THM - Brooklyn NineNine
Introduction
This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.
Per the description, this is a beginner box. Sometimes I battle for hours on these easy rated boxes overlooking something simple or hunting for some particular hidden directory. In this case, I got both flags within 10 minutes of deploying the box. Here’s how.
nmap
As I’m writing this I’ve already gotten both flags and my nmap scan is about 50% completed :/
This one has at least FTP, SSH and HTTP on port 80 and that’s probably all. I cancelled the scan before it finished.
FTP
We have anonymous login, and get one file called note_to_jake.txt. The content is:
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
So maybe there’s a vector there, but in the end we didn’t use it.
Webserver
On the website is a picture from the TV show and the page source literally says: Have you ever heard of steganography?. Well yes, yes I have.
Stego, again.
We can download the image from the root of the webserver and try to extract the hidden data. Running steghide with no password, i.e.
root@kali:steghide extract -sf brooklyn99.jpg
produced an error about the contained data being corrupted. That didn’t sound right, so
root@kali:stegcracker brooklyn99.jpg /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
quickly found the password, which was admin.
The hidden content was:
Holts Password:
fluffydog12@ninenine
Enjoy!!
On the box
Using this password we can ssh in as ‘holt’, and grab the user flag. Next:
holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User holt may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /bin/nanoSince we can run nano as root, we can read root flag immediately using ^R in nano, or GTFOBins shows us how to use this privilege to get a root shell, if we’re not happy with just reading the flag.
nano
^R^X
reset; sh 1>&0 2>&0And that’s all she wrote!