TryHackMe Brooklyn99 Walkthrough.

This is a walkthrough for TryHackMe room Brooklyn Nine Nine

Let’s scan the machine with rustscan for ports

rustscan -a IP

We have 3 port’s open

21 — FTP

22 — SSH

80 — HTTP

Time to get User flag

Let’s see if anonymous login is allowed in FTP.

Yes, login with anonymous is allowed. Let’s see what files are in the folder.

We find 3 usernames — Holt, Amy and Jake

It seems that Jake has a weak password, probably we can brute force and get the password?

hydra -l jake -P /path/to/rockyou.txt ssh://IP -t 50

Yes! We have the password for user jake on SSH.

Let’s login using those credentials.

We are in!!

Let’s find where is the user flag using the command : find / -name user.txt 2>dev/null

We can see it is in /home/holt.
Let’s grab it!

User flag down!!

Time to get Root flag

We can see it’s running a Ubuntu machine.

There was a recent CVE for getting root access in Ubuntu CVE-2021–3493

(If you wanna know more about this CVE check out this room)

After visiting that site, scroll down until you find a C program. Let’s copy it.

Now let’s go in the /tmp directory in the compromised machine.

Use nano text editor to save that code.

Let’s name it exploit.c

nano exploit.c

CTRL+SHIFT+V (paste the code you copied)


Press y


Let’s compile the program using gcc

gcc exploit.c -o rootshell

Let’s run the binary — ./rootshell

Let’s go in the /root directory and get the flag.

Root flag down!!

Thank You for reading my writeup hope you enjoyed it




Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

CUN releases its exclusive PointBox for Android

Getting started with Neo4j and Gephi Tool

How to Display List of Open Cases on Item Record in NetSuite

A simple guide for Git cherry picking in TortoiseGit 🍒

JVM — Class Loader Subsystem

Pandas Note (1): Data Type

Evolution of resource planning in the software development company

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aksheet V

Aksheet V

Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified

More from Medium

Basic Pentesting CTF Walkthrough TryHackMe

HackTheBox — Monitors

[THM] Brooklyn Nine Nine Writeup

CTF Walkthrough | TryHackMe | GoldenEye 👁