TryHackMe: Brooklyn Nine Nine Room Write-up Method-2

Abdullah Hamza
6 min read · Nov 9, 2023

To access the box, click on the following link and join the room.

Check connection

Ping the machine IP to check whether the connection is established. In my case the ping is successful, so the connection is established.

Checking Connection

Scanning

Let’s start with an Nmap scan. Use the following command to scan the target IP address.

sudo nmap -sV -Pn 10.10.111.89

The above command performs a service version detection scan using Nmap on the target IP address “10.10.111.89.” The options we used are:

  • -sV enables version detection to determine the service and its version running on open ports.
  • -Pn treats all hosts as online and does not perform host discovery. This can be useful when we already know the target is online and we don't want Nmap to waste time determining host status.

Nmap scan results

The Nmap scan results show that ports 21, 22 and 80 are open. Port 80 is the default port for web servers to serve web pages over the internet. When you access a website using a web browser, your browser communicates with the web server on port 80 to request web pages and other resources.

Visiting Target IP

Let’s visit the website running on port 80.

Webpage on port 80 of target IP

It seems like a simple website with an image. Let’s inspect the source code to dig deeper. Right-click on the webpage and select the view page source option.

Webpage on port 80 of target IP

The webpage contains a strange comment. Have you ever heard of steganography? If not, you’re in for a treat! Check out this link to embark on a journey into the art of hiding secrets within plain sight. It’s a captivating and mysterious realm worth discovering. 😊🕵️‍♂️🔍

Source code of webpage running on port 80

Let’s take this clue and find out what’s hidden inside the image. Right-click on the image and select open image in new tab.

Webpage on port 80 of target IP

In the new tab, right-click on the image and select the save image as… option to download the image to your local Kali machine.

Downloading image from target IP

Let’s use the ls command to check whether the image is in the downloads directory.

Downloaded image from target IP

Yeah!!! It’s there.

Extracting hidden data

Let’s use the steghide tool to extract data from the image we downloaded. Use the following command to extract data from the image.

steghide extract -sf brooklyn99.jpg

  • steghide is the name of the steganography tool.
  • extract is the action that instructs steghide to extract hidden data.
  • -sf specifies the steganography file, in our case, “brooklyn99.jpg,” from which we want to extract data.

The above command will attempt to extract any hidden information or files that may have been concealed within the “brooklyn99.jpg” image using steganography techniques. If there is hidden data present, it will be extracted and saved as separate files or displayed, depending on the content and format of the hidden information.

Extracting hidden data from the image

Looks like we need a passphrase to extract the data from the image.

Brute-force with stegcracker

Time to hit it with stegcracker!

stegcracker brooklyn99.jpg

The above command performs a brute-force attack on the image file “brooklyn99.jpg” to attempt to recover the passphrase.

Brute-Force with stegcracker

Let’s use the “steghide extract” command again with the passphrase we cracked.

Extracting hidden data from the image

We got the hidden note.txt file. Let’s use the cat command to check what’s inside that text file.

Viewing contents of note.txt file

We got Holt’s password in the text file. That’s exciting….

SSH with Holt’s password

Let’s try to SSH into Holt’s account with that password……….and we are in…….🎉

SSH into Holt’s account

Get user flag

Let’s use the ls command to check what we have got. Huh!!! We got a user.txt file. Let’s use the cat command to view the content of user.txt and capture the user flag.

User flag captured

Get root flag

Now that we are logged in as the user Holt, we will check our privileges by running the following command:

sudo -l

It displays information about which commands or scripts a user is allowed to execute with superuser (root) privileges or as another specified user.

Results of sudo -l command

The result shows that we are allowed to run the nano editor in the terminal with sudo privileges. Let’s go to https://gtfobins.github.io/ and search for nano. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. Click on sudo to get the results.

GTFOBins
Search result of nano command with sudo

Let’s first open the nano editor using the following command.

sudo nano

Nano editor with sudo privileges

We got a command from GTFOBins. Let’s try that out.

Privilege escalation in nano

We got a shell in the nano editor. Let’s execute a few commands to verify it.

Shell in nano editor
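A defender-side check for the misconfiguration used above, as an added example that is not part of the original write-up: it scans `sudo -l` output for rules that grant binaries able to spawn a shell (such as nano) or an unrestricted ALL. The sample output, the user alice, the host host1 and the ESCAPE_BINS list are constructed assumptions.

```sh
#!/bin/sh
# Added example: audit `sudo -l` output for rules that allow privilege escalation.
# ESCAPE_BINS is an illustrative subset chosen for this example, not a complete list.
ESCAPE_BINS="nano vi vim less more man find awk ed"

# Constructed sample input (hypothetical user and host, not the room's output).
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for alice on host1:
    env_reset, mail_badpass

User alice may run the following commands on host1:
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
    (ALL : ALL) ALL
EOF
}

# Reads `sudo -l` output on stdin; prints "RISK <kind> <runas> <auth> <command>".
audit_sudo_rules() {
    awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    # Rule lines look like: "    (runas) [TAG:] cmd[, cmd...]"
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*\(/, "", line)
        runas = line; sub(/\).*/, "", runas); gsub(/[ \t]/, "", runas)
        sub(/^[^)]*\)[ \t]*/, "", line)
        auth = "passwd"
        m = split(line, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            cmd = cmds[j]
            # Tags (NOPASSWD:, SETENV:, ...) may precede any command in the list.
            while (match(cmd, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(cmd, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) auth = "nopasswd"
                if (tag ~ /^PASSWD:/) auth = "passwd"
                cmd = substr(cmd, RLENGTH + 1)
            }
            split(cmd, w, /[ \t]+/)
            base = w[1]; sub(/.*\//, "", base)
            if (w[1] == "ALL") print "RISK unrestricted", runas, auth, "ALL"
            else if (base in risky) print "RISK shell-escape", runas, auth, w[1]
        }
    }'
}

sample_sudo_l | audit_sudo_rules
```

Where a user only needs to edit one root-owned file, a `sudoedit /path/to/file` rule avoids running the editor itself as root.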

Let’s assume that since the user flag was in user.txt, the root flag might be in root.txt. Let’s use the find command to find root.txt.

find / -type f -name "root.txt" 2>/dev/null

  • / is the starting directory for the search. In this case, it starts from the root directory, so it will search the entire file system.
  • -type f specifies that we are looking for files (not directories).
  • -name "root.txt" is the name of the file we're searching for.
  • 2>/dev/null redirects error messages to /dev/null, so we won't see permission denied messages.

Result of find command

We’ve located the path to the root.txt file. Now, to capture the flag, we’ll simply use the ‘cat’ command with the absolute file path.

root flag captured

There we go, we got our root flag! Paste both flags (user and root) on TryHackMe and enjoy the success.

CONGRATULATIONS!!! The room is completed!

“This was the second approach we used to conquer the Brooklyn Nine-Nine Room challenge. If you’re curious about the first method, you can dive into the writeup by clicking the link below.”

This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊
