TryHackMe: Brooklyn Nine Nine Walkthrough (Method-2)
--
This is an another method to solve this room. After doing port scanning I found that http service is running on port 80.
I open the web page in browser using the MACHIN_IP. The page contains an image and one line written at the bottom.
On viewing the page source I saw a comment line which points towards steganography.
So I saved the image in my system and used steganography tools to find out the hidden message in the image. Steghide failed bit stegcracker worked right.
Using the command: stegcracker brooklyn99.jpg rockyou.txt
The stegcracker tool saves the output in brooklyn99/jpg.out file. Using cat command to read the content of output file. It gave me the password of user Holt.
While port scanning I found that ssh service is running on port 22. So, using above username and password I connected to ssh service. And got the user flag after reading the content of user.txt.
Now, for privileges escalation use sudo -l command to find out the directory which can be used by the user holt as root.
The result says that the user can run sudo command on /bin/nano. It means that user can use the /bin/nano directory as root user.
Checking on GTFObins, whether we can exploit the above directory or not. I got that the nano can be exploited.
Following the steps given in GTFObins:
- sudo /bin/nano
- ctrl+R
- ctrl+X
- reset; sh 1>&0 2>&0
- Press Enter.
As soon as we press enter we will get another shell. Run hostname command to find out the host. Use cat command to read the root flag.
Successfully completed the room :-)
Thank you!!!
