Brooklyn 99 was an interesting room by Fsociet2006, meant for beginners. I say interesting because it incorporated aspects of stego in the process of rooting it, which I haven't seen before in a boot2root type of machine. Overall, the machine was fun and would be good practice for any new player. The room is not too realistic and very much CTF style. Not that it's a bad thing.
Compromising a machine can be a directionless journey. So I start by taking a look at the map.
There is something strange on the FTP server, I grab the file and read it.
I get plenty of information from this. For one, I can confirm the existence of three new users: Amy, Jake and Holt. Furthermore, I know that Jake has weak credentials, which could probably be brute-forced. It looks like there is nothing else in the FTP server. Time to skim over the webserver.
The webserver is only an image. Upon taking a further look at the source, I discover vital info.
Stego? It seems this image could be hiding secret data. I curl /brooklyn99.jpg and pop it into Steghide. I am prompted to enter a password. Wait, didn't Amy say Jake uses a weak password? Could this image belong to Jake? I look online for a stegcracking tool and come across this GitHub repo. After installing it, I run it on the image with the rockyou.txt wordlist.
The password is successfully found and the contents of the hidden data are redirected to a file. Upon viewing this new file, user credentials are exposed.
I can use these credentials to SSH into the machine and own user.
Time to start identifying privesc vectors. I take a look at my current working directory.
How about trying sudo -l on for size?
Great, I have sudo on nano. Time to peek at GTFOBins and own root!
Brooklyn seriously needs to give their security budget more attention!
(thanks flip67 for the 90th time)
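From the defender's side, the sudo rule on nano is the finding to catch before an attacker does. The following is an added example, not part of the original write-up: a small audit that reads `sudo -l` output and flags rules granting interactive programs. The sample output, the user and host names, and the short ESCAPABLE list are assumptions made for illustration.

```python
import os
import re

# Assumption: a short, non-exhaustive set of programs that GTFOBins lists as
# usable to break out of a restricted sudo rule. Extend it for real audits.
ESCAPABLE = {"nano", "vi", "vim", "less", "more", "man", "find", "awk", "ed"}

# Constructed sample of `sudo -l` output; user and host names are placeholders.
SAMPLE = """\
User alice may run the following commands on examplehost:
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
    (www-data) NOPASSWD: /usr/bin/whoami
"""

# Rule shape: "(runas[:group]) [TAG: ...] command[, command ...]"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit(sudo_l_output):
    """Return one finding per sudo rule entry that grants a risky command."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults entry, or blank line
        users = [u.strip() for u in m["runas"].split(":")[0].split(",")]
        as_root = any(u in ("ALL", "root") for u in users)
        nopasswd = "NOPASSWD:" in m["tags"]
        # Simplification: commas escaped as "\," in arguments are not handled.
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif binary in ESCAPABLE:
                reason = f"{binary} is interactive and not confined by sudo"
            else:
                continue
            findings.append({"command": cmd, "as_root": as_root,
                             "nopasswd": nopasswd, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Where an editor really is needed under sudo, `sudoedit` with a fixed file path is the usual replacement for granting the editor binary itself.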