THM Series #4 Brooklyn Nine Nine

Brooklyn Nine Nine Room

Back after a break with a room dedicated to one of my favorite shows Brooklyn Nine Nine. As per TryHackMe, the room is categorized as easy. The room can be accessed here. I too find it apt for the beginner category and very easy if we follow the guideline to test the basics before going into complexities. Let us start the steps to own this room.

The nmap identified 3 ports open i.e. port 21 running FTP service, port 22 running SSH service and port 80 running HTTP service, and using Apache in the back-end. The nmap also identified FTP to be enabled with the anonymous login.

NMAP Output

Since anonymous login is allowed for FTP, attempted to look at what kind of content is available in the ftp directory. Interestingly found a text file named as a note to Jake.

FTP Content Enumeration

I used get to download the file and cat to view the contents of the file. It was a serious note to Jake from Amy and the first clue. It was to remind that the password used by Jake is weak and can be an issue if Holt comes to know about it to be a cause of the breach.

Message to Jake

Now we have another 2 services pending to be enumerated i.e. HTTP service running on port 80 and SSH running on port 22. I made a mistake here assuming that usually, HTTP service gives information that can be used to get access through SSH. By taking this strategy, I ran gobuster to brute force directories for but no luck. I tried to inspect the home page but no clue there. While trying to dig deep for http service, it struck to me about the clue too weak and I modified my approach and thought to brute force the ssh using Hydra. It did not take long and I had the password with me. The command used to crack the password: “hydra -l jake[username] -P rockyou.txt [file having the most common and weak password ]ssh:// [ssh protocol is being brute forced and the server address with port].

Jake Password Brute Forcing

After finding a match, now it was time to attempt to login via ssh. Jake’s home directory was empty which wasn’t a good indication as I thought I will have to iterate through the contents of all accessible files to check for the flag. Before going for this approach, I navigated to /home and found only 3 directories for Amy, Holt, and Jake. Holt’s directory had the user flag.

User Flag

After owning the user flag, it was time to look for a privilege escalation method to get root access. Following the basics, I attempted to check if what kind of sudo permission is available for jake account. The sudo -l command indicated that we can run /usr/bin/less in sudo mode. I referred to google to find a way to exploit /usr/bin/less utility and I found a way here.

Escalating Privileges

I used less utility to access /etc/hosts and once I had the prompt, I had to just enter !sh to escalate it to root. I quickly looked in Holt’s directory if the root flag is present and yeah, it was not there. I moved to the root folder and found the root.txt file having the flag to own the room.

Root Flag

This room was an easy one but provides practice of enumerating FTP contents and using Hydra to brute force the credentials.

Keep learning till the next write-up.

Up ↑

%d bloggers like this: