TryHackMe: Brooklyn Nine Nine is a beginner-level boot2root style challenge. The goal of the challenge is to find and read the contents of the user.txt and root.txt files located on the machine. Brooklyn Nine Nine shows the importance of information gathering and how to use it to gain access to a system. It also highlights the importance of avoiding weak passwords. As noted by the challenge’s author, there are two main intended ways to complete this room. This write-up goes through one of the solutions.
Information Gathering
After booting the machine up, I use Nmap to scan every port at the IP address.
Looking at these results, we see that the FTP port is open and allows anonymous FTP login. Highlighted above, the user anonymous has read/write privileges to the file note_to_jake.txt.
Exploitation
Using the command ftp 10.10.207.118 and entering anonymous as the username, any password is accepted and logs us in. After logging in, we can see that there is a note_to_jake.txt file waiting for us. The command get note_to_jake.txt will then download the file to our client.
Amy is letting us know that Jake has a weak password. We can then use a tool called Hydra to brute-force Jake’s SSH password.
By setting the username and using the rockyou.txt password list, we can launch a dictionary attack against the server’s SSH service. The results show that Jake’s password is 987654321.
We can SSH into the server using Jake’s credentials.
Post Exploitation
By knowing which directory we are in on the system, we can start having a look around. By changing to Holt’s directory, we can locate and read the user.txt document, which holds the user flag of this challenge.
Now it is time to use privilege escalation techniques to become root on the system. The sudo -l command lists the allowed (and forbidden) commands for the invoking user.
As we can see, the user Jake is allowed to run the less command through sudo. Going to GTFOBins, we can find a section that tells us how we can use this command to become root.
And there you have it. We now have root access over this machine and can change to the root directory to read the root.txt flag.
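From the defender's side, the same sudo -l output can be checked automatically for grants like the one abused here. The script below is an added example, not part of the original write-up; the sample output, the host placeholder and the short list of shell-escape binaries are constructed assumptions for illustration.

```python
import re

# Sample subset of binaries with an interactive shell escape (pagers and
# editors); an assumption for this example, not a complete list.
SHELL_ESCAPE = {"less", "more", "man", "vi", "vim", "view"}

# Constructed `sudo -l` output; the host name is a placeholder.
SAMPLE = """\
User jake may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /sbin/reboot, /usr/bin/vim /etc/motd
    (ALL : ALL) ALL
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit(sudo_l_output):
    """Return (runas, command, reason) for each risky sudo grant."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        noexec = False
        for cmd in (c.strip() for c in m.group("rest").split(",")):
            # Peel off tags such as NOPASSWD: or NOEXEC:. A tag carries over
            # to later commands in the same rule until EXEC: resets it.
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOEXEC", "EXEC"):
                    noexec = t.group(1) == "NOEXEC"
                cmd = cmd[t.end():]
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((m.group("runas"), cmd, "unrestricted"))
            elif binary in SHELL_ESCAPE and not noexec:
                findings.append((m.group("runas"), cmd, "shell escape"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

NOEXEC only stops the program from running further commands; a pager running as root can still read any file, so a narrower grant is the better fix.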
Conclusion
Overall, this was a pretty straightforward challenge. I would recommend it to new hackers as their first challenge on TryHackMe. Doing this challenge has taught me about network mapping, brute force, and Linux privilege escalation.