TryHackMe write-up: Brooklyn Nine Nine (First Method)

Introduction

This is my write-up for TryHackMe's Brooklyn Nine Nine Room.  According to the room description, there are 2 ways to root the box.  However, I will only describe the first method I found.  The 2nd method will be described in this post.

Enumeration

Using nmap, I saw that this box is running FTP, SSH and HTTP.



Checking the webpage from my browser, I saw the following:


Exploitation

The webpage looked like a dead end, but when I checked the source code, I saw a clue:


Steganography?  Sounds interesting...

I decided to download the file brookyn99.jpg.  Running steghide, it looked like there was actually something hidden in the file.


However, it is password-protected.  

Maybe stegcracker can crack it?  Running stegcracker, I was able to extract the hidden contents.



Checking the hidden file, I found the credentials for 1 user:


Using the credentials, I was able to connect to the target via SSH.


Privilege Escalation

Checking for sudo privileges, I found that I could run nano under sudo.


According to GTFOBins, nano can be used to elevate privileges.

Running sudo /bin/nano opens up the nano text editor.  From inside nano, I simply followed the steps shown in GTFOBins and typed:

^R^X
reset; sh 1>&0 2>&0

This then opened another sh shell with root privileges.
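
From the defender's side, the sudo rule used above is the kind of entry a sudoers audit should flag. The following is an added example, not part of the original write-up: the watch list is a short illustrative subset, and the sample `sudo -l` output (user and host names included) is constructed.

```shell
#!/bin/sh
# Added example: flag sudo rules that allow binaries with known shell escapes.
# ESCAPE_BINS is a short illustrative subset, not a complete GTFOBins export.
ESCAPE_BINS="nano vi vim less more man awk find"

# audit_sudo_rules: reads `sudo -l` style output on stdin and prints one
# line per finding in the form "<severity> <command> <reason>".
audit_sudo_rules() {
    set -f                                # command paths may contain glob characters
    while read -r line; do                # read trims the leading indentation
        case "$line" in
            "("*")"*) ;;                  # rule lines: "(runas) [TAG:] cmd, cmd"
            *) continue ;;                # headers, Defaults lines, blanks
        esac
        rule=${line#*)}                   # drop the "(runas)" prefix
        noexec=no                         # NOEXEC carries over to later commands
        old_ifs=$IFS; IFS=,
        set -- $rule                      # split the command list on commas
        IFS=$old_ifs
        for entry in "$@"; do
            path=
            for tok in $entry; do         # tags come before the command path
                case "$tok" in
                    /*|ALL)    path=$tok; break ;;
                    *NOEXEC:*) noexec=yes ;;
                    *EXEC:*)   noexec=no ;;
                esac
            done
            [ -n "$path" ] || continue
            base=${path##*/}
            if [ "$path" = ALL ]; then
                echo "HIGH ALL unrestricted-sudo"
            elif case " $ESCAPE_BINS " in *" $base "*) true ;; *) false ;; esac; then
                if [ "$noexec" = yes ]; then
                    echo "INFO $path shell-escape-blocked-by-NOEXEC"
                else
                    echo "HIGH $path shell-escape-as-root"
                fi
            fi
        done
    done
    set +f
}

# Constructed sample input (user and host names are made up).
SAMPLE='User alice may run the following commands on host1:
    (ALL) NOPASSWD: /bin/nano
    (root) NOEXEC: /usr/bin/less, /usr/bin/systemctl status nginx
    (root) /usr/bin/find'

printf '%s\n' "$SAMPLE" | audit_sudo_rules
```

Where a rule exists only so that a user can edit one file, sudoedit on that file runs the editor as the invoking user rather than as root.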

