THM: Brooklyn Nine Nine

Initial Access

Our initial web server shows us that we have an FTP server with anonymous login available.

There is only one file available. Use get to download it or more to view it over FTP.

We know that the user Jake has a bad password, which means he may be vulnerable to brute forcing. Let’s enumerate a little further first, though.

The web server only displays a single photo.

The source code reveals a hint.

Let’s download the image and find the secret message.

We now have Holt’s password, so let’s log in over SSH.

We find the user flag in Holt’s home directory. Now let’s try to escalate our privileges.

Holt has permission to run nano with sudo, so we can view the root flag inside the text editor.

The Other Way

Earlier we thought we might be able to brute force Jake’s account, so let’s try it.

Now that we have his password, let’s log in.

Jake also had the user flag in his home directory.

Jake’s privilege escalation is very similar to Holt’s, except he has permission to run the less command instead of nano. This lets us view the file with root permissions.
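
Both paths end on the same misconfiguration: a sudo grant for an interactive editor or pager. The following audit check is an added example, not part of the original write-up; it scans sudoers-style lines and reports grants that run such a tool as root. The sample lines, the function names and the tool list beyond nano and less are assumptions.

```python
import os
import re

# Editors and pagers that open any file the operator names. nano and less are
# the two from this write-up; the rest of the set is an added assumption.
INTERACTIVE = {"nano", "less", "more", "vi", "vim", "view"}

# Simplified user spec: who host = (runas) TAG: cmd, cmd ...  (aliases not expanded)
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample input, not taken from the target machine.
SAMPLE = """\
Defaults env_reset
# per-user grants
holt   ALL=(ALL) NOPASSWD: /bin/nano
jake   ALL=(ALL) NOPASSWD: /usr/bin/less
amy    ALL=(root) /usr/sbin/service nginx restart
backup ALL=(backup) /usr/bin/less /var/log/backup.log
"""

def runs_as_root(runas):
    """No runas list means root; otherwise look at the user part before ':'."""
    if runas is None:
        return True
    users = [u.strip() for u in runas.split(":")[0].split(",")]
    return "root" in users or "ALL" in users

def audit_sudoers(text):
    """Return (who, command, reason) for each grant that exposes files as root."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = SPEC.match(line)
        if not m or not runs_as_root(m["runas"]):
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                findings.append((m["who"], cmd, "unrestricted root"))
            elif cmd and os.path.basename(cmd.split()[0]) in INTERACTIVE:
                findings.append((m["who"], cmd, "interactive editor/pager as root"))
    return findings

if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE):
        print(f"{who}: {cmd} -> {reason}")
```

The backup entry is not reported because its run-as user is not root, and the amy entry because the command is not an editor or pager.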