TryHackMe: Brooklyn Nine-Nine

Though the name of this room refers to a globally famous TV series, the series has nothing to do with solving the box. To be honest, this room is a really easy box once you get the initial foothold. Marked as beginner, it is truly beginner-friendly and very easy to solve.

This box can be solved in two ways; I’ll be explaining one of them. In this path, we’ll mainly be using Steghide and GTFOBins. So, let’s get started!

Initial Foothold

Once the machine is deployed, we can go to http://<machine_ip> and see an auto-sizing Brooklyn Nine-Nine poster that adjusts itself to the browser window size. It looks like this:

For any webpage, the first thing we can do is check its source code, and there we can see a hint related to steganography.

So we have an image and a hint pointing towards steganography. We can download the image and check whether something is hidden inside it. We can use Steghide to try to uncover the hidden data:

Steghide was not able to retrieve the data from the image, so we can try the same with StegCracker, which brute-forces the Steghide passphrase. If StegCracker is not present on your machine, it can be installed with the command sudo apt install stegcracker.

We can pass a wordlist to StegCracker, which it uses to try passphrases against the target file; if no wordlist is passed, it uses rockyou.txt by default.

We can see that the file has been cracked and the data has been written to a new file.

Now we have user credentials that we can try over SSH. Keep in mind that the username is holt; I've hidden the password with *.

And we got the user.txt flag. The next task is to get root access, for which we need to perform privilege escalation.

Privilege Escalation

As we are already logged in as holt, we need to become root to get the second flag. First we check which commands holt is allowed to run through sudo: the command sudo -l lists all the commands the current user can execute as root.

We can see that the command /bin/nano can be executed as 'root' by user 'holt'. So, we can check whether there is a GTFOBins entry for nano. We can run the commands as described in GTFOBins and get a root shell.

First, we need to open the nano editor with sudo privileges using the command:

Once we are in the editor, we press Ctrl+R and then Ctrl+X, and then we can execute the command reset; sh 1>&0 2>&0. This gives us a root shell, with which we can read root.txt from the /root directory.

Now we can take the flag from root.txt and submit it as the flag for the second question. With this, we have solved the Brooklyn Nine-Nine room!
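The escalation above works only because the sudoers rule hands holt a full editor as root. As an added example, not part of the original walkthrough, here is a small audit script that parses a sudoers file and flags rules granting editors or other shell-capable binaries; the SHELL_CAPABLE set is a constructed subset of the class GTFOBins catalogues, and SAMPLE is a constructed sudoers modelled on the rule seen on this box.

```python
import os
import re

# Binaries that spawn a shell or edit arbitrary files when run as root via sudo;
# a constructed subset of the class that GTFOBins catalogues, not the full list.
SHELL_CAPABLE = {"nano", "vim", "vi", "less", "more", "man", "find",
                 "awk", "env", "python3", "perl", "bash", "sh"}

# user  hosts = (runas) TAG: TAG: cmd, cmd   (comments and aliases are skipped)
ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
                      r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")

def audit_sudoers(text):
    """Return a list of (user, command, nopasswd, reason) for risky entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), set()
        while (t := TAG_RE.match(rest)):      # collect NOPASSWD:, SETENV:, ...
            tags.add(t.group(1))
            rest = rest[t.end():]
        for spec in (s.strip() for s in rest.split(",")):
            if not spec or spec.startswith("!"):
                continue                      # negated entries remove, not grant
            if spec == "ALL":
                findings.append((m.group("user"), spec, "NOPASSWD" in tags,
                                 "unrestricted: any command as root"))
                continue
            binary = os.path.basename(spec.split()[0])
            if binary in SHELL_CAPABLE:
                findings.append((m.group("user"), spec, "NOPASSWD" in tags,
                                 f"{binary} can spawn a shell or write files as root; "
                                 "prefer sudoedit or a wrapper with fixed arguments"))
    return findings

# Constructed sample sudoers, modelled on the misconfiguration in this room
SAMPLE = """\
%admin  ALL=(ALL) ALL
holt    ALL=(ALL) NOPASSWD: /bin/nano
amy     ALL=(root) /usr/bin/systemctl status nginx
jake    ALL=(ALL) /usr/bin/less, !/usr/bin/vim
"""

if __name__ == "__main__":
    for user, cmd, nopw, why in audit_sudoers(SAMPLE):
        print(f"{user:8} {cmd:40} NOPASSWD={nopw}  {why}")
```

Run it against /etc/sudoers and the files under /etc/sudoers.d to find the same class of rule before an attacker does.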

Some Key Points to Take Away

  1. Whenever you have access to a webpage, check its source code for any kind of sensitive information disclosure.
  2. If you have an image, try to check it for steganography with Steghide or StegCracker.
  3. For PrivEsc, always run the command sudo -l to check which commands the user can execute with sudo privileges, and then look up on GTFOBins how that command can be abused.

Do check my other TryHackMe walkthroughs at:

https://github.com/0xNirvana/TryHackMe-Writeups

Just another CyberSec Guy
