This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.

Per the description, this is a beginner box. Sometimes I battle for hours on these easy rated boxes overlooking something simple or hunting for some particular hidden directory. In this case, I got both flags within 10 minutes of deploying the box. Here’s how.


As I’m writing this I’ve already gotten both flags and my nmap scan is about 50% completed :/

This one has at least FTP, SSH and HTTP on port 80 and that’s probably all. I cancelled the scan before it finished.


We have anonymous login, and get one file called note_to_jake.txt. The content is:

From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

So maybe there’s a vector there, but in the end we didn’t use it.


On the website is a picture from the TV show and the page source literally says: Have you ever heard of steganography?. Well yes, yes I have.

Stego, again.

We can download the image from the root of the webserver and try to extract the hidden data. Running steghide with no password, i.e.

root@kali:steghide extract -sf brooklyn99.jpg

produced an error about the contained data being corrupted. That didn’t sound right, so

root@kali:stegcracker brooklyn99.jpg /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt

quickly found the password, which was admin.

The hidden content was:

Holts Password:

On the box

Using this password we can ssh in as ‘holt’, and grab the user flag. Next:

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano

Since we can run nano as root, we can read root flag immediately using ^R in nano, or GTFOBins shows us how to use this privilege to get a root shell, if we’re not happy with just reading the flag.

reset; sh 1>&0 2>&0

And that’s all she wrote!