Try Hack Me: Brooklyn Nine-Nine

The skills to be tested and needed to solve this room are: Nmap, GoBuster, Steganography, Hydra, and Security.

This room was fun because my wife and I are fans of this TV show.

Shout-out to @Fsociety2006 for creating this room. Visit https://tryhackme.com and create an account for free to take advantage of this great learning platform.

I was assigned an IP address of 10.10.213.44. If you are following this walk-through, please check your assigned IP address.

I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.

There are 2 tasks to complete the room:

  • user flag
    • e******************************e
  • root flag
    • 6******************************5

Steps:

1. Deploy the machine.

2. Scan the victim machine using nmap: nmap -sC -sV 10.10.213.44

Open ports are 21, 22 and 80

3. Looking at the nmap results, FTP is left open to anonymous login, and we can see that a file called note_to_jake.txt is accessible

FTP service is open with “note_to_jake.txt”

4. Let’s log in to FTP and download the file to see its content by typing: ftp 10.10.213.44

FTP Anonymous login and no password entered

5. List what’s in the current directory we are in by using ls

We can see the “note_to_jake.txt” file

6. Let’s download the file “note_to_jake.txt” to our attack machine (your kali box) by typing get note_to_jake.txt

Download the file to our machine

7. Exit your FTP session and check by typing ls if we can see the file we just downloaded

Confirmed that we have the file we downloaded

8. Open the file by typing cat note_to_jake.txt to look inside

A message from Amy to Jake telling us that Jake has a weak password. We can definitely use Hydra to brute-force Jake’s password, but I want to see if there are other vectors we can use
  • Just to show you that Hydra works to brute-force Jake’s password. Here’s a screenshot of a successful brute-force attack

9. We are going to check the http service on port 80

10. Check the page source

  • The page source above is telling us to try steganography. What is steganography? This is the practice of concealing a file, message, image, or video within another file, message, image, or video [1].

11. Now, let’s use gobuster and check for hidden directories that might contain files used for steganography: gobuster dir -u http://10.10.213.44 -w /usr/share/wordlists/dirb/common.txt

  • dir – to use directory/file brute-forcing mode
  • -u – is the flag to tell gobuster that we are scanning a URL
  • -w – is the flag to set the list of possible directory and file names
The only helpful and functioning directory is /index.html

12. We are going to run gobuster again, and this time we will do it inside the /index.html directory

  • The other gobuster scan came up empty, so let’s go back to the main page and download the Brooklyn Nine-Nine poster

13. If you right-click on the poster, there is no way to download the photo as .jpg

  • What we have to do next is click on the View Page Source again
We see “brooklyn99.jpg” as url
  • Now, let’s try and add brooklyn99.jpg in the url and hit enter
Now, we see that “save as” is available

14. After downloading the image, we can run some tools to do steganalysis

  • Let’s try the basics of steganalysis by using strings: strings brooklyn99.jpg
There is nothing juicy and interesting from the result
  • How about running binwalk to check what information we can retrieve from the photo?
Again, there is nothing to see
  • Now, let’s try to see if stegcracker can find any passwords: stegcracker brooklyn99.jpg /usr/share/wordlists/rockyou.txt
Stegcracker cracked the file using the blurred password
  • Now, let’s check the content of the file brooklyn99.jpg.out and see if there is any helpful information hidden through steganography: cat brooklyn99.jpg.out
Now, we discovered that the image used on the webpage contains Holt’s password

15. We are now going to access the server through the SSH service and use Holt’s username and password: ssh holt@10.10.213.44

We can see that we were able to authenticate as user Holt with the password we extracted from the image

16. user flag

User flag found

17. We need to escalate our privilege to access the root folder

We don’t have permission to access the root folder

18. Type sudo -l to check what sudo privileges user holt has

  • That means we have root access when using /bin/nano. We will access the root folder and the root flag through nano. Type sudo /bin/nano /root/root.txt

19. root flag

root flag found!
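
The sudo rule found in step 18 is what makes the root flag readable: /bin/nano runs as root with no argument restriction, so any file can be opened. The following is an added example, not part of the original walk-through, that audits sudo -l output for rules of this kind. The sample output, the host name and the RISKY list are constructed assumptions.

```python
import re

# Assumed, non-exhaustive list: programs that can read or write arbitrary
# files, or start a shell, with the privileges sudo gives them.
RISKY = {"nano", "vi", "vim", "less", "more", "man", "find", "awk",
         "python3", "perl", "bash", "sh", "env", "tar"}

# Constructed sample in the layout `sudo -l` prints (host name is a placeholder).
SAMPLE = """\
Matching Defaults entries for holt on examplehost:
    env_reset, mail_badpass

User holt may run the following commands on examplehost:
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) NOPASSWD: /usr/bin/less /var/log/*
"""

# "(runas) TAG: TAG: command[, command...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+"
                  r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit(sudo_l_output):
    """Return a finding for each rule that runs a risky program as root."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults line or blank line
        users = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        if not any(u in ("ALL", "root") for u in users):
            continue  # rule does not grant root
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            argv = cmd.split()
            if not argv:
                continue
            name = argv[0].rsplit("/", 1)[-1]
            if name in RISKY or argv[0] == "ALL":
                findings.append({"command": cmd.strip(), "binary": name,
                                 "nopasswd": nopasswd,
                                 # no argument list: any file may be opened
                                 "any_args": len(argv) == 1})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

A rule that names sudoedit with one specific file path, instead of an editor binary, does not appear in the findings and does not let the user open other root-owned files.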

Hope you enjoyed and learned something from the walk-through!

Don’t forget to subscribe to my blog! Much mahalos!

Resources:

1 – https://en.wikipedia.org/wiki/Steganography

Published by lightkunyagami

https://tryhackme.com/badge/18276
