TryHackMe write-up: Brooklyn Nine Nine (First Method)

m0ndzon3
Jun 24, 2021

Introduction

This is my write-up for TryHackMe’s Brooklyn Nine Nine Room. According to the room description, there are 2 ways to root the box. However, I will only describe the first method I found. The 2nd method will be described in the next post.

Enumeration

Using nmap, I saw that this box is running FTP, SSH and HTTP.

Checking the webpage from my browser, I saw the following:

Exploitation

The webpage looked like a dead end, but when I checked the source code, I saw a clue:

Steganography? Sounds interesting…

I decided to download the file brookyn99.jpg. Running steghide suggested that there is actually something hidden in the file.

However, it is password-protected.

Maybe stegcracker can crack it? Running stegcracker, I was able to extract the hidden contents.

Checking the hidden file, I found the credentials for 1 user:

Using the credentials, I was able to connect to the target via SSH.

Privilege Escalation

Checking for sudo privileges, I found that I could run nano under sudo.

According to GTFOBins, nano can be used to elevate privileges.

Running sudo /bin/nano opens up the nano text editor. From inside nano, I simply followed the steps shown in GTFOBins and typed:

^R^X
reset; sh 1>&0 2>&0

This then opened another sh shell with root privileges.
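
From the defender's side, the sudo grant used above is something a sudoers audit can catch. The following is an added example, not part of the original write-up: the sample sudoers lines, the user names and the short SHELL_ESCAPE list are constructed for illustration, and the parser only handles simple user specifications (aliases are not expanded).

```python
import os
import re

# Illustrative subset of programs with documented shell escapes (assumption:
# a real audit would use a fuller list, e.g. built from GTFOBins).
SHELL_ESCAPE = {"nano", "vi", "vim", "less", "more", "man", "find", "awk"}

# One command spec: optional "(runas)", optional "TAG:" prefixes, then the command.
SPEC = re.compile(r"^\s*(?:\([^)]*\)\s*)?(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.*)$")

# Constructed sample; users and grants are hypothetical, not from the room.
SAMPLE = """\
Defaults env_reset
alice ALL=(ALL) NOPASSWD: /bin/nano
bob   ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
carol ALL=(root) /sbin/reboot, /usr/bin/vim
"""

def audit_sudoers(text):
    """Return (user, command, reason) for each risky grant in sudoers text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Skip blanks, Defaults and alias definitions (aliases are not expanded).
        if "=" not in line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        who, rhs = line.split("=", 1)
        user = who.split()[0]
        noexec = False  # a tag applies to later commands in the same list too
        for part in rhs.split(","):
            m = SPEC.match(part)
            tags = m.group("tags").replace(":", " ").split()
            if "NOEXEC" in tags:
                noexec = True
            elif "EXEC" in tags:
                noexec = False
            cmd = m.group("cmd").strip()
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted command list"))
            elif os.path.basename(cmd.split()[0]) in SHELL_ESCAPE and not noexec:
                findings.append((user, cmd, "shell escape possible without NOEXEC"))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE):
        print(f"{user}: {cmd} -> {reason}")
```

Where a user only needs to edit specific files, granting sudoedit for those files keeps the editor itself running as the invoking user rather than as root.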
