researching skills, and some basic knowledge of pentesting. And if this wasn’t easy, no problem! TryHackMe is chock full of rooms that teach the basics. If may seem difficult at first but if you stick to it, you’ll be crafting your own writeup helping others one day too!

Happy Hunting!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s