One of the tools that might be used for extracting hidden data from the image, is Steghide. And by checking the file type, we can see that this is a usual JPEG image. Unfortunately, nothing strange seems to be hidden in EXIF data. There is a chance that some interesting information is stored. The first thing we should check in that image is the EXIF data.
Remember that image and hint about steganography? Well, that’s another way how we can root Brooklyn Nine Nine room. We can check the root flag: Second method sudo -lĪnd we can see that Jake can run less command:Īfter executing the following: less /root/root.txt Let’s check if our user has any permissions to execute specific commands as sudo. And because we had not logged in not as root, by default we are not able to read root’s files. Now in order to get the second flag, we need to be able to read the file that is in the root’s directory. And after checking Holt’s home directory, we see that there is a file called user.txt, which has a flag. However, after going to the parent directory we can see there are other users.
#BROOKLYN NINE NINE THE TAGGER SCRIPT PASSWORD#
Let’s try logging in as Jake with the password we just found: ssh need to get the user’s flag, but we can see there’s nothing in Jake’s home directory. And for this purpose, we will use Hydra: hydra -l jake -P /usr/share/wordlists/rockyou.txt IP_ADDRESS -t 4 sshĪfter a moment, the attack finished and we get Jake’s password. First methodĪs we do know that Jake’s password is weak, we might try to brute force his password for SSH login. Now we know that Jake has a weak password, and there is a person called Holt, which is probably Jake’s manager and might also have access to the server.Īnd this is the moment when we can approach this room in two different ways. If you take a look at what files there are, you will find a text file named note_to_jake.txt.ĭownloading this file is pretty easy, just execute get note_to_jake.txt, and the file will be downloaded into your current directory.Įxit the FTP server with exit command, and take a look at what’s inside the note: Enter anonymous when asked for a name, and leave blank for the password: ftp IP_ADDRESS First of all, log in to the FTP with an anonymous user. Also, remember that text file with the note? Let’s try to get it. We do know that there is anonymous FTP access enabled. Open the image, right-click on it and save it to your machine.Īs there are two ways how you can root this room, let’s leave this image for now, as both ways will be covered in the following TryHackMe Brooklyn Nine Nine walkthrough subsections. Now we do know there’s something hidden in the image. We had not found any hidden directories, so from our perspective, it is the only thing we have. What can we do next, is to visit the website (we should’ve done this from the beginning, right?). Unfortunately, Nikto also does not return us anything interesting. It might found vulnerabilities or weird things about the target: nikto -host IP_ADDRESS What we might also try, is doing the Nikto web scan. This, unfortunately, does not bring us anything interesting. Firstly, let’s start the GoBuster to see if there are any hidden directories, and PHP or HTML files: gobuster dir -u IP_ADDRESS -w /usr/share/wordlists/dirbuster/ -x php,html We will investigate the anonymous FTP access later, but before that let’s run some scans against the webserver. This is definitely one of the things that intrigue us. What’s also interesting, that there is a file called note_to_jake.txt on the FTP server. As the default scripts were used by nmap, it was investigated that there is anonymous FTP access enabled.
We can see that there are three open ports: 21 (FTP), 22 (SSH), and 80 (HTTP). The scan returns us a few interesting things: We will use default Nmap scripts ( -sC), and version detection ( -sV): nmap -sC -sV IP_ADDRESS As the initial phase is reconnaissance, actions we will make will stay the same no matter what method you intend to use later. WalkthroughĪs I’ve already mentioned, you can get the flags from the Brooklyn Nine Nine machine in separate ways.
What you should also know about this room, is that there are two ways to root it. Anyway, that’s just a guess, and we will see later if this guess is right. If you are familiar with other THM machines, you might guess that getting the root flag will require privilege escalation. In fact, there are just two tasks – getting the user flag, and the root flag. TryHackMe Brooklyn Nine Nine room’s overviewĪs this room is aimed at beginners, it does not have any complex tasks.
0 kommentar(er)
