TryHackMe write-up: Brooklyn Nine Nine (First Method)

Introduction

This is my write-up for TryHackMe’s Brooklyn Nine Nine Room. According to the room description, there are 2 ways to root the box. However, I will only describe the first method I found. The 2nd method will be described in the next post.

Enumeration

Using nmap, I saw that this box is running FTP, SSH and HTTP.

Checking the webpage from my browser, I saw the following:

Exploitation

The webpage looked like a dead end, but when I checked the source code, I saw a clue:

Steganography? Sounds interesting…

I decided to download the file brookyn99.jpg. Running steghide, it looked like there was actually something hidden in the file.

However, it is password-protected.

Maybe stegcracker can crack it? Running stegcracker, I was able to extract the hidden contents.

Checking the hidden file, I found the credentials for 1 user:

Using the credentials, I was able to connect to the target via SSH.

Privilege Escalation

Checking for sudo privileges, I found that I could run nano under sudo.

According to GTFOBins, nano can be used to elevate privileges.

Running sudo /bin/nano opens up the nano text editor. From inside nano, I simply followed the steps shown in GTFOBins and typed:

^R^X
reset; sh 1>&0 2>&0

This then opened another sh shell with root privileges.
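From the defender's side, the sudo rule for nano is the misconfiguration to catch before it ships. The following is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that grant `ALL` or a binary with a known shell escape. The `SHELL_ESCAPE` list is a small illustrative subset of GTFOBins entries, and the sample output, user name and host name are constructed.

```python
import posixpath
import re

# Illustrative subset of binaries that GTFOBins lists as able to spawn a shell
# under sudo; extend it from GTFOBins before relying on it (assumption).
SHELL_ESCAPE = {"nano", "vi", "vim", "less", "more", "man", "find", "awk",
                "ed", "env", "perl", "python", "python3", "bash", "sh"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")  # "(ALL) ..."
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")                # "NOPASSWD: SETENV: "

# Constructed sample of `sudo -l` output (user and host names are made up).
SAMPLE = """\
Matching Defaults entries for alice on host:
    env_reset, mail_badpass

User alice may run the following commands on host:
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/id, /usr/bin/less /var/log/syslog
    (www-data) NOPASSWD: /usr/bin/whoami
"""


def audit_sudo_l(output):
    """Return one finding per granted command that is ALL or shell-capable."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers, Defaults entries, blank lines
        run_users = [u.strip() for u in m["runas"].split(":")[0].split(",")]
        tags = TAGS.match(m["rest"])
        tag_text = tags.group(0) if tags else ""
        for spec in m["rest"][len(tag_text):].split(","):
            spec = spec.strip()
            if not spec:
                continue
            binary = posixpath.basename(spec.split()[0])
            if spec == "ALL" or binary in SHELL_ESCAPE:
                findings.append({
                    "command": spec,
                    "as_root": any(u in ("ALL", "root") for u in run_users),
                    "nopasswd": "NOPASSWD:" in tag_text,
                    "noexec": "NOEXEC:" in tag_text,  # limits shell escapes
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f)
```

Where a user genuinely needs to edit one root-owned file, a `sudoedit` rule for that file avoids running the editor itself as root.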

m0ndzon3
