# Brooklyn99 THM

## <mark style="color:blue;">**Brooklyn99 Machine**</mark>

### *From* [*<mark style="color:red;">**TryHackMe**</mark>*](https://tryhackme.com/room/brooklynninenine) *Website with {Easy Difficulty}*

![](https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FJ9I9nzMXRSWxEtZwQPYj%2F95b2fab20e29a6d22d6191a789dcbe1f.jpeg?alt=media\&token=35b7ea7f-2d70-41bf-9544-53ca2ea7a97e)

### <mark style="color:yellow;">**Table of Contents:**</mark>

* [Information Gathering](#_toc102177854)
* [Hydra Brute-Force](#_toc102177855-1)
* [User Flag](#_toc102177859)
* [Privilege Escalation](#privilege-escalation)
* [Root Flag](#_toc102177860)
* [References](#_toc102177861)

---

### <mark style="color:yellow;">Information Gathering</mark> <a href="#toc102177854" id="toc102177854"></a>

### <mark style="color:orange;">Nmap Scanning</mark> <a href="#toc102177855" id="toc102177855"></a>

`└──╼$ nmap -sCV 10.10.140.111`

![](https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2Fhr0xZMLYWqNrypiYhxfg%2FScreenshot_2022-10-07_11_39_01.png?alt=media\&token=7cfca68c-efe6-491e-9abb-ef3e6b5dc923)

We found the **FTP** port open with **anonymous login allowed**, plus two other open ports (**22** and **80**), so let's check the **FTP** service first.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FVN0lalFik7MOHXHCi3Iu%2FScreenshot_2022-10-07_11_39_46.png?alt=media&#x26;token=880ae29b-6463-42fc-aec5-163880041310" alt="test"><figcaption></figcaption></figure>

After logging in over FTP we get a file named "**note\_to\_jake.txt**" with this message:

`From Amy,`

`Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine.`

### <mark style="color:orange;">Hydra Brute-Force</mark> <a href="#toc102177855" id="toc102177855"></a>

This is a hint to brute-force Jake's password, so here we use **Hydra** to **brute-force** Jake's **SSH** password with this command:

`└──╼$ hydra -l jake -P /usr/share/wordlists/rockyou.txt ssh://10.10.140.111 -t 4`

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2F4RHlry3Td9R8Vu6x4Fmo%2FScreenshot_2022-10-07_11_51_22.png?alt=media&#x26;token=8cb75baa-13fd-49ba-a12c-74cb5c3366f5" alt=""><figcaption></figcaption></figure>

While **Hydra** takes its time to **brute-force** Jake's password, let's gather some more information with **Gobuster**.

### <mark style="color:orange;">Gobuster Scanning</mark> <a href="#toc102177856" id="toc102177856"></a>

`└──╼$ gobuster dir -u http://10.10.140.111/ -w /usr/share/wordlists/dirb/common.txt`

![](https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FMbf4rwLowjKbcvRQXdRR%2FScreenshot_2022-10-07_11_38_45.png?alt=media\&token=d80cfd90-9eaf-4709-96ba-f616702eac5b)

We have nothing useful here, let’s take a look at the website.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FPucm51gtxQwF4ZteyLuy%2FScreenshot_2022-10-07_11_16_15.png?alt=media&#x26;token=dc5464e8-f140-4e03-bb60-9c83a76cb9c8" alt=""><figcaption></figcaption></figure>

Again, nothing useful here either, so let's look for something else, like the **source code** of the website.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FKRZfBsJtL0YYq7qrgdlb%2FScreenshot_2022-10-07_11_17_08.png?alt=media&#x26;token=2dda580f-1bd2-4ddc-8dbe-91f5782dfacd" alt=""><figcaption></figcaption></figure>

There's an interesting comment here that says "**Have you ever heard of steganography?**", so I decided to download the website image and check it.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FPOAKdaQ1LEmQ2CqTZfWb%2FScreenshot_2022-10-07_11_37_46.png?alt=media&#x26;token=3771934b-d72e-492e-b7d4-7ed31d174f06" alt=""><figcaption></figcaption></figure>

We could not find anything useful in this image using the exiftool and steghide tools.

### <mark style="color:orange;">User Flag</mark> <a href="#toc102177859" id="toc102177859"></a>

Let's get back to our **Hydra brute-force**: we got this credential for Jake:

`jake:987654321`, so let's log in to Jake's account.

`└──╼$ ssh jake@10.10.253.221`\
`password: 987654321`

![](https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FDF6GH1U72osY2Yp0OVpA%2Fcopy2.png?alt=media\&token=291ae593-37ff-4286-ac64-6574b3fbc6ac)
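What the brute-force and the login that follows look like from the server side, as an added example (not part of the original write-up): a detector over sshd auth-log lines that flags a source with a burst of failed passwords and notes any account it then logs in to. The log lines, host name and addresses are constructed, and the threshold, window and year are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog format; host name and addresses are made up.
SAMPLE_LOG = "\n".join(
    [f"Oct  7 11:50:{s:02d} nine-nine sshd[1201]: Failed password for jake "
     f"from 10.9.0.5 port {40100 + s} ssh2" for s in range(0, 36, 6)]
    + ["Oct  7 11:50:40 nine-nine sshd[1201]: Accepted password for jake from 10.9.0.5 port 40140 ssh2",
       "Oct  7 11:52:03 nine-nine sshd[1302]: Failed password for holt from 10.9.0.77 port 51000 ssh2",
       "Oct  7 11:52:09 nine-nine sshd[1302]: Accepted password for holt from 10.9.0.77 port 51002 ssh2"]
)

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5), year=2022):
    """Alert on any source with >= threshold failed logins inside `window`,
    and record accounts that source then logged in to (likely guessed)."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    alerts = {}                 # ip -> alert record
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; `year` is supplied by the caller.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            recent[ip] = [t for t in recent[ip] if when - t <= window] + [when]
            if len(recent[ip]) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "failures": 0, "targets": set(), "compromised": []})
                alert["failures"] = max(alert["failures"], len(recent[ip]))
                alert["targets"].add(user)
        elif ip in alerts and user not in alerts[ip]["compromised"]:
            # A success from a source that already tripped the threshold.
            alerts[ip]["compromised"].append(user)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from the second address stays below the threshold, so only the burst against `jake` is reported.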

We cannot find the user.txt file in Jake's home directory, so let's look for it with the find command:

`└──╼$ find -type f -name "user.txt"`

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FhlPTwktDe05tbdXyc6EP%2Fcopy3.png?alt=media&#x26;token=7286958f-5101-4442-9ea7-9b34c5e802e3" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2Fxg8fYITeDrHRMtuvKfor%2FScreenshot_2022-10-08_13_58_16.png?alt=media&#x26;token=bb33271c-1bae-41bd-9e16-7d27f9205c2e" alt=""><figcaption></figcaption></figure>

And now we have the user flag at this location -> `./home/holt/user.txt`

### <mark style="color:yellow;">Privilege Escalation</mark>

### <mark style="color:orange;">Root Flag</mark> <a href="#toc102177860" id="toc102177860"></a>

Now let's find out which commands we can run as root, using this command:

`└──╼$ sudo -l -l`

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FEcYfgutt2yrPmSPgMvYS%2FScreenshot_2022-10-08_14we_38_26.png?alt=media&#x26;token=8e3328f6-a96b-4b03-8f18-cf9bb4ac3f63" alt=""><figcaption></figcaption></figure>

I found that the **`less`** command can be executed as root.

Using this command, we have two ways to get the root flag:

1- Using this command: `└──╼$ sudo less /root/root.txt`

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FesIupL8HAyK7dJ7XXPB1%2F12.png?alt=media&#x26;token=50c4986c-f037-4b7c-9dd1-d267a9ee7e6a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FMOJ4TbrUrxIlmtIhuMD7%2FScreenshot_2022-10-08_14_43_37.png?alt=media&#x26;token=ae0eeb44-a09a-4800-bc34-3cca5bbb39c9" alt=""><figcaption></figcaption></figure>

2- Using the GTFOBins website to look up the `less` command

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FpgzjKiG3clxz5BnhUVsJ%2F15.png?alt=media&#x26;token=cb81242e-1834-4e5e-84b2-eba8abbed70f" alt=""><figcaption></figcaption></figure>

So let's try these commands on the machine by creating a file and running a shell from within it, like this:

`touch file.txt` + **Enter**

`sudo less file.txt` + **Enter**

`!/bin/sh` + **Enter**

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FKEAxqwSCENnNvfpL3hlr%2F20.png?alt=media&#x26;token=63af9227-ff43-45e6-b3e7-85e99f9552b8" alt=""><figcaption></figcaption></figure>

Here we go: now we are the **Root** user and can easily get the root flag.

Congratulations, the machine has been pwned!!

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2F30jjcdyl2wg8A498PiAA%2FScreenshot_2022-10-08_14_46_45.png?alt=media&#x26;token=73ffdc6d-471b-457b-afc0-384ba2231ed1" alt=""><figcaption></figcaption></figure>
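From the defender's side, the `sudo less` finding above is a sudoers rule that an audit can catch. The following added example (not from the original write-up) scans a sudoers fragment for pagers and editors granted without the `NOEXEC` tag; the fragment and its users' rules are constructed, and the program list is an assumed, non-exhaustive set.

```python
import os
import re

# Constructed sudoers fragment: one weak rule granting less, plus tighter ones.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
jake ALL=(ALL) NOPASSWD: /usr/bin/less
amy  ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
holt ALL=(root) /bin/cat /var/log/auth.log, /usr/bin/vim /etc/hosts
"""

# Assumed, non-exhaustive set of pagers/editors that can start a shell from inside.
SHELL_ESCAPE = {"less", "more", "man", "vi", "vim", "view"}
SPEC = re.compile(
    r"^(?P<user>[\w%.-]+)\s+\S+?\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")


def audit_sudoers(text):
    """Return rules that grant a shell-escape-capable program without NOEXEC."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments/includes, Defaults and *_Alias definitions.
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        tags = set()  # sudoers tags carry over to later commands in the same rule
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t[1] in ("EXEC", "PASSWD"):   # cancels an earlier NOEXEC / NOPASSWD
                    tags.discard("NO" + t[1])
                else:
                    tags.add(t[1])
                cmd = cmd[t.end():]
            parts = cmd.split()
            if parts and os.path.basename(parts[0]) in SHELL_ESCAPE and "NOEXEC" not in tags:
                findings.append({
                    "user": m["user"],
                    "runas": m["runas"] or "root",
                    "command": cmd,
                    "nopasswd": "NOPASSWD" in tags,
                    "args_pinned": len(parts) > 1,
                })
    return findings
```

`NOEXEC` only stops the program from executing other programs; a pager run as root still reads with root's privileges, so a fixed read-only command on one path is the tighter grant.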

### <mark style="color:yellow;">References</mark> <a href="#toc102177861" id="toc102177861"></a>

* <https://gtfobins.github.io/#less>
