TryHackMe | Brooklyn Nine Nine
nmap scan: nmap -T4 -A 10.10.55.133
We have ftp, ssh, and http working, let’s navigate to the website. The website produces a Brooklyn Nine Nine page of a full background picture of a crew:
Since there seems to be no information directly on this page, let’s try to use a directory busting tool. Since it is recommended by the challenge, we are going to use gobuster to try and find directories.
gobuster dir -u [<http://10.10.55.133/>](<http://10.10.55.133/>) -w /usr/share/wordlists/dirb/common.txt
So neither this nor dirbuster found anything of interest, however looking at the source code of the website, I find the following information:
Uh kinda, let’s see what we can do.
Steganography is the practice of concealing information within another message or physical object. In this case, it is extremely likely that there is a message hidden inside the image. Just looking at the image, it is hard to find anything that pops out in my face.
stegcracker in kali is a steganography brute-force tool to uncover hidden data inside files. Let’s try to use it for our image.
To get the desired image, let’s use wget in order to get the corresponding image that the site creator used, so that we have the exact same image to try to find encoding from.
wget <http://10.10.46.123/brooklyn99.jpg>
When launching and trying to run stegcracker, apparently stegseek is listed as a more powerful and quick new application. So we will try and use that.
Running against default rockyou.txt file for common passwords. Also, actually trying the other tool stegcracker might take hours, so use stegseek
