Brooklyn Nine Nine

Stacey Landrum
5 min readFeb 25, 2023

--

This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box.

First let’s do our nmap scan.

Starting Nmap 7.60 ( https://nmap.org ) at 2023-02-25 00:06 GMT
Nmap scan report for ip-10-10-35-173.eu-west-1.compute.internal (10.10.35.173)
Host is up (0.00050s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.115.24
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 02:C3:C4:0A:4C:21 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=2/25%OT=21%CT=1%CU=38440%PV=Y%DS=1%DC=D%G=Y%M=02C3C4%T
OS:M=63F95117%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=
OS:F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms ip-10-10-35-173.eu-west-1.compute.internal (10.10.35.173)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.42 seconds

We see FTP, SSH, and Apache running. Since we have a webapp let’s look at that first.

We can do some directory busting but I will just go to robots.txt manually first.

Just information disclosure. I viewed the source code for the website and since the photo was the primary thing on the website I inspected the element. This seems interesting….

Since it mentions stenography — basically hiding files within files (ie. pictures), I downloaded the picture for analysis. Exiftool didn’t give me much.

Let’s try steghide.

No luck. How about stegseek.

We found note.txt. It was saved as brooklyn99.jpg.out. Let’s view it.

Now we have Holt’s password!! Let’s SSH in.

There is a user.txt where we get our first flag. That was easy!

Let’s look around.

Nothing to see here. Now we need to escalate privilege.

Holt can run nano as root. Perhaps we can read the root flag with nano even if we don’t have root privileges?

It worked!

Let’s see if we can get root another way. We see from our scan that anonymous login is allowed for FTP. Let’s log in.

We see a note that looks interesting.

We see that Jake’s password is weak.

Let’s brute force it.

Yes it is very weak and was discovered quickly. Tsk tsk! Let’s log in.

Looking around there is nothing of note so let’s see if we can escalate privileges.

Jake can run less as root. GTFObins tells us how we can exploit this.

Run the sudo command and add !/bin/sh and we have root! We get our flag!

--

--

Stacey Landrum
Stacey Landrum

Written by Stacey Landrum

Cybersecurity analyst with a CySA+ certification and a background in accounting. Passionate about protecting digital assets & staying ahead of emerging threats.