TryHackMe CTF: Brooklyn Nine Nine

 TryHackMe: Brooklyn Nine Nine CTF

Today, we are going to walkthrough the Easy rated TryHackMe room, "Brooklyn Nine Nine." This was an extremely fun room, and as fan of the show, I was excited to get this machine started. Lets dive in! 


Let's start out by adding this machine to our Hosts file, then running our Nmap scan.

Okay, so we have FTP, SSH and a web server running on this machine. The first thing that jumps out is the Anonymous login for FTP, with a readable text file called "note_to_jake." Let's go grab that

Now that we have the file, we read it and see that it's a note from Amy telling Jake to change his password to something stronger so Holt doesn't get mad if B99 gets hacked.

We have 3 possible usernames here, Jake, Amy and Holt. Let's keep this aside for now and head to the web server. 

Once we get to the web server, we see just a picture of the Brooklyn Nine Nine cast. First thing I always do is check the source code.

Immediately we see a note that was left asking if we've heard of Steganography. Okay, so there is clearly something hidden in that picture on the web servers main page. We can use the URL listed in the source code above to navigate to the source of the image to download it.

I use a tool called Steghide to see if I can see what's hidden in this image, but find out that it's password protected.

We can use a tool called Stegcracker to see if we can crack this password. I'm just going to use the standard RockYou.txt to attempt this first. After a few minutes, we can see that Stegcracker was able to successfully crack the password

Awesome, so let's go back and use Steghide to extract the data inside this file now that we have the password.

Okay so we have another text file called "note.txt" and if we read this, we can see we have a confirmed username along with a password!


The exploitation of this machine is very simple. The first thing I did was attempt to use the username/password to SSH into the machine 

Success! Let's go grab the user flag! 


So since we have Holt's password, let's just run a sudo -l command and see if we can run anything as root without a password. 

Okay, so we can run Nano as root without a password. Being able to run Nano, a text editor, as root means we can edit any file we want as root as long as we use the Nano editor. If we can do that, why not just attempt to change the Sudoers file to allow holt to run anything as root, without a password? 

Now that it let us save that, let's simply type "sudo su" and see if we get root. Well, we sure do and we can go and grab the root flag! 


   Overall, this was a very simple, yet really fun box! I am glad I was able to stumble across this box as again, I'm a huge fan of the show! Hopefully this guide provided some help if you were stuck! 

Popular Posts