TryHackMe write-up: Brooklyn Nine Nine (First Method)

Introduction

This is my write-up for TryHackMe’s Brooklyn Nine Nine Room. According to the room description, there are 2 ways to root the box. However, I will only describe the first method I found. The 2nd method will be described in the next post.

Enumeration

Using nmap, I saw that this box is running FTP, SSH and HTTP.

Checking the webpage from my browser, I saw the following:

Exploitation

The webpage looked like a dead end, but when I checked the source code, I saw a clue:

Steganography? Sounds interesting…

I decided to download the file brookyn99.jpg. Running steghide, it looked like there was actually something hidden in the file.

However, it is password-protected.

Maybe stegcracker can crack it? Running stegcracker, I was able to extract the hidden contents.

Checking the hidden file, I found the credentials for 1 user:

Using the credentials, I was able to connect to the target via SSH.

Privilege Escalation

Checking for sudo privileges, I found that I could run nano under sudo.

According to GTFOBins, nano can be used to elevate privileges.

Running sudo /bin/nano opens up the nano text editor. From inside nano, I simply followed the steps shown in GTFOBins and typed:

^R^X
reset; sh 1>&0 2>&0

This then opened another sh shell with root privileges.
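From the defender's side, the sudo rule that made this step possible can be caught in review. The following is an added example, not part of the original write-up: a small audit over `sudo -l` output that flags root-equivalent rules granting a program with a built-in shell escape. The sample listing, the user and host names, and the short binary list are constructed for illustration.

```python
import os
import re

# Illustrative subset of programs GTFOBins lists as able to spawn a shell
# when run through sudo (an assumption of this example; extend as needed).
SHELL_ESCAPE_BINARIES = {"nano", "vi", "vim", "less", "more", "man", "find", "awk"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudo_listing(text):
    """Return findings for rules that run a shell-capable program as root."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and Defaults lines carry no rule
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue  # only root-equivalent rules are reported here
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Simplification: commas escaped inside arguments are not handled.
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            path = cmd.split()[0]
            if path == "ALL":
                reason = "unrestricted command set"
            elif os.path.basename(path) in SHELL_ESCAPE_BINARIES:
                reason = "program can spawn a shell from inside itself"
            else:
                continue
            findings.append({"command": cmd, "nopasswd": nopasswd, "reason": reason})
    return findings

# Constructed sample of `sudo -l` output (not taken from the target box).
SAMPLE = """\
User alice may run the following commands on host1:
    (ALL) NOPASSWD: /bin/nano
    (root) /sbin/reboot, /usr/bin/less /var/log/syslog
    (www-data) /usr/bin/vim
"""

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print(f["command"], "| NOPASSWD" if f["nopasswd"] else "|", f["reason"])
```

Where a user only needs to edit a specific file as root, a sudoedit rule for that file avoids running the editor itself with root privileges.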

m0ndzon3
